May 29, 2023
GITY Worm

Gitpaste-12 is a new worm recently discovered uses GitHub and Pastebin for housing component code and has at least 12 different attack modules available ways to compromise

The GitHub repository used at the time of discovery was as follows:

https://github[.]com/cnmnmsl-001/-

Gitpaste-12 Core

The first phase of the attack is the initial system compromise .This worm has 12 known attack modules and more under development. The worm will attempt to use known exploits to compromise systems and may also attempt to brute force passwords.

Once compromising a system, the malware sets up a cron job it downloads from Pastebin, which in turn calls the same script and executes it again each minute. This is presumably one mechanism by which updates to the cron jobs can be pushed to the botnet.

The main shell script uploaded during the attack to the victim machine starts to download and execute other components of Gitpaste-12. First, it downloads and sets up cron job, which periodically downloads and executes script from Pastebin:

Next, it downloads from GitHub (https://raw.githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) and executes it.

The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, selinux, apparmor, as well as common attack prevention and monitoring software.

The shadu1 script contains comments in the Chinese language and has multiple commands available to attackers to disable different security capabilities,

Another capability is demonstrated in the ability to run miner for monero cryptocurrency

Worming Spread

The Gitpaste-12 malware also contains a script that launches attacks against other machines, in an attempt to replicate and spread. It chooses a random /8 CIDR for attack and will try all addresses within that range, as demonstrated by this call:

Another version of the script also opens ports 30004 and 30005 for reverse shell commands:

Final thought

No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization.

Tags:

Leave a Reply

Related Post

Powerful Encryption Tool !

Powerful Encryption Tool !

July 27, 2021
Misconfigured Argoflows targets Kubernetes

Misconfigured Argoflows targets Kubernetes

July 26, 2021

You may have missed

CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
%d bloggers like this: