NjRAT operators have been using Pastebin as a management server

Written by Emma Davis

Analysts from Palo Alto Networks report that at least since October of this year, operators of the njRAT trojan have been using Pastebin as a control server to avoid the attention of cybersecurity researchers.

The company’s report states that Pastebin is being used by attackers to download and execute secondary payloads, eliminating the need for a traditional command and control server entirely.

“Attackers are taking advantage of this service to post malicious data that can be accessed by malware through a shortened URL, thus allowing them to avoid the use of their own command and control (C2) infrastructure and therefore increasing the possibility of operating unnoticed,” say Palo Alto Networks researchers.

It is also believed that the use of Pastebin is intended to avoid detection by security products.

The attackers' payloads vary in form and format: some pastes are base64 encoded, others hide their true nature behind hexadecimal encoding and JSON; some pastes are compressed and others are plain text containing malicious URLs.

Among the samples examined by the experts, one payload turned out to be a .NET executable that abused Windows API functions for keylogging and data theft. Other samples, similar in function, required multiple levels of decoding before the final payload was revealed.
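The layered pastes described above (base64, hexadecimal, JSON wrappers and compression, sometimes nested several levels deep) are what an analyst has to unwrap during triage. The following helper is an added example, not code from the Palo Alto Networks report or from this article: it peels one recognised wrapper at a time until only plain content remains, then extracts any URLs. The nested sample paste is constructed here, uses the reserved `example.invalid` domain, and all names are my own.

```python
import base64, binascii, json, re, zlib

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")

def _json_strings(obj, out):
    # Collect every string value so URLs inside a config-like JSON document are kept.
    if isinstance(obj, str):
        out.append(obj)
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            _json_strings(v, out)

def _peel_one(layer: bytes):
    """Remove one wrapper; return (label, inner) or None if nothing applies."""
    if layer[:1] == b"\x78":                             # zlib header byte; raw bytes, not stripped
        try:
            return "zlib", zlib.decompress(layer)
        except zlib.error:
            pass
    text = re.sub(rb"\s+", b"", layer)                   # text encodings ignore whitespace
    if text[:1] in (b"{", b"["):                         # JSON wrapper around the real data
        try:
            strings = []
            _json_strings(json.loads(layer), strings)
            return "json", "\n".join(strings).encode()
        except (ValueError, UnicodeDecodeError):
            pass
    if len(text) >= 8 and len(text) % 2 == 0 and re.fullmatch(rb"[0-9A-Fa-f]+", text):
        return "hex", binascii.unhexlify(text)           # hex first: its alphabet is a base64 subset
    if len(text) >= 8 and re.fullmatch(rb"[A-Za-z0-9+/]+=*", text):
        try:
            inner = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            return None
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in inner) / max(len(inner), 1)
        # Accept only text or a wrapper we recognise, so plain words are not "decoded" into junk.
        if printable > 0.9 or inner[:2] == b"MZ" or inner[:1] == b"\x78":
            return "base64", inner
    return None

def peel_paste(paste: bytes, max_layers: int = 8):
    """Strip nested encodings; return (layer labels, final bytes, URLs found)."""
    layers, data = [], paste
    while len(layers) < max_layers and (step := _peel_one(data)) is not None:
        layers.append(step[0])
        data = step[1]
    return layers, data, [u.decode("ascii", "replace") for u in URL_RE.findall(data)]

# Constructed sample (not a real paste): URL list -> JSON config -> zlib -> base64 -> hex.
_URLS = "http://example.invalid/update.bin\nhttp://example.invalid/proxies.txt"
SAMPLE_PASTE = binascii.hexlify(base64.b64encode(
    zlib.compress(json.dumps({"cfg": {"dl": _URLS}}).encode())))
```

Running `peel_paste(SAMPLE_PASTE)` reports the wrapper order hex, base64, zlib, json and the two embedded URLs; a paste that is already plain text comes back with an empty layer list.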

The experts believe the JSON data may be malware configuration files. Pastebin content was also used by the attackers to point to downloads of other software, ProxyScraper for example.

“Based on our analysis, the malware authors are interested in placing their second-level payloads on Pastebin, as well as encrypting or obfuscating this data to bypass security solutions. There is a possibility that malware authors will use such Pastebin services in the long term,” the researchers conclude.

At the time of publication, the Pastebin C2 channel was still alive and being used by njRAT to deliver malicious payloads by downloading data hosted on Pastebin, which shows that this and other malware families can take advantage of public paste services.

As a reminder, we also reported that the njRAT trojan installed malicious npm packages on infected machines.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
