Botnet Operators Abusing Legit GitHub, Pastebin Resources
Researchers: 'Gitpaste-12' Botnet Mainly Targets Linux And IoT Devices
The operators behind a recently uncovered botnet dubbed "Gitpaste-12" are abusing legitimate services such as GitHub and Pastebin to help hide the malware's malicious infrastructure, according to a report from Juniper Threat Labs.
The botnet, which was first uncovered in October but appears to have been activated in July, mainly targets vulnerable Linux applications as well as internet of things and other connected devices, according to Juniper. The researchers also note that the malware contains at least 12 separate attack modules to help it infect new endpoints and apps.
While the ultimate purpose of the botnet is not fully known, the Juniper analysis finds that Gitpaste-12 comes equipped with cryptomining capabilities and can specifically mine monero cryptocurrency, according to the report.
It is the use of legitimate services such as Pastebin and GitHub, however, that stood out when the researchers first came across the botnet last month, according to the report.
By using Pastebin and GitHub, the malware's traffic can remain hidden from firewalls and proxies. This allows the operators to act stealthily while building the botnet and sending instructions through the command-and-control server, Juniper's Alex Burt and Trevor Pott note in their report.
"Almost any free hosting can be used to host malware or as a command-and-control," Burt tells Information Security Media Group. "GitHub and Pastebin provide HTTPS access and it is easy to create new accounts. In many cases, it's more convenient than creating their own hosting infrastructure because GitHub and Pastebin domains are not blacklisted by security companies. From a security team's perspective, a traffic request to GitHub would not look suspicious."
Juniper has contacted GitHub and Pastebin about the resources abused by Gitpaste-12, and GitHub responded by taking down a section of its platform used to host malicious code on Oct. 27, which has slowed its spread, according to the report.
The Juniper analysis finds the Gitpaste-12 botnet will target connected devices and Linux applications with known vulnerabilities and flaws. This includes open source projects such as Apache Struts as well as routers and other devices manufactured by Huawei, Netlink, Asus and others, according to the report.
In most cases, the botnet will attempt a brute-force attack on these devices or apps to gain access and then exploit a specific vulnerability, the researchers note.
If successful at compromising the device or application, the botnet will download a malicious script from a Pastebin URL and continue to connect to that link every minute to check for updates from the command-and-control server, according to the report.
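The two behaviors described above, requests to GitHub or Pastebin that look ordinary on their own (Burt's point) and a fixed once-a-minute check-in to the same Pastebin URL, are exactly what a defender can key on in proxy logs. The following script is an added example, not code from the article or from Juniper; it parses a few constructed proxy log lines (the log format, host list, client IPs and the `EXAMPLEID` paste path are all assumptions) and flags any client that fetches the same raw-content URL on a steady roughly 60-second cadence, while leaving a developer's irregular GitHub fetches alone.

```python
"""Flag minute-interval beaconing to paste/code-hosting URLs in proxy logs.

Added example for this article; not Juniper's or the botnet's code.
Log format assumed: "<ISO timestamp> <client ip> <method> <url> <status>".
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

# Hosts that legitimately serve raw file content and are therefore attractive
# as staging or C2 relays. The list is an assumption for this example.
WATCHED_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "github.com"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample: 10.0.0.5 polls one paste every ~60 s (the Gitpaste-12
# pattern); 10.0.0.7 is a developer pulling a script at irregular times.
# "EXAMPLEID" is a placeholder, not a real paste identifier.
SAMPLE_LOG = """\
2020-10-28T09:00:00 10.0.0.5 GET https://pastebin.com/raw/EXAMPLEID 200
2020-10-28T09:00:12 10.0.0.7 GET https://raw.githubusercontent.com/someorg/tool/main/setup.sh 200
2020-10-28T09:01:01 10.0.0.5 GET https://pastebin.com/raw/EXAMPLEID 200
2020-10-28T09:02:00 10.0.0.5 GET https://pastebin.com/raw/EXAMPLEID 200
2020-10-28T09:02:45 10.0.0.9 GET https://example.com/index.html 200
2020-10-28T09:03:02 10.0.0.5 GET https://pastebin.com/raw/EXAMPLEID 200
2020-10-28T09:04:00 10.0.0.5 GET https://pastebin.com/raw/EXAMPLEID 200
2020-10-28T09:05:01 10.0.0.5 GET https://pastebin.com/raw/EXAMPLEID 200
2020-10-28T09:17:30 10.0.0.7 GET https://raw.githubusercontent.com/someorg/tool/main/setup.sh 200
2020-10-28T09:41:05 10.0.0.7 GET https://github.com/someorg/tool 200
"""


def parse_line(line):
    """Return a dict with a parsed timestamp, or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_beacons(lines, min_hits=5, period=60.0, tolerance=5.0):
    """Group requests by (client, url) on watched hosts and report steady cadences.

    A (client, url) pair is reported when it has at least `min_hits` requests,
    the median gap between them is within `tolerance` seconds of `period`, and
    every individual gap stays within `tolerance` of that median (low jitter).
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if urlparse(rec["url"]).hostname not in WATCHED_HOSTS:
            continue
        buckets[(rec["src"], rec["url"])].append(rec["ts"])

    alerts = []
    for (src, url), stamps in buckets.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        periodic = abs(med - period) <= tolerance
        low_jitter = all(abs(g - med) <= tolerance for g in gaps)
        if periodic and low_jitter:
            alerts.append({"src": src, "url": url, "hits": len(stamps), "median_gap_s": med})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"beacon: {alert['src']} -> {alert['url']} "
              f"({alert['hits']} hits, median gap {alert['median_gap_s']:.0f}s)")
```

The check deliberately ignores whether the destination is "bad": as the article notes, GitHub and Pastebin domains are not blocklisted, so the signal has to come from cadence and repetition rather than reputation. On real logs, tune `period` and `tolerance` to the implant behavior you care about and pair an alert with a look at what the fetched paste or raw file actually contains.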
"The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, SELinux, AppArmor, as well as common attack prevention and monitoring software," Burt and Pott note in their analysis.
In one of the scripts that helps disable security features, the two researchers found comments written in Chinese, according to the report.
The Gitpaste-12 botnet also contains a script that gives the malware worm-like capabilities that can allow it to infect other devices and spread, according to the report.
"No malware is good to have, but worms are particularly annoying," Burt and Pott note. "Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization."
Other Botnet Activity
Security researchers have found other examples of botnets that target Linux servers and applications as well as IoT devices. In May, researchers uncovered a botnet dubbed Kaiji that uses brute-force methods targeting the SSH protocol to infect endpoints, which also allows it to launch distributed denial-of-service attacks (see: Kaiji Botnet Targets Linux Servers, IoT Devices).
Last month, researchers at security firm Avira Protection Lab identified a new strain of the Mirai botnet targeting vulnerable IoT devices. This botnet includes denial-of-service capabilities, separate encryption keys for each source, fast self-replication and secure connection to its command-and-control servers (see: Even in Test Mode, New Mirai Variant Infecting IoT Devices).