New worming botnet Gitpaste-12 infecting IoT devices, Linux servers

Gitpaste-12 uses GitHub and Pastebin for framing the component code and has 12 different attack modules.

Juniper Threat Labs has discovered a new worming botnet boasting of multiple ways of spreading itself and infecting IoT devices and Linux servers. Researchers believe that this hacking campaign may have multiple stages.

The malware is dubbed Gitpaste-12 because it uses GitHub and Pastebin for framing the component code and has 12 different attack modules. Out of these 12, 11 are known vulnerabilities, found in Netlink and Huawei routers and even in Apache Struts and MongoDB.

Gitpaste-12 is targeting cloud computing infrastructure. However, the objective behind this campaign is yet unknown. It can compromise systems through brute force attacks and obtains default or common usernames and passwords.



After using one of the 12 vulnerabilities, the malware downloads scripts from Pastebin to provide commands before downloading a new set of instructions from a GitHub depositary. It switches off all security defenses, such as monitoring software or firewalls, to avoid detection.

Anatomy of Gitpaste-12

The first attacks of the malware were discovered on 15 Oct 2020. Juniper Threat Labs’ cybersecurity researchers reported the Pastebin URL and the git repo, which was closed by 30 Oct 2020 to stop the botnet’s proliferation.

The worm targets Linux-based x86 servers and ARM and MIPS CPUs based Linux IoT devices and adds them to its army of botnets. It contains commands to disable cloud security services from leading Chinese services like Tencent and Alibaba Cloud, that’s why researchers believe that it could be a multi-stage campaign.



The malware can perform cryptomining, which indicates that attackers can abuse any compromised system by using its computing power to mine for Monero.

Researchers noted in their blog post that worms are “particularly annoying,” because they can spread automatically and laterally spread within an organization or host to infect as many networks as possible.

This adversely affects the organization’s reputation. They further stated that the malware is still developing; therefore, it is quite likely that it will make a comeback.

To protect against Gitpaste-12, it is essential to cut off the primary method with which it spreads. This is possible through the application of security patches to close the known vulnerability that it is exploiting. It is also necessary to avoid using the default password to prevent brute force attacks.

You may also like...