• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Cyber Crime
  • Malware
  • Sucuri firm discovered Backdoors relying on the Pastebin Service

Sucuri firm discovered Backdoors relying on the Pastebin Service

Pierluigi Paganini January 08, 2015

The popular copy and paste website Pastebin has been leveraged by hackers to serve a backdoor to millions of users by exploiting flaws in a WordPress plugin.

Malware authors have demonstrated a great inventiveness using any kind of platform and technique to control their malicious code. Security experts have detected botnet controlled via Gmail drafts, Evernote or any other platform that could allow attackers to hide malicious traffic.

Last discovery is the use of the Pastebin platform, the popular copy and paste website ‘Pastebin‘, to control their malware and spread malicious backdoor code. At the moment, it is still unclear how widespread this malicious backdoor is, but the researchers suspect that it could be significant.

A blog post published by Sucuri firm details how hackers exploit a vulnerability in older versions of the popular RevSlider WordPress plugin to spread a new backdoor variant that relies on the Pastebin.com service for hosting malicious files.

“It’s more or less a typical backdoor. It downloads malicious code from a remote server and saves it in a file on a compromised site, making it available for execution. What makes this backdoor interesting is the choice of the remote server. It’s not being hosted on a hackers’ own site, not even a compromised site — now it’s Pastebin.com — the most popular web application for sharing code snippets.” wrote Denis Sinegubko, senior malware researcher at Sucuri.

The attackers scan websites searching for the vulnerable RevSlider plugin, once discovered they exploit a second vulnerability in Revslider in order to upload a malicious backdoor to the website.

Pastebin backdoor code

“Technically, the criminals used Pastebin for what it was built for – to share code snippets,” Sinegubko wrote in a blog post. “The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website.”

Experts at Sucuri discovered a stub of code used to inject the content of a Base64-encoded $temp variable into a WordPress core wp-links-opml.php file. Researchers discovered that a piece of code is being downloaded from Pastebin.com, saved to a file and immediately executed.

The code relies on the parameter, wp_nonce_once, that  hides the Pastebin URL of the page hosting the malicious code. The backdoor is practically able to download and execute any code snippet hosted on the Pastebin website just by passing a request through that wp-links-opml.php file.

“The use of the wp_nonce_once parameter hides the URL of malicious pastes (which makes it difficult to block) and at the same time adds flexibility to the backdoor — now it can download and execute any Pastebin.com snippet — even those that don’t exist at the time of injection — you just need to pass their ID’s in the request to wp-links-opml.php.”

Decoded backdoor that uses pastebin

Denis Sinegubko also refers the availability online for the an encoder, dubbed PHP Encryptor by Yogyakarta Black Hat or by FathurFreakz, which was designed by Indonesian hackers to work with Pastebin.com. The encoder is able to generate a paste of any PHP code directly on Pastebin.com and then specify the URL of the code in the encryptor, the result is a an obfuscated code deployed on the popular website.any PHP code directly on Pastebin.com and then specify the URL of the code in the encryptor, the result is a an obfuscated code deployed on the popular website.

The discovery made by the experts at Sucuri demonstrates that hackers are opting for a massive use of Pastebin in live attacks and it is an alarm bell for website administrators that need to maintain updated their own CMS to prevent the exploitation of flaws in the plugins opening the doors to cybercriminals

“This time we see relatively massive use of Pastebin in live attacks, which is quite new to us. This also suggests that we, security researchers, should be more careful when sharing malicious code we find in public pastes – it is easy for hackers to reuse them directly from Pastebin.com. It would be a good idea, before sharing, to make some obvious modification to the code that would prevent its execution when downloaded in a raw format.” states the post

A few weeks ago, Sucuri discovered a new type of strain of malware, dubbed SoakSoak, that targeted WordPress platforms compromising more than 100,000 websites worldwide and still counting. In response, Google blacklisted over 11,000 domains because they were used to serve malware that has been brought by SoakSoak.ru, for this reason the malicious campaign has been dubbed the ‘SoakSoak Malware’ epidemic.

Pierluigi Paganini

(Security Affairs –  Pastebin, malware)


facebook linkedin twitter

backdoor CMS Cybercrime Hacking malware Pastebin Sucuri Wordpress WordPress plugin

you might also like

Pierluigi Paganini July 26, 2025
Law enforcement operations seized BlackSuit ransomware gang’s darknet sites
Read more
Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT