Pierluigi Paganini
January 08, 2015
Malware authors have demonstrated a great inventiveness using any kind of platform and technique to control their malicious code. Security experts have detected botnet controlled via Gmail drafts, Evernote or any other platform that could allow attackers to hide malicious traffic.
Last discovery is the use of the Pastebin platform, the popular copy and paste website ‘Pastebin‘, to control their malware and spread malicious backdoor code. At the moment, it is still unclear how widespread this malicious backdoor is, but the researchers suspect that it could be significant.
A blog post published by Sucuri firm details how hackers exploit a vulnerability in older versions of the popular RevSlider WordPress plugin to spread a new backdoor variant that relies on the Pastebin.com service for hosting malicious files.
“It’s more or less a typical backdoor. It downloads malicious code from a remote server and saves it in a file on a compromised site, making it available for execution. What makes this backdoor interesting is the choice of the remote server. It’s not being hosted on a hackers’ own site, not even a compromised site — now it’s Pastebin.com — the most popular web application for sharing code snippets.” wrote Denis Sinegubko, senior malware researcher at Sucuri.
The attackers scan websites searching for the vulnerable RevSlider plugin, once discovered they exploit a second vulnerability in Revslider in order to upload a malicious backdoor to the website.
“Technically, the criminals used Pastebin for what it was built for – to share code snippets,” Sinegubko wrote in a blog post. “The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website.”
Experts at Sucuri discovered a stub of code used to inject the content of a Base64-encoded $temp variable into a WordPress core wp-links-opml.php file. Researchers discovered that a piece of code is being downloaded from Pastebin.com, saved to a file and immediately executed.
The code relies on the parameter, wp_nonce_once, that hides the Pastebin URL of the page hosting the malicious code. The backdoor is practically able to download and execute any code snippet hosted on the Pastebin website just by passing a request through that wp-links-opml.php file.
“The use of the wp_nonce_once parameter hides the URL of malicious pastes (which makes it difficult to block) and at the same time adds flexibility to the backdoor — now it can download and execute any Pastebin.com snippet — even those that don’t exist at the time of injection — you just need to pass their ID’s in the request to wp-links-opml.php.”
Denis Sinegubko also refers the availability online for the an encoder, dubbed PHP Encryptor by Yogyakarta Black Hat or by FathurFreakz, which was designed by Indonesian hackers to work with Pastebin.com. The encoder is able to generate a paste of any PHP code directly on Pastebin.com and then specify the URL of the code in the encryptor, the result is a an obfuscated code deployed on the popular website.any PHP code directly on Pastebin.com and then specify the URL of the code in the encryptor, the result is a an obfuscated code deployed on the popular website.
The discovery made by the experts at Sucuri demonstrates that hackers are opting for a massive use of Pastebin in live attacks and it is an alarm bell for website administrators that need to maintain updated their own CMS to prevent the exploitation of flaws in the plugins opening the doors to cybercriminals
“This time we see relatively massive use of Pastebin in live attacks, which is quite new to us. This also suggests that we, security researchers, should be more careful when sharing malicious code we find in public pastes – it is easy for hackers to reuse them directly from Pastebin.com. It would be a good idea, before sharing, to make some obvious modification to the code that would prevent its execution when downloaded in a raw format.” states the post
A few weeks ago, Sucuri discovered a new type of strain of malware, dubbed SoakSoak, that targeted WordPress platforms compromising more than 100,000 websites worldwide and still counting. In response, Google blacklisted over 11,000 domains because they were used to serve malware that has been brought by SoakSoak.ru, for this reason the malicious campaign has been dubbed the ‘SoakSoak Malware’ epidemic.
(Security Affairs – Pastebin, malware)
