Gitpaste-12 Worm - Sneaking through the Systems

Garima Kejriwal

December 14, 2020

The Gitpaste-12 worm has been brought into the limelight once again, a few weeks after its discovery in late October by Juniper Threat Labs where it was found targeting Linux based x86 servers, as well as Linux Internet of Things (IoT) devices. This malware has been named so because of the involvement of GitHub, Pastebin and 12 ways to compromise the system. The first phase of the attack is the initial system compromise. The malware will attempt to use known exploits for these flaws to compromise systems and may also try to brute force passwords. After compromising a system, the main shell script is then uploaded to the victim machine and starts to download and execute other components of Gitpaste-12. It has now returned in new attacks targeting web applications, IP cameras and routers, this time with an expanded set of exploits for initially compromising devices. A new sample discovered in Gitpaste-12’s initial attack repository shows that the worm has expanded the area of those attack vectors. Gitpaste-12 now also attempts to compromise open Android Debug Bridge connections, and existing malware backdoors. Their ability to spread in an automated can lead to lateral spread within an organization or hosts attempting to infect other networks across the internet, resulting in a poor reputation for the organization.

Abridged fromThreatpost