Researchers have found a new worm targeting Linux-based x86 servers, as well as Linux internet of things (IoT) devices based on ARM & MIPS CPUs.
The newly discovered malware uses GitHub & Pastebin to house its component code & has at least 12 different attack modules available, leading researchers to call it “Gitpaste-12.” It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.
“No malware is good to have, but worms are particularly annoying,” commented researchers with Juniper Threat Labs in a Thur. post. “Their ability to spread in an automated fashion can lead to lateral spread within an organisation or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organisation.”
The first phase of the attack is the initial system compromise. The malware’s various attack modules include exploits for 11 previously disclosed vulnerabilities, among them flaws in Apache Struts (CVE-2017-5638), Asus routers (CVE-2013-5948), the Webadmin plugin for opendreambox (CVE-2017-14135) & Tenda routers (CVE-2020-10987).
The malware will attempt to use known exploits for these flaws to compromise systems & may also attempt to ‘brute force’ passwords, observed researchers. After compromising a system, a main shell script is then uploaded to the victim machine, & starts to download & execute other components of Gitpaste-12.
This script sets up a ‘cron job’ that it downloads from Pastebin. Cron is the time-based job scheduler in Unix-like operating systems; a cron job is a task it runs on a schedule. Here the cron job re-executes the downloaded script every minute, which researchers believe is presumably one mechanism by which updates can be pushed to the botnet.
It then downloads a script from GitHub (https://raw[.]githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) & executes it. The script contains comments in the Chinese language & has multiple commands available to attackers to disable different security capabilities.
These include stripping the system’s defences: firewall rules, SELinux (a security architecture for Linux systems), AppArmor (a Linux kernel security module that lets the system administrator restrict programs’ capabilities), as well as common attack-prevention & monitoring software.
The malware also has some commands that disable cloud security agents, “which clearly indicates the threat actor intends to target public cloud computing infrastructure provided by Alibaba Cloud & Tencent,” observed researchers.
Gitpaste-12 also features commands allowing it to run a crypto-miner that targets the Monero cryptocurrency.
“It also prevents administrators from collecting information about running processes by intercepting ‘readdir’ system calls & skipping directories for processes like tcpdump, sudo, openssl, etc. in ‘/proc’,” explained researchers. “The ‘/proc’ directory in Linux contains information about running processes. It is used, for example, by the ‘ps’ command to show information about running processes. But unfortunately for this threat actor, this implementation does not do what they expect it to do.”
Finally, the malware also contains a library (hide.so) that is loaded via LD_PRELOAD, which downloads & executes Pastebin files (https://pastebin[.]com/raw/Tg5FQHhf) that host further malicious code.
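The process-hiding technique described above (a preloaded library filtering ‘readdir’ results for ‘/proc’) can be checked for from the defender’s side by comparing what a directory listing shows against what a direct per-PID probe finds. The script below is an added example, not code from Juniper’s write-up; it assumes a Linux procfs at /proc and glibc’s /etc/ld.so.preload, and the pid_max fallback value is an assumption for hosts where /proc/sys/kernel/pid_max cannot be read.

```python
import os

# Assumes a Linux procfs at /proc and glibc's /etc/ld.so.preload; the
# 4194304 pid_max fallback is an assumption for hosts without procfs.
def listed_pids(proc_root="/proc"):
    """PIDs as ps sees them via readdir(); a hooked readdir() drops entries."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def probed_pids(proc_root="/proc", pid_max=None):
    """PIDs found by stat()ing /proc/<pid>/status directly, bypassing readdir()."""
    if pid_max is None:
        try:
            with open(os.path.join(proc_root, "sys/kernel/pid_max")) as f:
                pid_max = int(f.read())
        except OSError:
            pid_max = 4194304
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(os.path.join(proc_root, str(pid), "status"))}

def hidden_pids(listed, probed):
    """PIDs the probe reaches but the listing lacks; a process that started
    between the two scans also shows up here, so re-run before concluding."""
    return sorted(probed - listed)

def process_name(pid, proc_root="/proc"):
    """Name: field of /proc/<pid>/status, again read without readdir()."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Name:"):
                    return line.split(":", 1)[1].strip()
    except OSError:  # exited between probe and read
        pass
    return "?"

def parse_preload(text):
    """Libraries named in ld.so.preload (whitespace separated, # comments
    skipped); every entry deserves review, an unknown hide.so especially."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs

if __name__ == "__main__":
    for pid in hidden_pids(listed_pids(), probed_pids()):
        print("hidden from readdir():", pid, process_name(pid))
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", parse_preload(f.read()))
```

The full-range probe makes one stat() call per possible PID, so on a host with a large pid_max it takes a few seconds; that cost is the point, since nothing in it goes through the hooked call.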
Researchers said they reported the Pastebin URL, as well as the Git repo mentioned above that downloads malicious scripts for the malware. The Git repo was closed on Oct. 30, 2020. “This should stop the proliferation of this botnet,” suggested researchers.
In terms of its worming capabilities, Gitpaste-12 also contains a script that launches attacks against other machines, in an attempt to replicate & spread the malware.
“The malware chooses a random /8 CIDR for attack & will try all addresses within that range,” according to researchers. Classless Inter-Domain Routing (CIDR) notation describes a block of IP addresses for allocation & routing purposes, so the attack targets every address within the randomly chosen /8 block.
Another version of the script also opens ports 30004 & 30005 for reverse shell commands, outlined researchers. Port 30004 uses the Transmission Control Protocol (TCP), one of the main protocols in TCP/IP networks, while port 30005 is associated with a bidirectional SOAP/HTTP-based protocol that provides communication between devices such as routers or network switches & auto-configuration servers.
Worms can have a wide impact, as seen in a 2019 campaign that exploited a vulnerability in the Exim mail transport agent (MTA) with a wormable exploit to gain remote command execution on victims’ Linux systems. Researchers commented at the time that more than 3.5 million servers were at risk from the attacks.
Several new worms have appeared in 2020 so far, including the Golang worm, which is aimed at installing crypto-miners, & recently changed up its tactics to add attacks on Windows servers & a new pool of exploits to its methodology.
In Aug., a cryptomining worm from the group known as TeamTNT was found spreading through the Amazon Web Services (AWS) cloud & collecting credentials. Once the logins are harvested, the malware logs in & deploys the XMRig mining tool to mine Monero cryptocurrency.