Hackers Exploiting GitHub and Pastebin Resources to Spread Malware

  • By Dawna M. Roberts
  • Published: Nov 09, 2020
  • Last Updated: Nov 23, 2023

Everything has ramped up in 2020, especially hackers, cybercriminals, and their techniques. Threat researchers recently discovered that hackers are using Gitpaste-12 botnet to target Linux and IoT devices.

Hackers’ Latest Trend

The latest trend seen by security professionals is hacker groups setting up botnets using legitimate resources such as Dropbox, Box, Github, and Pastebin to store malicious files undetected and make their files appear more authentic. 

Recently Juniper Threat Labs published a report regarding the Gitpaste-12 botnet, which they discovered in October. However, all indications point to the fact that hackers set it up in July 2020. The report noted that Gitpaste-12 botnet uses 12 different modules of malware to attack IoT devices and Linux applications.

What concerns threat researchers the most is the widespread use of legitimate online resources for malicious file repositories. Because the malware appears to come from secure, legitimate online resources, it may be harder to discover and more dangerous for victims. 

Juniper Threat Labs identified at least one purpose for Gitpaste-12, and it was crypto mining of cryptocurrency, specifically monero. 

According to Alex Burt and Trevor Pott of Juniper Threat Labs, ”Almost any free hosting can be used to host malware or as a command-and-control,” Burt tells Information Security Media Group. “GitHub and Pastebin provide HTTPS access, and it is easy to create new accounts. In many cases, it’s more convenient than creating their own hosting infrastructure because GitHub and Pastebin domains are not blacklisted by security companies. From a security team’s perspective, a traffic request to GitHub would not look suspicious.”

The Juniper team contacted both Github and Pastebin to notify them of the threat, and they responded quickly by taking down the infected areas.

How it Works

Recently another cybercriminal sent out phishing emails to the faculty members of a large college urging them to take a COVID-19 survey stored on Dropbox. The template used was infected with malicious macros. Thankfully, none of the recipients clicked the link or turned on macros before the IT department found the infection and alerted the authorities.

In their report, Juniper mentions that the botnet is specifically targeting open-source projects such as Apache Struts along with routers and other network devices from well-known manufacturers like Asus, Netlink, and Huawei. The method of entry is most often a brute-force attack. Once the botnet has control of the device, it will install malicious code that periodically checks back with the command-and-control server looking for updates. Juniper explains, “The malware begins by preparing the environment. This means stripping the system of its defenses, including firewall rules, SELinux, AppArmor, as well as common attack prevention and monitoring software.”

After examination of the code, security researchers found some of the writing to be Chinese.

Alarmingly, some of the modules also behave like worms infecting other devices to spread and expand the botnet further.

Juniper’s Burt and Pott comment, “No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization.”

So Many Threats on the Horizon

Over the past year, quite a few botnets have been discovered and a few temporarily disabled by authorities. Many are built specifically to target IoT devices and Linux applications. One such botnet, Kaiji, uses brute-force to target SSH protocols and uses denial-of-service attacks as well.

Just last month, in a joint effort, Microsoft and some government agencies took down the notorious Trickbot botnet crippling its operations, at least for now. 

Additionally, hackers are using another botnet named Kashmir Black to target vulnerable CMS system websites like WordPress, Joomla, and Magneto. 

As reported by DataBreach Today, Avira Protection Lab identified another botnet using a variant of Mirai to target IoT devices. This particular threat is highly sophisticated with individual encryption keys, denial-of-service capabilities, and self-replication techniques built-in. 

Why Botnets?

The term botnet is thrown around pretty liberally these days. So, what is a botnet? According to Kaspersky Labs, “Botnets are networks of hijacked computer devices used to carry out various scams and cyberattacks.” It’s also a combination of the two words “robot” and “network.”

These networks are set up to link exploited devices together to create a vast network of computers, applications, and other hardware that can then infect other devices for the theft of data, malware, ransomware infections, or other purposes. Usually, botnets are used in multi-layer schemes, and infecting the devices is only step one. Kaspersky has a great article here that explains all about botnets. 

The reason this model works so well is that once activated, the botnet works on its own, automating the process of growing the network and infecting devices. Botnets save time and effort so that hackers can focus on the prize. 

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What You Need to Know about the Hot Topic Data Breach

What You Need to Know about the Hot Topic Data Breach

Hot Topic plays in the fashion, apparel, and shoe industry as a retailer of music-influenced apparel and accessories, such as jeans, tops, belts, dresses, pajamas, sunglasses, jewelry, and tees.

Google Voice Scams: What They Are and How to Stay Safe

Google Voice Scams: What They Are and How to Stay Safe

Google Voice scams continue to pose a risk for users of this service. Scammers continuously attempt to lure users into divulging their verification PIN code.

What Are Pretexting Attacks: Scam Types and Security Tips?

What Are Pretexting Attacks: Scam Types and Security Tips?

Have you ever received a text from someone you do not know? Did you become alarmed by the message? Did the message contain information about you and the people you know?

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close