Operators of the njRAT Remote Access Trojan (RAT) are leveraging Pastebin C2 tunnels to avoid scrutiny by cybersecurity researchers.
On Wednesday, Palo Alto Networks’ Unit 42 cybersecurity team said njRAT, also known as Bladabindi, is being used to download and execute secondary-stage payloads from Pastebin, scrapping the need to establish a traditional command-and-control (C2) server altogether.
Since October, at the least, operators have used Pastebin, a text storage and release platform, as a host for payloads which differ in form and shape. In some cases, dumps are base64 encoded, in others, hexadecimal and JSON data masks the true nature of a dump, some are compressed blobs, and others are simply plaintext instructions containing embedded, malicious URLs.
The team says that njRAT variants will call upon shortened URLs linking to Pastebin in an attempt to “evade detection by security products and increase the possibility of operating unnoticed.”
Developed in .NET, njRAT is a widely-used Trojan that is able to hijack the functions of a compromised machine remotely, including taking screenshots, exfiltrating data, keylogging, and killing processes such as antivirus programs. In addition, the RAT is able to execute secondary, malicious payloads and connect infected PCs to botnets.
The “Pastebin C2 tunnel” now in use, as described by the researchers, creates a pathway between njRAT infections and new payloads. With the Trojan acting as a downloader, it will grab encoded data dumped on Pastebin, decode, and deploy.
In samples viewed by the team, one payload was decoded as a .NET executable that abuses Windows API functions for keylogging and data theft. Other samples, similar in function, required multiple layers of decoding to reveal the final payload.
JSON-formatted data, disguised on Pastebin, is believed to potentially act as configuration files for the malware. Pastebin dumps have also been used to point toward software downloads, including links to ProxyScraper.
Palo Alto says the Pastebin-based command architecture is still active and utilized by the RAT to deliver secondary payloads.
“Based on our research, malware authors are interested in hosting their second-stage payloads in Pastebin and encrypting or obfuscating such data as a measure to evade security solutions,” the team says. “There is a possibility that malware authors will use services like Pastebin for the long term.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0