Security researchers have identified yet another campaign from the Gitpaste-12 worm operators, but this time they’re trying to leverage more vulnerabilities and even compromise open Android Debug Bridge connections.
Gitpaste-12 used GitHub and Pastebin to spread but, following its discovery, the project was quickly shut down. Now, what are likely the same operators have started a new attack from another GitHub repository. This time, though, they added a Linux crypto miner, a list of passwords for brute-force attacks and a statically linked Python 3.9 interpreter.
While Juniper Threat Labs was conducting its research, the operators added a configuration file for a Monero crypto-mining program and a UPX-packed local privilege escalation exploit for x86_64 Linux systems. The Monero address is the same as the one used in the previous attacks.
“The worm then commences a wide-ranging series of attacks comprising at least 31 known vulnerabilities — seven of which were also seen in the previous Gitpaste-12 sample — as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,” said the researchers. “The attacks target web applications, IP cameras, routers and more.”
One aspect that sets this worm apart is its attempt to connect to open Android Debug Bridge (ADB) instances listening on TCP port 5555.
“On successful connection, X10-unix runs a script that uploads a native binary (‘blu’) and an Android APK (weixin.apk), both base64-encoded,” the researchers explain. “Blu probes the device’s Bluetooth hardware and installs the APK. The APK uploads the device’s IP address to Pastebin as above and then downloads and installs an ARM CPU port of X10-unix.”
Because the attackers use Monero, their transactions cannot be traced, which makes it difficult to estimate just how successful the campaign has been, but the infection has already spread to hundreds of endpoints. The researchers also published indicators of compromise, which should help speed up detection.