Gitpaste-12 Malware Targets Multiple Known Vulnerabilities

Gitpaste-12 is wormable crypto-mining malware that assembles infected hosts into a botnet and is now spreading by exploiting multiple known vulnerabilities.
Updated on April 19, 2023
Published on December 1, 2020
Advisory: Malware Intelligence
Malware: Gitpaste-12
Targets: x86 Linux servers; Linux on ARM and MIPS (IoT devices)
Gitpaste-12 is wormable malware that assembles the hosts it infects into a crypto-mining botnet. It spreads by brute-forcing passwords and by exploiting known vulnerabilities in the products listed below. The malware hosts its code and payloads on GitHub and Pastebin, and uses Pastebin as its command and control (C&C) channel. For defence evasion it disables firewalls, monitoring agents and Linux AppArmor on the victim, clearing the way for the rest of the compromise. Besides x86 servers it also targets lower-end ARM and MIPS systems, especially IoT devices.

Known vulnerabilities targeted by the malware

CVE-2017-14135 Webadmin plugin for OpenDreambox
CVE-2020-24217 HiSilicon based IPTV/H.264/H.265 video encoder
CVE-2017-5638 Apache Struts
CVE-2020-10987 Tenda router
CVE-2014-8361 Miniigd SOAP service in Realtek SDK
CVE-2020-15893 UPnP in D-Link routers
CVE-2013-5948 ASUS routers
EDB-ID: 48225 Netlink GPON router
EDB-ID: 40500 AVTECH IP camera
CVE-2019-10758 mongo-express (MongoDB web-based admin interface)
CVE-2017-17215 Huawei router
Note: EDB-ID: Exploit Database ID

Malware Components

  • Miner module
  • Hide.so defense evasion module
  • Miner Config
  • Shell Script
 

Impact 

Technical Impact

  • Unauthorized access to the filesystem and operating system functionality.
  • Security controls (firewall, AppArmor, monitoring) are disabled without the owner's knowledge, creating a false sense of security.
  • Unauthorized consumption of CPU and power for crypto-mining.
 

Business Impact

  • Performance loss of servers and other assets due to excessive crypto-mining. 
  • Violation of confidentiality, integrity, and availability of information systems leading to loss of trust and reputation.
  • Cost of remediation to “clean” the infected systems.
 

Mitigation

  • Patch the vulnerabilities listed above and replace default or weak credentials on exposed services, since brute-forcing and known exploits are the malware's two ways in.
  • Deploy a host-based intrusion detection and prevention system (IDPS).
  • Apply strict firewall filtering, including egress filtering towards GitHub and Pastebin where those services are not needed.
  • Keep monitoring tools and endpoint detection and response (EDR) solutions up to date, and alert when a firewall, AppArmor or a monitoring agent is stopped, because that is exactly what this malware does first.
  • Monitor network traffic, including the service ports listed under the IOCs below.
  • Monitor resource usage; sustained unexplained CPU load is the most visible symptom of the miner.
 

Indicators of Compromise (IOCs)

URLs

Service Ports
  • 30004/TCP
  • 30005/TCP

Hashes (SHA-256)
  • Miner: e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9
  • Hide.so: ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b
  • Miner Config: bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1
  • Shell script: 5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3
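The following triage helper turns the indicators above (the four SHA-256 hashes and the two service ports) and the defence-evasion behaviour described earlier (the hide.so module) into checks a responder can run against evidence collected from a suspect host. It is an added example written for this advisory, not code from the advisory's authors or from the malware. It works offline on already-collected artefacts: file contents, the text of /etc/ld.so.preload and the output of `ss -tln`. One assumption is not stated on the page: hide.so is treated as an LD_PRELOAD-style shared object, so /etc/ld.so.preload is where the script looks for it. All sample inputs in the `__main__` block are constructed.

```python
"""Offline host-triage helpers for the Gitpaste-12 indicators in this advisory.

Added example; not part of the advisory and not the malware's own code.
Inputs are evidence already collected from a host, so nothing here touches
a live system. Assumption (not stated on the page): hide.so is loaded via
/etc/ld.so.preload, which is therefore one of the places inspected.
"""
import hashlib
import re

# SHA-256 hashes from the IOC section, lower-cased for comparison.
GITPASTE12_SHA256 = {
    "e67f78c479857ed8c562e576dcc9a8471c5f1ab4c00bb557b1b9c2d9284b8af9": "miner",
    "ed4868ba445469abfa3cfc6c70e8fdd36a4345c21a3f451c7b65d6041fb8492b": "hide.so",
    "bd5e9fd8215f80ca49c142383ba7dbf7e24aaf895ae25af96bdab89c0bdcc3f1": "miner config",
    "5d1705f02cde12c27b85a0104cd76a39994733a75fa6e1e5b014565ad63e7bc3": "shell script",
}
# Service ports from the IOC section.
GITPASTE12_PORTS = frozenset({30004, 30005})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(files, iocs=GITPASTE12_SHA256):
    """files: iterable of (path, bytes). Returns [(path, component)] for every
    file whose SHA-256 appears in `iocs` (default: the advisory's hash list)."""
    hits = []
    for path, data in files:
        component = iocs.get(sha256_hex(data))
        if component is not None:
            hits.append((path, component))
    return hits


def preload_entries(ld_so_preload_text):
    """Shared objects forced into every new process via /etc/ld.so.preload.
    The file is a whitespace-separated list; on a clean host it is normally
    absent or empty, so any entry deserves a look and hide.so is a red flag."""
    return ld_so_preload_text.split()


# One `ss -tln` row: "LISTEN 0 128 0.0.0.0:30004 0.0.0.0:*"; the local
# address may also appear as "*:30004" or "[::]:30004".
_SS_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+")


def listening_ioc_ports(ss_output, ports=GITPASTE12_PORTS):
    """Parse `ss -tln` text and return the set of IOC ports found listening."""
    found = set()
    for line in ss_output.splitlines():
        m = _SS_ROW.match(line.strip())
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        if port in ports:
            found.add(port)
    return found


def triage(files, ld_so_preload_text, ss_output):
    """Run all three checks and summarise them; `suspect` is True when any
    indicator fires. A negative result is not a clean bill of health: the
    hashes cover one sample set, and a recompiled miner or a renamed
    hide.so will not match them."""
    preload = preload_entries(ld_so_preload_text)
    report = {
        "hash_hits": match_hashes(files),
        "preload": preload,
        "hide_so_preloaded": any(p.rsplit("/", 1)[-1] == "hide.so" for p in preload),
        "ioc_ports": sorted(listening_ioc_ports(ss_output)),
    }
    report["suspect"] = bool(report["hash_hits"] or preload or report["ioc_ports"])
    return report


if __name__ == "__main__":
    # Constructed evidence for demonstration, not data captured from a real host.
    sample_files = [("/tmp/sample.bin", b"not the real miner binary")]
    sample_preload = "/usr/local/lib/hide.so\n"
    sample_ss = (
        "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
        "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*\n"
        "LISTEN 0      10     *:30004            *:*\n"
        "LISTEN 0      10     [::]:30005         [::]:*\n"
    )
    print(triage(sample_files, sample_preload, sample_ss))
```

Hash matching is deliberately the weakest of the three checks: it only confirms the exact samples the advisory catalogued. The ld.so.preload and listening-port checks catch behaviour rather than bytes, which is why a responder should weight them higher when the hashes come back clean.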
