Gitcast-12 botnet returns to target Linux server, IOT device

A new wormable botnet named has spread through GitHub and Pastebin to install cryptocurrency miners and Backdoors on the target system, and has returned with extended capabilities to destroy web applications, IP cameras and routers.

Earlier last month, researchers at juniper thread labs documented an encrypted mining activity called “gitpaste-12,” which uses GitHub to host malicious code containing up to 12 known attack modules executed through commands downloaded from the Pastebin URL.

The attack occurred within 12 days from October 15, 2020, and then the Pastebin URL and repository were shut down on October 30, 2020.

According to juniper, the second wave of attacks began on November 10, using payloads from another GitHub repository, including a Linux encryption miner (“LS”), which contains a list of password attempts (“passed”) for brute force cracking, as well as for x86_ 64 Linux system local privilege upgrade vulnerability.

The initial infection takes place via X10 UNIX, a binary written in the go programming language, and then downloads the next phase of the payload from GitHub.

“The worm has carried out a wide range of attacks against web applications, IP cameras, routers, etc., including at least 31 known vulnerabilities (seven were also found in the previous example), and attempts to break open debug bridge connections and existing malware backdoors,” said Asher Langton, a network researcher at Zhanbo, in an analysis on Monday.

The list of 31 vulnerabilities includes remote code vulnerability in F5 BIG-IP traffic management user interface (cve-2020-5902), PI hole web (cve-2020-8816), Tenda ac15 ac1900 (cve-2020-10987), vBulletin (cve-2020-17496), and SQL injection error in fuel CMS (cve-2020-17463), which have been exposed this year.

It is worth noting that a new variant of Mirai botnet was discovered in October. Ttint uses two Tenda router Zero Day vulnerabilities (including cve-2020-10987) to spread remote access Trojan (rat) service attacks that can perform denial attacks, execute malicious commands and implement reverse shells for remote access.

In addition to installing X10 UNIX and monero encryption mining software on the machine, the malware also opened the back door of monitoring ports 30003 and 30006, uploaded the victim’s external IP address to private Pastebin, and tried to connect to debug bridge on port 5555.

After successful connection, it will continue to download APK files(“ weixin.apk ”)The file will eventually install the ARM CPU version of X10 UNIX.

According to juniper’s estimate, a total of at least 100 different hosts have been identified to spread the infection.