Malvar downloads peyloads from paste sites

Malvar downloads peyloads from paste sites

Juniper experts identified numerous malicious campaigns that are used to deliver payload paste sites (instead of conventional C&C servers). Thus, hackers hide their malicious code in plain sight and, among other things, save on infrastructure.

The researchers write that the attackers use legitimate paste-services like paste.nrecom[.]net to host their pailoads. For example, this service is based on the Onsource implementation of Pastebin, which is called Strikked, and has been working since 2014.

Although the site only supports plain text files, not binary files, as we know, any data, including binary data, can be represented as ASCII. This is exactly what the operators of the malvari found by the specialists did.

“Since this service only works with text, you’d think you couldn’t place an executable file (binary data) there,” said Paul Kimayong of Juniper Threat Labs. – However, binary data can be represented as a text file just by encoding it. The usual encoding method in this case involves using base64. This is exactly what the intruders did.


Moreover, before using base64, the binary palyload was subjected to XOR encryption to add another layer of obfuscation to the threat. Such data is difficult to decrypt without knowing the correct XOR key.


According to analysts, for the distribution of encrypted paleloads paste-sites use operators such malvari, as Agent Tesla, W3Cryptolocker, Redline Stealer and LimeRAT.

An attack that exploits a paste site usually begins with a phishing letter containing an attachment, such as a document, archive, or executable file. The user is tricked into opening such a malicious attachment, and the malware is downloaded from paste.nrecom[.]net for the next stages of the attack. The researchers also write that they observed a malware that similarly hid its configuration data on paste sites.

The experts recommend administrators to monitor traffic from paste.nrecom, in case it turns out to be malicious. The researchers note with regret that it is not always possible to simply block such resources, because of their legal use.

Let me remind you that recently the most popular paste site in the world, Pastebin, introduced two new features, which caused a wave of criticism from IS specialists: Burn After Read and Password Protected Pastes. At that time, IS experts recommended blocking Pastebin and other similar sites in corporate networks, as everyone knows that they are abused by attackers, and therefore, such resources should be treated accordingly.


Taken from this site

WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: