This new malware wants to add your Linux servers and IoT devices to its botnet

Gitpaste-12 malware has many different ways of spreading itself to potential victims, and could be the first stage of a multi-stage hacking campaign.
Written by Danny Palmer, Senior Writer

A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.

Uncovered by cybersecurity researchers at Juniper Threat Labs, the malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.

These include 11 known vulnerabilities in technology including Asus, Huawei and Netlink routers, as well as the likes of MongoDB and Apache Struts, and the ability to compromise systems by using brute force attacks to crack default or common usernames and passwords.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

After using one of these vulnerabilities to compromise the system, Gitpaste-12 downloads scripts from Pastebin in order to provide commands before also downloading further instructions.

The malware aims to switch off defences including firewalls and monitoring software that would otherwise respond to malicious activity.

Gitpaste-12 also contains commands to disable cloud security services of major Chinese infrastructure providers including Alibaba Cloud and Tencent, indicating the botnet might be the first stage of a large multi-stage operation by attackers – although the ultimate purpose of what this could be for remains unknown.

However, the malware does currently have the capability to run cryptomining, meaning the attackers can abuse the computing power of any compromised system to mine for Monero cryptocurrency.

The botnet also has the ability to work as a worm that uses compromised machines to launch scripts against other vulnerable devices on the same or connected networks in an effort to replicate and spread the malware.

"No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet," researchers wrote in a blog post.

SEE: These software bugs are years old. But businesses still aren't patching them

The Pastebin URL and GitHub repository being used to provide instructions to the malware have both been shut down after being reported by researchers, something which should stop the proliferation of the botnet for now. However, researchers also note that Gitpaste-12 is under ongoing development, which means there's a risk that it could return.

However, it's possible to help protect against Gitpaste-12 by cutting off the main way in which it spreads by applying the security patches which close the known vulnerabilities it exploits.

Users should also avoid using default passwords for IoT devices as this helps protect against brute force attacks that rely on exploiting default credentials and other common passwords.


Editorial standards