A recently discovered botnet called Gitpaste-12 has returned with a new assault targeting web applications, IP cameras, and routers.
Where did it begin?
Gitpaste-12 was first discovered by Juniper Threat Labs in October.
- The malware derives its name from GitHub and Pastebin, which are used for propagation, and from its 12 different exploits for previously known vulnerabilities. The flaws are related to Apache Struts, Asus routers, the WebAdmin plugin for OpenDreamBox, and Tenda routers.
- The botnet also features commands allowing it to run a cryptominer that targets the Monero cryptocurrency.
- Moreover, the worming capabilities of Gitpaste-12 enable the botnet to replicate and spread silently across systems.
What’s the latest update?
- Soon after its discovery, the Juniper researchers detected a new round of attacks from the botnet in the first half of November. These attacks were targeted at web applications, IP cameras, routers, and more.
- This was accomplished using a new version of Gitpaste-12 that includes exploits for at least 31 vulnerabilities, 12 of which are borrowed from the previous version.
- The new sample, called X10-unix, is a UPX-packed binary written in Go and compiled for x86_64 Linux systems.
- Among its other capabilities, the malware also attempts to compromise open Android Debug Bridge connections and existing malware backdoors.
No malware is good, but botnets blended with worm capabilities are particularly annoying because of their ability to spread in an automated fashion. That can lead to lateral spread within an organization, ultimately affecting other networks across the internet and impacting the reputation of organizations.