Sophisticated Worming Botnet Remained Hidden on GitHub for Months

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

A worming botnet called “Gitpaste-12” was found lurking on hosting service GitHub and leveraging Pastebin, somehow managing to pass undetected while at the same time attacking a large number of Linux servers. The name is a portmanteau of the two legit platforms that are abused, while the number “12” stands to denote the number of vulnerabilities exploited by the malware (11 plus the telnet).

For a worm of this kind, 12 exploits are more than enough to move around with versatility.

Source: Juniper blog

The discovery of the malware eventually came by researchers of the Juniper Networks, back on October 15, 2020, and by that time, Gitpaste-12 had spent three months there. GitHub needed another two weeks before they eventually responded by uprooting the malware from the reported git repository, momentarily stopping the spread of the botnet.

Targeting Linux servers means dealing with sophisticated security tools like SELinux and AppArmor, but Gitpaste-12 ensures that all of these solutions are disabled and firewall rules are deleted before it makes another step in the compromised system. Then, the attacker uses a reverse shell on TCP ports 30004 and 30005.

The worm comes with a Monero miner that is specifically customized to stay hidden from process monitors. Additionally, the worm sets a cronjob for persistence and can find and break into more IoT devices on the network through credentials brute-forcing.

Source: Juniper blog

While the first wave of attacks has now been dealt with, Gitpaste-12 isn’t expected to pass in history just yet. Its sophisticated and capable authors will find another way to distribute the bot, and possibly, will evolve/improve the detection-evading code and bring it back on a new git repository. Moreover, Gitpaste-12 might not stay on Linux servers and IoTs forever, even though its current exploit set focuses on them.

Related: New “Mirai” Variant Is Exploiting Tenda Router Zero-Days

The list of the flaws that are actively exploited by Gitpaste-12 is given below:

The best way to deal with this threat would be to apply IoT firmware and software updates. Botnets are rarely using zero-days for propagation, so applying the available updates quickly is a very effective method of protection against them.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: