njRAT operators leverage Pastebin C2 tunnels to avoid detection

Researchers from Palo Alto Networks’ Unit 42 reported that operators behind the njRAT Remote Access Trojan (RAT), aka Bladabindi, are leveraging Pastebin Command and Control tunnels to avoid detection.

“In observations collected since October 2020, Unit 42 researchers have found that malware authors have been leveraging njRAT (also known as Bladabindi), a Remote Access Trojan, to download and deliver second-stage payloads from Pastebin, a popular website that is well-known to be used to store data anonymously.” reads the post published by Palo Alto Networks. “Attackers are taking advantage of this service to post malicious data that can be accessed by malware through a shortened URL, thus allowing them to avoid the use of their own command and control (C2) infrastructure and therefore increasing the likelihood of going undetected.”

njRAT is a popular .NET RAT that allows operators to take control of the infected machine; it supports multiple functionalities, including taking screenshots, exfiltrating data, keylogging, killing processes such as antivirus programs, and downloading second-stage payloads.

At least since October, operators have been hosting their payloads on Pastebin, and the downloader uses traditional base64 encoding.

The malware is being used to download and execute second-stage payloads from Pastebin.

One of the payloads analyzed by the experts was decoded as a .NET executable that uses API functions for information stealing.

“Once decoded, the final payload is revealed as a 32-bit .NET executable, which makes use of several API functions including GetKeyboardState(), GetAsyncKeyState(), MapVirtualKey(), and so forth. These are commonly used by keyloggers and Trojans, as well as by functions used to potentially exfiltrate user data.” continues the analysis. “It is also worth noting that the downloader and second-stage executables are alike in their functionality and code.”

Other samples, similar in function, required multiple layers of decoding to reveal the final payload. The experts also analyzed JSON-formatted data stored on Pastebin that could potentially be used as configuration files for the malware.

Palo Alto Networks also analyzed a Proxy Scraper dropped via an HTML response. The malware parses the HTML page in order to obtain the link used to download further payloads.
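The report describes three kinds of Pastebin content in this campaign: base64-encoded second-stage executables (sometimes wrapped in several encoding layers), .NET payloads, and JSON configuration data. The following triage helper is an added example written for this article; it is not code from Unit 42 or from the malware, and its markers (the `MZ` header, CLR-related strings such as `mscoree.dll`, a JSON parse) are ordinary analyst heuristics, not anything the report specifies. Given a paste body retrieved from a proxy log or sandbox, it peels nested base64 layers until the content stops decoding and labels what remains. The sample pastes at the bottom are constructed for the demonstration and are not real njRAT artefacts.

```python
import base64
import binascii
import json
import re

# Heuristic markers for the decoded-payload stage (assumptions, not from the report).
MZ_MAGIC = b"MZ"                                            # DOS/PE header magic
DOTNET_HINTS = (b"mscoree.dll", b"_CorExeMain", b"BSJB")    # CLR import / metadata signature

_B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def try_base64(data: bytes):
    """Return decoded bytes if `data` is one clean layer of standard base64, else None."""
    stripped = re.sub(rb"\s+", b"", data)                   # pastes are often line-wrapped
    if not stripped or len(stripped) % 4 != 0 or not _B64_RE.fullmatch(stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (ValueError, binascii.Error):
        return None


def peel_base64_layers(data: bytes, max_layers: int = 5):
    """Strip nested base64 layers until the content no longer decodes.

    Returns (payload, layer_count). max_layers bounds the loop so a paste that
    happens to stay base64-shaped cannot keep the triage spinning.
    """
    current, layers = data, 0
    while layers < max_layers:
        decoded = try_base64(current)
        if decoded is None:
            break
        current, layers = decoded, layers + 1
    return current, layers


def classify_paste(body: bytes) -> dict:
    """Triage one paste body: peel encoding, then label what is left."""
    payload, layers = peel_base64_layers(body)
    if payload.startswith(MZ_MAGIC):
        # A PE image; flag it as .NET if CLR strings are present in the bytes.
        kind = "dotnet_pe" if any(h in payload for h in DOTNET_HINTS) else "pe"
    else:
        try:
            json.loads(payload.decode("utf-8"))
            kind = "json_config"                            # candidate malware configuration
        except (ValueError, UnicodeDecodeError):
            kind = "unknown"
    return {"kind": kind, "base64_layers": layers, "decoded_size": len(payload)}


def wrap_base64(data: bytes, layers: int) -> bytes:
    """Helper for building constructed samples: apply `layers` rounds of base64."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


# Constructed sample pastes (not real malware): a fake .NET PE stub wrapped twice,
# a fake JSON configuration wrapped once, and an ordinary plain-text paste.
SAMPLE_DOTNET_PASTE = wrap_base64(b"MZ" + b"\x90" * 64 + b"mscoree.dll" + b"\x00" * 10, 2)
SAMPLE_CONFIG_PASTE = wrap_base64(b'{"host": "c2.example.invalid", "port": 1234}', 1)
SAMPLE_PLAIN_PASTE = b"Hello, this is an ordinary paste.\n"

if __name__ == "__main__":
    for name, paste in [("dotnet", SAMPLE_DOTNET_PASTE),
                        ("config", SAMPLE_CONFIG_PASTE),
                        ("plain", SAMPLE_PLAIN_PASTE)]:
        print(name, classify_paste(paste))
```

Because plain text made only of letters and digits is also syntactically valid base64, `peel_base64_layers` can count a spurious layer on short alphanumeric pastes; the result is still labelled `unknown`, so treat the layer count as a hint for the analyst rather than a verdict.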