A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.
Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called “Gitpaste-12,” which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL.
The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.
Now according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner (“ls”), a file with a list of passwords for brute-force attempts (“pass”), and a local privilege escalation exploit for x86_64 Linux systems.
The initial infection happens via X10-unix, a binary written in Go programming language, that proceeds to download the next-stage payloads from GitHub.
“The worm conducts a wide-ranging series of attacks targeting web applications, IP…