Analysts from Palo Alto Networks report that at least since October of this year, operators of the njRAT trojan have been using Pastebin as a control server to avoid the attention of cybersecurity researchers.
The company’s report states that Pastebin is being used by attackers to download and execute secondary payloads, eliminating the need for a traditional command and control server entirely.It is also believed that the use of Pastebin is intended to avoid detection by security products.
Hacker payloads vary in form and format. So, in some cases, the dumps are base64 encoded, in other cases their true nature is hidden by hexadecimal encoding and JSON; some dumps are compressed and others are plain text containing malicious URLs.
Among the samples examined by the experts, one payload turned out to be a .NET executable and abused Windows API functions for keylogging and data theft. Other samples, similar in function, required multiple levels of decoding to detect the final payload.
Experts believe that JSON data can in theory be malware configuration files. Also, the content from Pastebin was used by hackers to indicate downloads of various software, including, for example, ProxyScraper.
At the time of posting the material, the Pastebin C2 tunnel is still alive and being used by njRAT to deliver malicious payloads by downloading data hosted in Pastebin, allowing this and other malware families to take advantage of paste-based public services.
Let me remind you that we also talked that njRAT trojan installed malicious npm packages on infected machines.
