Sucuri firm discovered Backdoors relying on the Pastebin Service

Pierluigi Paganini January 08, 2015

The popular copy and paste website Pastebin has been leveraged by hackers to serve a backdoor to millions of users by exploiting flaws in a WordPress plugin.

Malware authors have demonstrated a great inventiveness using any kind of platform and technique to control their malicious code. Security experts have detected botnet controlled via Gmail drafts, Evernote or any other platform that could allow attackers to hide malicious traffic.

Last discovery is the use of the Pastebin platform, the popular copy and paste website ‘Pastebin‘, to control their malware and spread malicious backdoor code. At the moment, it is still unclear how widespread this malicious backdoor is, but the researchers suspect that it could be significant.

A blog post published by Sucuri firm details how hackers exploit a vulnerability in older versions of the popular RevSlider WordPress plugin to spread a new backdoor variant that relies on the service for hosting malicious files.

“It’s more or less a typical backdoor. It downloads malicious code from a remote server and saves it in a file on a compromised site, making it available for execution. What makes this backdoor interesting is the choice of the remote server. It’s not being hosted on a hackers’ own site, not even a compromised site — now it’s — the most popular web application for sharing code snippets.” wrote Denis Sinegubko, senior malware researcher at Sucuri.

The attackers scan websites searching for the vulnerable RevSlider plugin, once discovered they exploit a second vulnerability in Revslider in order to upload a malicious backdoor to the website.

Pastebin backdoor code

“Technically, the criminals used Pastebin for what it was built for – to share code snippets,” Sinegubko wrote in a blog post. “The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website.”

Experts at Sucuri discovered a stub of code used to inject the content of a Base64-encoded $temp variable into a WordPress core wp-links-opml.php file. Researchers discovered that a piece of code is being downloaded from, saved to a file and immediately executed.

The code relies on the parameter, wp_nonce_once, that  hides the Pastebin URL of the page hosting the malicious code. The backdoor is practically able to download and execute any code snippet hosted on the Pastebin website just by passing a request through that wp-links-opml.php file.

“The use of the wp_nonce_once parameter hides the URL of malicious pastes (which makes it difficult to block) and at the same time adds flexibility to the backdoor — now it can download and execute any snippet — even those that don’t exist at the time of injection — you just need to pass their ID’s in the request to wp-links-opml.php.”

Decoded backdoor that uses pastebin

Denis Sinegubko also refers the availability online for the an encoder, dubbed PHP Encryptor by Yogyakarta Black Hat or by FathurFreakz, which was designed by Indonesian hackers to work with The encoder is able to generate a paste of any PHP code directly on and then specify the URL of the code in the encryptor, the result is a an obfuscated code deployed on the popular website.any PHP code directly on and then specify the URL of the code in the encryptor, the result is a an obfuscated code deployed on the popular website.

The discovery made by the experts at Sucuri demonstrates that hackers are opting for a massive use of Pastebin in live attacks and it is an alarm bell for website administrators that need to maintain updated their own CMS to prevent the exploitation of flaws in the plugins opening the doors to cybercriminals

“This time we see relatively massive use of Pastebin in live attacks, which is quite new to us. This also suggests that we, security researchers, should be more careful when sharing malicious code we find in public pastes – it is easy for hackers to reuse them directly from It would be a good idea, before sharing, to make some obvious modification to the code that would prevent its execution when downloaded in a raw format.” states the post

A few weeks ago, Sucuri discovered a new type of strain of malware, dubbed SoakSoak, that targeted WordPress platforms compromising more than 100,000 websites worldwide and still counting. In response, Google blacklisted over 11,000 domains because they were used to serve malware that has been brought by, for this reason the malicious campaign has been dubbed the ‘SoakSoak Malware’ epidemic.

Pierluigi Paganini

(Security Affairs –  Pastebin, malware)

you might also like

leave a comment