To facilitate their nefarious activities, various new malware campaigns have been spotted using Pastebin-style services. Paste sites enable attackers to hide their malicious code in plain sight instead of delivering payload from a dedicated Command-and-Control (C&C) server.
To host the malicious payload malware campaigns relying on legitimate paste services like paste.nrecom.net according to researchers.
Operating since 2014, this service is based on an open-source Pastebin implementation called Strikked.
Any data – including binary can be encoded and represented as ASCII since the paste site only supports plaintext files and not binary. This behavior was exhibited by the malware that was noticed by various researchers.
Give that it’s only a text-only service, it is assumed that it cannot host an executable file (binary data) into it. However, binary data can be represented as a text file by simply encoding it. Base64 the most common encoding method is being used here, which is what the threat actors have chosen to do in this scenario.
The binary payload underwent an XOR encryption, to add a layer of obfuscation before being base64-encoded.
Obfuscation using XOR operations is a technique used to “scramble” the data to make it hard to decipher without knowing the correct “XOR key.”
Different Malware Campaigns
Agent Tesla, W3Cryptolocker Ransomware, Redline Stealer, and LimeRAT are some of the malware campaigns leveraging the paste service to distribute encrypted payload.
What is commonly seen in such campaigns, the attack usually starts with a phishing email that includes an attachment, such as a document, archive, or an executable.
An example of a phishing email sent to lure victims of Agent Tesla campaign into downloading the malicious file is shown below –
Researchers have noticed the malware-hosting their configuration data in the same service after a user is tricked into installing the malicious attachment (first stage), it downloads the next stages from paste.nrecom.net.
Using this tactic works in favour of the threat actor since these sites cannot be easily blocked by policy due to their legitimate use-cases.
Our in-house experts advise monitoring the traffic carefully in such a scenario such as base64-encoded binary data in transit.
To read more, please check eScan Blog