New Botnet Worm Infecting Open-source Tools
Gitpaste-12 was named after the botnet worm spreading through GitHub repositories, and is using Pastebin to host its malicious payloads. This was first discovered in October this year, where it came with 12 known exploits. And now, it’s reported to have come with 31 exploits, attacking Android and open-source tools, IoT, and Linux devices.
As documented by the Juniper Threat Labs, this latest iteration of Gitpaste-12 found on a different GitHub repository with just three files initially. These included a Linux cryptocurrency miner, a passwords list for brute-force attack, and a Python 3.9 interpreter with an unknown cause. Later, more exploits were added to the Gitpaste-12. These include a Linux exploit called UPX pack for privilege escalation and a configuration file as “config.json” for mining Monero cryptocurrency. Authors have been minting coins to the same Monero address as Gitpaste-12’s first iteration. It’s said that Gitpaste-12 starts with downloading a payload from its repository and makes a backdoor and a cryptocurrency miner in the host machine. Later, it spreads further to infect the connected Android devices through Android Debug Bridge and IoT devices like routers and cameras. Researchers listed out all the 31 exploits that Gitpaste-12 attacks on, and these include some open-source tools like mongo-express, CutePHP, FuelCMS, and JBoss Seam 2. While it’s unknown how successful this new botnet worm is, since it uses untraceable Monero cryptocurrency, researchers said they had identified over 100 distinct hosts. While we see how Gitpaste-12 evolves, researchers have listed the IOCs, identifiers, and all 31 exploits. Check out; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1871 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3313 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17562 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11511 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10758 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11447 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19509 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8816 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10987 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17463 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17496 https://www.exploit-db.com/exploits/37474 https://www.exploit-db.com/exploits/40500 https://www.exploit-db.com/exploits/45135 https://www.exploit-db.com/exploits/45161 https://www.exploit-db.com/exploits/46542 https://www.exploit-db.com/exploits/48225 https://www.exploit-db.com/exploits/48358 https://www.exploit-db.com/exploits/48676 https://www.exploit-db.com/exploits/48734 https://www.exploit-db.com/exploits/48737 https://www.exploit-db.com/exploits/48743 https://www.exploit-db.com/exploits/48751 https://www.exploit-db.com/exploits/48758 https://www.exploit-db.com/exploits/48771 https://www.exploit-db.com/exploits/48775 https://www.exploit-db.com/exploits/48805 https://www.exploit-db.com/exploits/48827
