The Malicious Use of Pastebin

guest · Aug 3, 2019

The Malicious Use of Pastebin
August 2, 2019
https://www.fortinet.com/blog/threat-research/malicious-use-of-pastebin.html

The FortiGuard Labs threat research team has been noticing for some time that Pastebin and similar services are being used by malware authors, sometimes to evade detection or to obscure their purposes. However, we had no idea how common this practice is or what sorts of malicious content might be stored there.

Malware authors, for example, often store part of the malicious content in their malware on it, and then fetch it later from inside the malicious executable using the share link. A recent FortiGuard Labs blog on the Rocke coin mining malware shows one practical use case for this practice.

However, what I discovered was a wide variety of malicious scripts, stolen credentials, encoded content, and malware. The result of this research, based on examining thousands of pastes, is as follows.
Base64 Encoded Content: Over 8,000 of these files fell into this category. Among them there were obfuscated scripts, some hashes, and countless binary data. Surprisingly, I also found some ELF/PE executable files. Listed below is the MD5 hash of a few of these files and their status on VirusTotal. [...]
Click to expand...

Pastebin is Just the Tip of the Iceberg
I only checked the Pastebin service for malicious files, but there are a number of similar services. However, some of them don’t index posted entries so they are not easy to scrape. Because of this, they may be even more interesting to cybercriminals – which also means the content on these other services may be even more interesting to cybersecurity professionals as well.
Click to expand...

guest · Apr 16, 2020

PasteBin just made it easier for hackers to avoid detection, researchers say
April 16, 2020
https://www.cyberscoop.com/pastebin-research-cybercrime-osint-scraping/

A policy change at a seemingly innocuous website could make it more difficult to stop hackers, according to information security experts who track malicious software in the wild.

PasteBin, a text repository where developers share internet code, said on Wednesday it has discontinued a service that charged users a $50 one-time fee to search the site for new data.
Researchers had used the scraping API to scour PasteBin for cybercriminal activity, as hackers frequently posted stolen personal data and malicious code to the site.

“This was used … to filter for malicious payloads that had been uploaded, or in some cases where criminals have uploaded people’s data,” said James Hemmings, a penetration tester.
Click to expand...

PasteBin’s decision could similarly hamper research efforts by making it harder to detect behavior, such as a recent update to the Nanocore RAT malware.

That remote access tool, highlighted by the @ScumBots feed [...] the malware flagged Monday by @ScumBots was detected by 65 of 73 security tools in the VirusTotal repository by press time Thursday.

“ScumBots would have picked that up minutes after it was posted to PasteBin,” said researcher Oliver Hough, who monitors the feed. “[Antivirus companies] would have got there eventually but ScumBots certainly helped.”
The change coincides with an editorial in the national security blog Lawfare calling for more cybercrime data to aid investigations.
Click to expand...

Vice Motherboard first reported on the change at PasteBin.
Click to expand...

guest · Sep 28, 2020

Pastebin adds 'Burn After Read' and 'Password Protected Pastes' to the dismay of the infosec community
The two new features will make it easier to disguise malware operations
September 26, 2020
https://www.zdnet.com/article/paste...astes-to-the-dismay-of-the-infosec-community/

Pastebin, the most popular website where users can share small snippets of text, has added two new features today that cyber-security researchers believe are going to be widely and wildly abused by malware operators.

Named "Burn After Read" and "Password Protected Pastes," the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.
None of the two features are original, as they have been present on many paste sites for years.

However, they are new to Pastebin, which is, by far, today's most popular pastes portal, being ranked in the Alexa Top 2,000 most popular sites on the internet.
Click to expand...

PASTEBIN HAS BEEN ABUSED IN MALWARE OPERATIONS
As with anything popular, this has also attracted a lot of bad content that's has been hosted on the platform. While some people use it to host pieces of code or text they wanted to share with a colleague, over the past decade, Pastebin has also turned into a de-facto hosting service for malicious code.

Ted Samuels, an incident response (IR) consultant, told ZDNet today that it's hard to put a number or percentage on Pastebin's presence in malware operations, but described it as "not uncommon."

"Pastebin is by far the most prolific 'paste site' and fairly popular staging ground for fileless attacks using PowerShell. For example, a threat actor's initial payload may use PowerShell to download additional (and often obfuscated) content from pastebin.com for further execution via PowerShell. The prolific CobaltStrike framework can be loaded this way."
Click to expand...

"Unless they're taking measures that aren't immediately apparent to prevent the use of Burn After Reading and Password Protection for C2 and malware staging, those would seem to be pretty helpful new features for attackers who use PasteBin for those ends," Brian, a security researcher from Pittsburgh, told ZDNet.

But the new features go beyond just detecting what was uploaded on the site in real-time. It also impacts post-infection IR investigations.
"This new change will now make it harder for incident responders to quickly evaluate what may have been downloaded and executed in some environments," Samuels told ZDNet.
Click to expand...

guest · Dec 10, 2020

njRAT Trojan operators are now using Pastebin as alternative to central command server
Avoiding C2 infrastructure could help hackers avoid detection
December 10, 2020
https://www.zdnet.com/article/njrat...bin-as-alternative-to-central-command-server/

Operators of the njRAT Remote Access Trojan (RAT) are leveraging Pastebin C2 tunnels to avoid scrutiny by cybersecurity researchers.

On Wednesday, Palo Alto Networks' Unit 42 cybersecurity team said njRAT, also known as Bladabindi, is being used to download and execute secondary-stage payloads from Pastebin, scrapping the need to establish a traditional command-and-control (C2) server altogether.
Since October, at the least, operators have used Pastebin, a text storage and release platform, as a host for payloads which differ in form and shape.
Click to expand...

The "Pastebin C2 tunnel" now in use, as described by the researchers, creates a pathway between njRAT infections and new payloads. With the Trojan acting as a downloader, it will grab encoded data dumped on Pastebin, decode, and deploy.
Click to expand...

Palo Alto Networks - Unit42: njRAT Spreading Through Active Pastebin Command and Control Tunnel

In observations collected since October 2020, Unit 42 researchers have found that malware authors have been leveraging njRAT (also known as Bladabindi), a Remote Access Trojan, to download and deliver second-stage payloads from Pastebin, a popular website that is well-known to be used to store data anonymously. Attackers are taking advantage of this service to post malicious data that can be accessed by malware through a shortened URL, thus allowing them to avoid the use of their own command and control (C2) infrastructure and therefore increasing the possibility of operating unnoticed.
Click to expand...

Log in or Sign up

The Malicious Use of Pastebin

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

The Malicious Use of Pastebin

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches