RSA Admin

Pastebin Used as Secondary Downloader for Malware Delivery

Blog Post created by RSA Admin Employee on Apr 30, 2013

Pastebin is a popular copy and paste site- used by developers for code sharing, and by data exfiltrators for offsite storage of sensitive information, and even by hacker groups to publish their various manifestos.  For several weeks I've had an Informer report running against our sandbox looking for any access by known malware into Pastebin.  I got several hits over the weekend.  And while pastebin is supposed to only house plain text copy-pastes, there is a way to encode an executable in Base64 and post it onto the site as text.  As you will see below, some malware downloaded two password stealing tools via plain text, decoded it, and installed it on our sandbox machines.

 

I was first alerted to the activity via an Informer Report.  If for some reason your enterprise is not blocking access to Pastebin, you might find this report useful in your Security Analytics Deployment.  It is attached below.  This report also looks for user-agent strings, and "autoit" is highlighted.  In most of the events in this report, a UA string is noticeably absent.

 

58053

So working from the top of the report down, there were 68 sessions going to this site:

http://pastebin.com/raw.php?i=c6axjjzj

And the results are base64 encoded.  It looks like:

ZHJpemVyLm5vLWlwLm9yZw==

 

There is a handy base64 decoder online here.  Pasting this code into that site reveals a domain name, likely used for secondary malware delivery:

drizer.no-ip.org

 

So you can see that decoding Base64 results can be pretty easy.  Now onto the executables in the second result in the report above.  The requested link was:

http://pastebin.com/raw.php?i=Xr6hkp4Z

 

And the base64 output is simply too long to go here.  I decoded it and downloaded the binary file, renamed it to an EXE, and the application file took on an icon that looked like this:

58054

Now using CEFF Explorer I could look into some of the details of this application:

58055

 

So this software is intended to swipe the stored passwords in browsers.  Another file link shown above also will reveal Base64 encoded tool to retrieve passwords from your email file store.

 

Bottom line is block access to pastebin, as there is no valid Enterprise use of the site that wouldn't introduce significant risk.  If you can't block it, keep an eye on what is being downloaded and requested, and if its base64 encoded, now you know how to decode it and investigate it.

 

Happy Hunting!

-Fielder

Attachments

Outcomes