Juniper experts have identified numerous malicious campaigns that use paste sites (instead of conventional C&C servers) to deliver payloads. Malware downloads payloads from paste-sites and thus hackers hide their malicious code in plain sight and, among other things, save on infrastructure.
Researchers write that attackers use legitimate paste services like paste.nrecom[.]net to host their payloads. For example, this service is based on the open-source implementation of Pastebin, called Strikked, and has been operating since 2014.Although the site only supports plain text files and not binaries, as you know, any data, including binary ones, can be represented as ASCII. This is what did operators of the malware detected by the specialists.
“Since this service only works with text, you might think that you can’t put an executable file (binary data) there. However, binary data can be represented as a text file simply by encoding it. The usual encoding method in this case is to use base64. This is exactly what the attackers did”, — said Paul Kimayong of Juniper Threat Labs.
Moreover, before using base64, the binary payload was encrypted with the XORed to add another layer of obfuscation to the threat. Such data is difficult to decrypt without knowing the correct XOR key.
According to analysts, operators of such malware as Agent Tesla, W3Cryptolocker, Redline Stealer and LimeRAT use paste-sites to distribute encrypted payloads.
An attack that exploits paste sites usually starts with a phishing email containing an attachment, such as a document, archive, or executable file.
The user is tricked into opening such a malicious attachment, and the download of the malware for the next stages of the attack is done from paste.nrecom[.]Net. The researchers also write that they observed malware that similarly hid its configuration data on paste-sites.
“Administrators are encouraged to monitor traffic from paste.nrecom in case it turns out to be malicious. Unfortunately, however, it is not always possible to simply block such resources due to their legitimate uses”, — say the experts.
Let me remind you that recently the most popular paste-site in the world, Pastebin, introduced two new features that have caused a wave of criticism from information security specialists: Burn After Read (self-destruction) and Password Protected Pastes (password protection).
Then information security experts recommended blocking Pastebin and other similar sites on corporate networks, since everyone knows that hackers abuse them, which means that such resources should be treated accordingly.
Let me remind you that I also talked about malware with 1.5 million downloads, which secretly clicked on ads on behalf of users.
