The researchers write that the attackers use legitimate paste services such as paste.nrecom[.]net to host their payloads. This particular service is based on Stikked, an open-source Pastebin implementation, and has been operating since 2014.
Although the site accepts only plain text, not binary files, any data, including binary data, can be represented as ASCII, and that is exactly what the operators of the malware found by the specialists did.
“Since this service only works with text, you’d think you couldn’t place an executable file (binary data) there,” said Paul Kimayong of Juniper Threat Labs. “However, binary data can be represented as a text file just by encoding it. The usual encoding method in this case involves using base64. This is exactly what the intruders did.”
Moreover, before base64-encoding it, the attackers XOR-encrypted the binary payload to add another layer of obfuscation. Such data is hard to decode without knowing the correct XOR key.
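An analyst-side check for the layering just described, added here as an example and not taken from the Juniper report: it base64-decodes a paste body and tests whether a single-byte XOR key (an assumption; the report does not state the key length) turns it back into a PE file, deriving the key from the expected "MZ" magic and confirming it against the DOS stub string. The sample payload is constructed and is not a real executable.

```python
import base64
import binascii
from typing import Optional

# Constructed stand-in for a PE file: only the "MZ" magic and the DOS stub
# string matter for the check below. This is not a real executable.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."

DOS_STUB = b"This program cannot be run in DOS mode"


def encode_like_paste(data: bytes, key: int) -> str:
    """Reproduce the layering the article describes (XOR, then base64)
    so that the detector can be exercised on constructed input."""
    return base64.b64encode(bytes(b ^ key for b in data)).decode()


def find_xor_key(paste_text: str) -> Optional[int]:
    """Return the single-byte XOR key under which the base64 paste decodes
    to a PE image, 0 if the PE was only base64-encoded, or None if the
    paste is not base64 or does not look like an XORed executable."""
    try:
        blob = base64.b64decode(paste_text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # ordinary text or malformed base64
    if len(blob) < 2:
        return None
    # A PE begins with "MZ"; a single-byte key must map blob[0] back to "M".
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None  # the same key does not recover "Z", so not a single-byte XORed PE
    decoded = bytes(b ^ key for b in blob)
    # Confirm with the DOS stub string to rule out a chance two-byte match.
    return key if DOS_STUB in decoded else None
```

Monitoring pipelines that already pull paste bodies from proxy logs can feed them through find_xor_key; a non-None result is a strong signal that the paste carries an executable rather than text.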
According to the analysts, operators of malware such as Agent Tesla, W3Cryptolocker, Redline Stealer and LimeRAT use paste sites to distribute encrypted payloads.
An attack that abuses a paste site usually begins with a phishing email carrying an attachment, such as a document, archive, or executable file. The user is tricked into opening the malicious attachment, and the malware then downloads the next stages of the attack from paste.nrecom[.]net. The researchers also write that they observed malware that similarly hid its configuration data on paste sites.
The experts recommend that administrators monitor traffic to paste.nrecom in case it turns out to be malicious. The researchers note with regret that it is not always possible simply to block such resources, because they also have legitimate uses.
Let me remind you that recently the most popular paste site in the world, Pastebin,