njRAT RAT operators leverage Pastebin C2 tunnels to avoid detection

Threat actors behind the njRAT Remote Access Trojan (RAT) are leveraging active Pastebin Command and Control Tunnels to avoid detection.

Researchers from Palo Alto Networks’ Unit 42 reported that operators behind the njRAT Remote Access Trojan (RAT), aka Bladabindi, are leveraging Pastebin Command and Control tunnels to avoid detection. 

“In observations collected since October 2020, Unit 42 researchers have found that malware authors have been leveraging njRAT (also known as Bladabindi), a Remote Access Trojan, to download and deliver second-stage payloads from Pastebin, a popular website that is well-known to be used to store data anonymously.” reads the post published by Palo Alto Networks. “Attackers are taking advantage of this service to post malicious data that can be accessed by malware through a shortened URL, thus allowing them to avoid the use of their own command and control (C2) infrastructure and therefore increasing the possibility of operating unnoticed.”

njRAT is a popular .NET RAT that allows operators to take over the infected machine, it supports multiple functionalities including taking screenshots, exfiltrating data, keylogging, killing processes such as antivirus programs, and downloading second-stage payloads. 

Al least since October, operators are hosting their payloads on Pastebin, the downloader uses traditional base64 encoding.

The malware is being used to download and execute secondary-stage payloads from Pastebin.

One of the payloads analyzed by the experts was decoded as a .NET executable that abuses Windows API functions for info stealing.

“Once decoded, the final payload is revealed as a 32-bit .NET executable, which makes use of several Windows API functions including GetKeyboardState(), GetAsynckeyState(), MapVirtualKey(), etc. These are commonly used by keyloggers and Trojans, as well as by functions used to potentially exfiltrate user data.” continues the analysis. “It is also worth noting that the downloader and second-stage executables are similar in their functionality and code.”

Other samples, similar in function, required multiple layers of decoding to reveal the final payload. 

Experts also analyzed JSON-formatted data stored on Pastebin that were potentially used as configuration files for the malware.

Palo Alto Networks also analyzed Proxy Scraper dropped by HTML response. The malware parses the HTML page in order to get the link to download other payloads.

“Based on our research, malware authors are interested in hosting their second-stage payloads in Pastebin and encrypting or obfuscating such data as a measure to evade security solutions,” Palo Alto Network concludes. “There is a possibility that malware authors will use services like Pastebin for the long term.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, njRAT)

[adrotate banner=”5″]

[adrotate banner=”13″]