This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Pastebin Used as Secondary Downloader for Malware Delivery

RSAAdmin
Beginner
Beginner
‎2013-04-30 01:01 PM

Pastebin is a popular copy and paste site- used by developers for code sharing, and by data exfiltrators for offsite storage of sensitive information, and even by hacker groups to publish their various manifestos.  For several weeks I've had an Informer report running against our sandbox looking for any access by known malware into Pastebin.  I got several hits over the weekend.  And while pastebin is supposed to only house plain text copy-pastes, there is a way to encode an executable in Base64 and post it onto the site as text.  As you will see below, some malware downloaded two password stealing tools via plain text, decoded it, and installed it on our sandbox machines.

 

I was first alerted to the activity via an Informer Report.  If for some reason your enterprise is not blocking access to Pastebin, you might find this report useful in your Security Analytics Deployment.  It is attached below.  This report also looks for user-agent strings, and "autoit" is highlighted.  In most of the events in this report, a UA string is noticeably absent.

 

pastebinreport.JPG.jpg

So working from the top of the report down, there were 68 sessions going to this site:

http://pastebin.com/raw.php?i=c6axjjzj

And the results are base64 encoded.  It looks like:

ZHJpemVyLm5vLWlwLm9yZw==

 

There is a handy base64 decoder online here.  Pasting this code into that site reveals a domain name, likely used for secondary malware delivery:

drizer.no-ip.org

 

So you can see that decoding Base64 results can be pretty easy.  Now onto the executables in the second result in the report above.  The requested link was:

http://pastebin.com/raw.php?i=Xr6hkp4Z

 

And the base64 output is simply too long to go here.  I decoded it and downloaded the binary file, renamed it to an EXE, and the application file took on an icon that looked like this:

decodedbase64app.JPG.jpg

Now using CEFF Explorer I could look into some of the details of this application:

ceff-view.JPG.jpg

 

So this software is intended to swipe the stored passwords in browsers.  Another file link shown above also will reveal Base64 encoded tool to retrieve passwords from your email file store.

 

Bottom line is block access to pastebin, as there is no valid Enterprise use of the site that wouldn't introduce significant risk.  If you can't block it, keep an eye on what is being downloaded and requested, and if its base64 encoded, now you know how to decode it and investigate it.

 

Happy Hunting!

-Fielder

pastebin-access.zip
pastebin-access.zip
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.