Threat Actors Use Pastebin, Other Similar Services, to Store njRAT C2 Information


Friday, December 18th, 2020

Unit 42 researchers have been monitoring malware actors using njRAT, also known as Bladabindi, a notorious Remote Access Trojan (RAT), to download and deliver malicious payloads from Pastebin, a popular online website used to store and share data anonymously. njRAT installations observed during October of this year used a common ‘shipment tracking’ theme, mimicking popular courier and postal services, to deliver a ZIP-compressed archive attachment containing an encoded Visual Basic script (VBE) payload.

njRAT uses a downloader that reaches out to the attacker-supplied Pastebin URL and grabs the data from the anonymous paste. The payload data comes in different encodings, such as JSON, base64, hexadecimal, compressed blobs, and plain text, and these layers can be nested. Once the data is decoded, different types of malicious executables are created and run on the compromised host or loaded directly into memory.
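A responder who pulls one of these pastes needs to undo the same layers the downloader does before the hash can be compared with the IOC list. The following is an added triage example, not code from Unit 42 or from njRAT: the decoder order, the 8-layer cap and the sample blob are assumptions built to mirror the JSON, base64, hexadecimal, compressed and plain-text encodings described above.

```python
"""Peel the nested encodings an njRAT-style Pastebin downloader has to undo and
report what sits underneath.  Added example; not Unit 42 or njRAT code."""
import base64
import binascii
import hashlib
import json
import re
import zlib

MAX_LAYERS = 8  # hard stop so a crafted paste cannot make us loop forever


def _try_json(data: bytes):
    # Some pastes wrap the blob in JSON; take the first string value long enough
    # to be a payload (shorter values are treated as metadata).
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if isinstance(obj, str) and len(obj) >= 16:
        return obj.encode()
    if isinstance(obj, dict):
        for value in obj.values():
            if isinstance(value, str) and len(value) >= 16:
                return value.encode()
    return None


def _try_zlib(data: bytes):
    # zlib (0x78 ..) and gzip (1f 8b) both carry a header, so text cannot
    # accidentally inflate; raw deflate is deliberately not attempted.
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def _try_hex(data: bytes):
    stripped = data.strip()
    if not stripped or len(stripped) % 2:
        return None
    try:
        return binascii.unhexlify(stripped)
    except (binascii.Error, ValueError):
        return None


def _try_base64(data: bytes):
    # Only the base64 alphabet plus line wrapping is accepted, so a plain-text
    # script (spaces, punctuation) is not mistaken for an encoded layer.
    stripped = data.strip()
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n]{8,}", stripped) is None:
        return None
    try:
        return base64.b64decode(b"".join(stripped.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


# Hex is tried before base64 on purpose: every hex string is also syntactically
# valid base64, but not the other way round.
DECODERS = (("json", _try_json), ("zlib", _try_zlib),
            ("hex", _try_hex), ("base64", _try_base64))


def peel(blob: bytes):
    """Return (layer names, innermost bytes).  Stops at an MZ header, when no
    decoder accepts the data, or after MAX_LAYERS."""
    layers, data = [], blob
    for _ in range(MAX_LAYERS):
        if data[:2] == b"MZ":
            break
        for name, decoder in DECODERS:
            out = decoder(data)
            if out is not None and out != data:
                layers.append(name)
                data = out
                break
        else:
            break
    return layers, data


def triage(blob: bytes) -> dict:
    """Summary a responder can compare against the hash IOCs in this post."""
    layers, inner = peel(blob)
    return {
        "layers": layers,
        "is_pe": inner[:2] == b"MZ",
        "size": len(inner),
        "sha256": hashlib.sha256(inner).hexdigest(),
    }


def build_sample() -> bytes:
    """Constructed input, not a real paste: a minimal MZ stub wrapped
    zlib -> base64 -> JSON, the order a downloader would have to unwrap."""
    stub = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-TEST-STUB-NOT-A-REAL-PE"
    encoded = base64.b64encode(zlib.compress(stub)).decode("ascii")
    return json.dumps({"id": 1, "data": encoded}).encode("utf-8")


if __name__ == "__main__":
    print(triage(build_sample()))
```

The reported SHA-256 is of the innermost blob, which is what the "Second Stage" hashes below refer to; the outer paste text hashes to something entirely different, so compare the right layer.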

Like most other trojans, njRAT's goal is to collect sensitive data from compromised hosts and their users. Its capabilities include:

  • Keylogging
  • Harvesting of browser passwords
  • Screen and video capture
  • File manipulations
  • Installing and uninstalling software

njRAT is a popular RAT used by a variety of threat actors, so it is unclear which threat group is behind this evolution of njRAT usage. Attacks have ranged from targeting government organizations to targeting other hacker groups with the intent of stealing their tools (in one attack, the Russian threat actor Turla compromised the Iranian group OilRig and obtained its tools).

The research supports the idea that malware authors are interested in hosting their second-stage payloads on Pastebin and encrypting or obfuscating that data to evade security solutions. There is a possibility that malware authors will keep using services like Pastebin for the long term.


Indicators of Compromise (IOC):

  • Samples
    • 03c7015046ef4e39a209384f2632812fa561bfacffc8b195542930e91fa6dceb
    • 205341c9ad85f4fc99b1e2d0a6a5ba5c513ad33e7009cdf5d2864a422d063aba
    • 2270b21b756bf5b5b1b5002e844d0abe10179c7178f70cd3f7de02473401443a
    • 54cf2d7b27faecfe7f44fb67cb608ce5e33a7c00339d13bb35fdb071063d7654
    • 54d7ee587332bfb04b5bc00ca1e8b6c245bb70a52f34835f9151b9978920b6d7
    • 678a25710addeefd8d42903ceddd1c82c70b75c37a80cf2661dab7ced6732cd3
    • 67cbb963597abb591b8dc527e851fc8823ff22d367f4b580eb95dfad7e399e66
    • 6817906a5eff7b02846e4e6a492ee57c2596d3f19708d8483bef7126faa7267f
    • 69366be315acc001c4b9b10ffc67dad148e73ca46e5ec23509f9bb3eedcd4c08
    • 94c2196749457b23f82395277a47d4380217dd821d0a6592fc27e1e375a3af70
    • 94e648c0166ee2a63270772840f721ba52a73296159e6b72a1428377f6f329ad
    • 96640d0c05dd83bb10bd7224004056e5527f6fad4429beaf4afa7bad9001efb7
    • 97227c346830b4df87c92fce616bdec2d6dcbc3e6de3f1c88734fe82e2459b88
    • 97b943a45b4716fcea4c73dce4cefe6492a6a51e83503347adcd6c6e02261b84
    • 9ba0126bd6d0c4b41f5740d3099e1b99fed45b003b78c500430574d57ad1ad39
    • bd2387161cc077bfca0e0aae5d63820d1791f528feef65de575999454762d617
  • Second Stage
    • 9982c4d431425569a69a022a7a7185e8c47783a792256f4c5420f9e023dee12a
    • d347080fbc66e680e2187944efbca11ff10dc5bfcc76c815275c4598bb410ef6
    • 30c071a9e0207f0ca98105c40ac60ec50104894f3e4ed0fb1e7b901f56d14ad4
    • 231d52100365c14be32e2e81306b2bb16c169145a8dbcdc8f921c23d7733cef0
    • fd5c731bb53c4e94622e016d83e4c0d605baf8e34c7960f72ff2953c65f0084c
    • b3730931aaa526d0189aa267aa0d134eb89e538d79737f332223d3fc697c4f5a
    • 75b833695a12e16894a1e1650ad7ed51e6f8599ceaf35bbd8e9461d3454ab711
    • 6d0b09fe963499999af2c16e90b6f8c5ac51138509cc7f3edb4b35ff8bef1f12
    • 2af1bb05a5fde5500ea737c08f1b675a306150a26610d2ae3279f8157a3cb4df
    • db8ca46451a6c32e3b7901b50837500768bb913cafb5e12e2111f8b264672219
    • 5ebb875556caefb78d5050e243f0efb9c2c8e759c9b32a426358de0c391e8185
    • bdc33dbdfd92207ad88b6feb3066bb662a6ca5cf02710870cae38320bb3a35bf
    • 08f378fe42aec892e6eb163edc3374b0e2eb677bd01e398addd1b1fca4cd23c4
  • URLs
    • Active
      • hxxp://pastebin[.]com/raw/JKqwsAs6
      • hxxp://pastebin[.]com/raw/pc9QbQCK
      • hxxp://pastebin[.]com/raw/Rpx7tm9N
      • hxxp://pastebin[.]com/raw/hsGSLP89
      • hxxp://pastebin[.]com/raw/HNkipzLK
      • hxxp://pastebin[.]com/raw/Z3mcNqjz
      • hxxp://pastebin[.]com/raw/h5yBCwpY
      • hxxp://pastebin[.]com/raw/zHLUaPvW
      • hxxp://pastebin[.]com/raw/V6UWZm2n
      • hxxp://pastebin[.]com/raw/rTjmne99
      • hxxp://pastebin[.]com/raw/JMkdgr4h
      • hxxp://pastebin[.]com/raw/yPTNdYRN
      • hxxp://pastebin[.]com/raw/q56JPtdY
      • hxxp://pastebin[.]com/raw/a3U5MMj2
      • hxxp://pastebin[.]com/raw/E4MB4MFj
      • hxxp://pastebin[.]com/raw/770qPDMt
      • hxxp://pastebin[.]com/raw/YtuXz7YX
      • hxxp://pastebin[.]com/raw/LKRwaias
      • hxxp://pastebin[.]com/raw/ZFchNrpH
      • hxxp://pastebin[.]com/raw/8DEsZn2y
    • Inactive
      • hxxp://pastebin[.]com/raw/TWQYHv9Y
      • hxxp://pastebin[.]com/raw/0HpgqDt2
      • hxxp://pastebin[.]com/raw/1t8LPE7R
      • hxxp://pastebin[.]com/raw/3vsJLpWu
      • hxxp://pastebin[.]com/raw/6MFWAdWS
      • hxxp://pastebin[.]com/raw/AqndxJKK
      • hxxp://pastebin[.]com/raw/SdcQ9yPM
      • hxxp://pastebin[.]com/raw/XMKKNkb0
      • hxxp://pastebin[.]com/raw/ZM6QyknC
      • hxxp://pastebin[.]com/raw/pMDgUv62
      • hxxp://pastebin[.]com/raw/yEw5XbvF
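The URL IOCs are listed defanged and in the exact http://.../raw/ form the downloader used, but the same paste is reachable over https and without /raw/, so matching on the paste ID catches more than a string compare would. The following is an added example, not Unit 42 tooling: three of the IOC entries above are copied in, the proxy log layout and the log lines are constructed, and the paste-ID length is assumed from the list.

```python
"""Refang the defanged Pastebin URLs from the IOC list and sweep proxy log
lines for fetches of those pastes.  Added example; not Unit 42 code."""
import re
from urllib.parse import urlsplit

# Subset of the URL IOCs above, in their defanged form.
DEFANGED_IOCS = (
    "hxxp://pastebin[.]com/raw/JKqwsAs6",
    "hxxp://pastebin[.]com/raw/pc9QbQCK",
    "hxxp://pastebin[.]com/raw/TWQYHv9Y",
)


def refang(url: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] and (.) -> ."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def paste_id(url: str):
    """Paste ID for a pastebin.com URL (with or without /raw/), else None.
    Every ID in the IOC list is 8 alphanumerics, so that is what is accepted."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in ("pastebin.com", "www.pastebin.com"):
        return None
    m = re.fullmatch(r"/(?:raw/)?([A-Za-z0-9]{8})/?", parts.path)
    return m.group(1) if m else None


KNOWN_IDS = frozenset(paste_id(refang(u)) for u in DEFANGED_IOCS)

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan(lines):
    """One record per pastebin fetch; 'known' marks a paste from the IOC list.
    Unknown pastes are still reported, because a workstation pulling any paste
    during a delivery wave deserves a look even if the ID has not been published."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or unrelated line
        pid = paste_id(m["url"])
        if pid is None:
            continue  # not a pastebin.com paste
        hits.append({"ts": m["ts"], "src": m["src"],
                     "paste_id": pid, "known": pid in KNOWN_IDS})
    return hits


# Constructed log lines, not a real capture.
SAMPLE_LOG = [
    "2020-10-07T09:12:44Z 10.0.0.21 GET http://pastebin.com/raw/JKqwsAs6 200",
    "2020-10-07T09:12:45Z 10.0.0.21 GET https://pastebin.com/raw/pc9QbQCK 200",
    "2020-10-07T09:13:01Z 10.0.0.33 GET https://pastebin.com/zzzzzzzz 200",
    "2020-10-07T09:13:05Z 10.0.0.33 GET https://example.com/track/1234 200",
    "unparseable line that the scanner must skip",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the pastes marked "Inactive" above can be deleted and their IDs are never reissued, a historical hit on one is still a reliable signal; only the "Active" ones are worth fetching for the triage step.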
