Gitpaste-12 Malware via GitHub & Pastebin Attacks Linux Servers and IoT Devices

Recently, cybersecurity researchers have detected a new type of worm targeting Linux-based x86 servers and the Linux internet of things (IoT) devices. This new malware has been named Gitpaste-12, as it uses the GitHub, Pastebin, and other 12 ways that help it to compromise the system.

Juniper Threat Labs detected the first GitPaste-12 attacks on October 15, 2020; that’s why the cybersecurity researchers have reported both the Pastebin URL as well as the git repo. While here, the git repo was consummated on October 30, 2020. 

This new worm can grow in an automatic manner that can begin to lateral spread within an association or to your hosts that are attempting to affect other networks all over the internet. And all this results in poor reliability for your organization.


In this malware, the first stage is related to the initial system that has been compromised. As Gitpaste-12 has 12 different known attack modules and more below development. 

This worm always strive to use known exploits to negotiate the systems, and not only this, but it also attempts to brute force the passwords as well.

Once the malware is done with negotiating, it immediately sets up a cron job that it downloads from Pastebin, and later this job calls the same script and applies it again every minute. By doing this, all the updates regarding the cron job can easily be pushed to the botnet.

The malware starts up its cron job by setting the environment accordingly, which means it begins with stripping the system of its defenses, including firewall rules, SELinux, AppArmor, some common attack prevention, and monitoring software.

Worming Ability

If we talk about the capability, then Gitpaste-12 malware includes a script that generally launches attacks toward other machines; its main motive is to replicate and spread thoroughly. 

However, the Gitpaste-12 malware picks a random /8 CIDR for attack and then attempt all the addresses within that range.

Exploits of Gitpaste-12

Gitpaste-12 has some exploits that have been listed below:-

  • CVE-2017-14135: Webadmin plugin for opendreambox
  • CVE-2020-24217: HiSilicon based IPTV/H.264/H.265 video encoders
  • CVE-2017-5638: Apache Struts
  • CVE-2020-10987: Tenda router
  • CVE-2014-8361: Miniigd SOAP service in Realtek SDK
  • CVE-2020-15893: UPnP in Dlink routers
  • CVE-2013-5948: Asus routers
  • EDB-ID: 48225: Netlink GPON Router
  • EDB-ID: 40500: AVTECH IP Camera
  • CVE-2019-10758: Mongo db
  • CVE-2017-17215: Huawei router

Many cybersecurity researchers have affirmed that worm malware are very annoying and troublesome. The worm malware is filled with several features and abilities; its main ability is to spread in an automated mode that can begin to lateral spread within an institution. 

It can also spread to your hosts that have been trying to affect all other networks that are present on the internet; moreover, this worm provides the threat actors reverse shells. 

And according to the security experts, there are some infected systems that are using TCP ports 30004 and 30005 open to listening for shell commands.

You can follow us on LinkedinTwitterFacebook for daily Cyber Security and hacking news updates.

Also Read: 6 Best Free Malware Analysis Tools to Break Down the Advanced Malware Samples – 2020

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

10 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

14 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

14 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

16 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

17 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

18 hours ago