# New pastebin-like service used in multiple malware campaigns **[blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns](https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns)** October 5, 2020 Juniper Threat Labs identified several malware campaigns that rely on a pastebin-like service for its infection chain. The domain in question is paste.nrecom.net. The attacks usually start as a phishing email and, when a user is tricked into executing the malware, it downloads the succeeding stage of the malware from paste.nrecom.net and loads it into the memory without writing to disk. Using a legitimate web-service for the malware infrastructure is not new, as we have seen APT group [FIN6 using pastebin to host parts of the](https://attack.mitre.org/techniques/T1102/) infection chain and [Rocke using it for command and control. Although using legitimate web services is not](https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang) novel, this is the first time that we have seen threat actors use paste.nrecom.net. Among the malware we have identified are AgentTesla, LimeRAT, Ransomware and Redline Stealer. ## What is paste.nrecom.net? ----- Paste.nrecom has been in service since May 2014. If you are not familiar with pastebin, it is a service where you can post your code or text data with the intent of sharing it with others. Paste.nrecom does the same thing and it also offers an API that allows scripting. This is advantageous to threat actors as they can easily insert and update data programmatically. This service is powered by [Stikked, which is an open-source PHP based](https://github.com/claudehohl/Stikked) pastebin. ## How do threat actors use it for malicious purposes? Because it is a text-only service, one would think that it cannot host an executable file (binary data) into it. However, binary data can be represented as a text file by simply encoding it. The common encoding method is using [base64. That is exactly what the threat actors did in this case.](https://en.wikipedia.org/wiki/Base64) malicious paste encoded in base64 To add another layer of obfuscation, they encrypt the binary data with a XOR key. The following file, for example, is encrypted with XOR key, 0x02. ----- the file is still encrypted with XOR algorithm. After base64 decoding, After all the necessary decoding and decryption, you will then see the executable file, as shown above. From September 21, 2020, we have seen several malware families taking advantage of this service and quickly ramped up. ## Malware Campaigns The attack usually starts with a phishing email that includes an attachment, such as a document, archive or an executable. When a user is tricked into installing the malicious attachment (first stage), it downloads the next stages from paste.nrecom.net. We have also seen malware hosting their configuration data in the same service. ## Agent Tesla ----- Agent Tesla is a spyware that is capable of stealing personal data from web browsers, mail clients and FTP servers. It can also collect screenshots, videos and capture clipboard data. Recent versions of this malware are also capable of stealing personal data from VPN clients. It is being sold on the underground markets for as low as $15 and could go up to $70 depending on the additional features. [Agent Tesla is among the most active malware using this pastebin-like service. Campaigns usually start with a](https://attack.mitre.org/software/S0331/) phishing email with a malicious attachment. Based on the samples we found, these campaigns target multiple industries related to shipping, supply chain and banks. In some cases, the attachments are archives, such as .iso, .rar or .uue like below: Attachment Sha256: 9c38ab9d806417e89e3c035740421977f92a15c12f9fa776ac9665a1879e5f67 Infection Chain for 9c38ab9d806417e89e3c035740421977f92a15c12f9fa776ac9665a1879e5f67 As you can see from the chain, there are two requests to paste.nrecom because it divides the Agent Tesla payload into two. The first request is the first half of the file and the second request makes the second half. This technique makes it harder for security solutions to analyze the payload. ----- Another sample phishing email has the attachment with Sha256: 199a98adf78de6725b49ec1202ce5713eb97b00ae66669a6d42f8e4805a0fab9 Below are email attachments and files inside some email attachments that we have found to install Agent Tesla using paste.nrecom. File Name Sha256 Emirate bank TT copy 202009-20 at 07.30.55.uue f8c02c3f6d22978b3c478d0fb7ad4845609b8ad4a38e0ed2a75721156a6a8e44 Inv C-22464 PO 3871.exe 27f8e739b62c685c4115f49ae146bb75271d0b8fad021436939735bf7492186b PO#150367285 SECONDO VERGANI SPA Ref#BK043383.exe 3101003430beae11fe082a07878ac2f643a64e3abd82b7b2a787a0e1fde27307 Payment Notification.uue b7cf6fb7557f435bab1b815a38b1771aea9d118192f6d184111754615e8881af bank payment copy.exe 136991b95c503e13d7ed77305a305f6f568c9d93273584d19a33014202a6ebbb Payment docs63878288882788.docx.rar Attachment JOIN LEADERS PO332,pdf.exe APROBACION DE TRANSFERENCIA INUSUAL REALIZADA EXITOSAMENTE.tar 44221603cb9e19a630e35bd12a9c8bd97a9d2743a6fc5528e81db0718fc3e1b3 167139073c586fd0d7de374611f899e170fd0316463be6c65170496636b3e42d 0e044c8570122a280c963cac80e0140da78ee0d378cd17cab4ea6f146ce35d15 In some cases, the attached files are Office Documents that download the Agent Tesla loader. ----- Infection chain for c66e6c6018d3e51e8b39146c6021fb51f59750b93778a063f7d591f24068c880 ## W3Cryptolocker Ransomware W3Cryptolocker is a relatively new ransomware. Based on our telemetry, this ransomware surfaced in July 2020. We will call this malware W3Cryptolocker, based on a string found in its code. Strings found in the binary code of this ransomware. The loader was hosted on a potentially hacked site, italake.com. ----- Infection Chain of Ede98ae4e8afea093eae316388825527658807489e5559bff6dbf5bc5b554a2c It will encrypt all files in all drives except for files having “.xls” extension and folders having the following strings: Windows ProgramData $Recycle.bin System Volume Information It adds an extension .xls for encrypted files. After it is done encrypting each folder, it creates a “Read_Me.txt” file on each folder with the following message. Visiting thehttps://yip[.]su/2QstD5 leads you to a freshdesk support site, bit7.freshdesk.com. ----- Other W3Cryptolocker Samples c97852b425e41d384227124d93baf6c2d3e30b52295a828b1eac41dc0df94d29 9a0af98d0b8f7eacc3fdd582bbc0d4199825e01eeb20c2a6f98023c33ece74f6 01eea2a4628c6b27a5249a08152655246871acafa657e391b73444c05097976e 9a08e87e8063b13546e464f73e87b2ca5bde9410fec4e614313e2b8a497592fa 8dfe87850bd17b4eb0169b85b75b5f104ae6b84deeb2c81fe6ae5e19685f6c66 53124033d521158771eac79ad6f489c6fdd5b25ab96712035c2ca65b3a3c5eed aac2024789ffd2bfce97d6a509136ecf7c43b18c2a83280b596e62d988cedb10 fafabdffa67883587ba1a3c29f6345a378254f720efe8c2f318a4d5acdbce373 ## Redline Stealer Redline Stealer is a malware that surfaced around March 2020 and it was reported to have targeted healthcare and manufacturing industries in the United States. This malware is found being advertised on forums with several pricing options starting from $100/month subscription. It has the following functionality: Browser Data Stealer Login and Passwords Cookies Autocomplete Fields Credit Cards Remote Task Functions Execute Commands Download Files Download Files and Execute RunPE (Process Injection for fileless infection) OpenLink FTP and IM client stealer File-grabber Collects information about the victim’s system ----- The sample we found poses as a Bitcoin Miner archived into a RAR file. The archive contains an executable, MinerBitcoin.exe, that downloads the Redline Stealer payload from paste.nrecom.net. Infection Chain of Redline Stealer: Sha256: a719affc96b41b63f78d03dc3bc6b7340287d25d876e58fd1ab307169a1751dc Redline Stealer malicious functions ## LimeRAT [LimeRAT is a remote administration trojan coded in .NET and is open source. It was a malware used to target](https://github.com/NYAN-x-CAT/Lime-RAT) Colombian government institutions by the APT-C-36 group. Among its many capabilities, it can be used as: ----- Ransomware Remote Desktop Crypto Mining CryptoStealer DDOS Keylogger Password Stealer Infection Chain of 20ad344d20337f8a782135e59bc1f6e1a7999bcddc50fc1dc3b8b6645abcb91e Another sample we found is aae2e0d0792e22164b3c81d0051c5f94a293bae69e7aac5cc4ad035860dbf802. At the time of this analysis, this sample still has zero VT detections. It downloads the LimeRAT from https://paste[.]nrecom[.]net/view/raw/93a7cd20. aae2e0d0792e22164b3c81d0051c5f94a293bae69e7aac5cc4ad035860dbf802 with no VT hits ## Conclusion Using legitimate web-services like pastebin or paste.nrecom for malware infrastructure gives cybercriminals an advantage, as these services cannot be easily taken down due to their legitimate use. We recommend Security Operations to add paste.nrecom to potentially web services being abused for malicious purposes. It is recommended to monitor web-services like this one for suspicious content particularly binary data encoded in base64. Juniper’s Encrypted Traffic Insights capability on the SRX NGFW does detect the malicious TLS connections to paste.nrecom.net as malicious using machine learning as seen in the screenshot below for W3Cryptolocker loader. **Juniper Advanced Threat Protection (ATP) detects these threats.** ----- Detection of AgentTesla Loader (Project 68234.iso) Detection of AgentTesla Loader (VESSL’ITENERARY.xlsm) Detection of W3Cryptolocker Loader (0022.exe) Detection of malicious connection to paste.nrecom using Juniper Encrypted Traffic Insights ## Indicators of Compromise (IOC) ----- **Domain** Paste.nrecom.net 192.12.66.108 lol.thezone.vip **URL** http://198[.]12[.]66[.]108/v[.]exe http://lol[.]thezone[.]vip/v[.]exe http://italake[.]com/assets/css/0022[.]exe https://paste[.]nrecom[.]net/view/raw/3c3ececf https://paste[.]nrecom[.]net/view/raw/6306a51c https://paste[.]nrecom[.]net/view/raw/bfefa179 https://paste[.]nrecom[.]net/view/raw/39468747 https://paste[.]nrecom[.]net/view/raw/c230a816 https://paste[.]nrecom[.]net/view/raw/3529ec57 https://paste[.]nrecom[.]net/view/raw/7900ed08 https://paste[.]nrecom[.]net/view/raw/bd63e76f https://paste[.]nrecom[.]net/view/raw/658b9281 https://paste[.]nrecom[.]net/view/raw/b44fe71a https://paste[.]nrecom[.]net/view/raw/93a7cd20 https://paste[.]nrecom[.]net/view/raw/d8aedaf6 https://paste[.]nrecom[.]net/view/raw/91aec4e7 https://paste[.]nrecom[.]net/view/raw/4736837b https://paste[.]nrecom[.]net/view/raw/aec14685 https://paste[.]nrecom[.]net/view/raw/c7dfc858 https://paste[.]nrecom[.]net/view/raw/bebcab0a https://paste[.]nrecom[.]net/view/raw/bfbb1544 https://paste[.]nrecom[.]net/view/raw/7f41da66 https://paste[.]nrecom[.]net/view/raw/0d9233c8 https://paste[.]nrecom[.]net/view/raw/4f789f73 ----- https://paste[.]nrecom[.]net/view/raw/6550c073 https://paste[.]nrecom[.]net/view/raw/3066146f https://paste[.]nrecom[.]net/view/raw/019f27dd https://paste[.]nrecom[.]net/view/raw/04fba6cb **Sha256** 9c38ab9d806417e89e3c035740421977f92a15c12f9fa776ac9665a1879e5f67 Ede98ae4e8afea093eae316388825527658807489e5559bff6dbf5bc5b554a2c cb1da05bac46d1aeb0eeec67b2249aa8f539784c4a9ff9245b4ed4a8937ccd0f 337f28a9250592d0ebc58f5a913114df82e69ef4c44243191204adfa61f9819b 8d804533708c03ed4236be70e113a419ce1c8d8a5c36baa755cb7b787f29f54f 20ad344d20337f8a782135e59bc1f6e1a7999bcddc50fc1dc3b8b6645abcb91e bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886 4f31265917db7d9abbdf4b6378da0822158cc9b4bff1904adad63a87cfa82f2e 3d3ab28f09d5736fcd2215fb6395e7b15e6e9f1f86931b1d3d956c70879e9d33 13b630c5c157585f6abcb2fc8e3388c23a09f881c20cdeaffda291fb36a37539 a78cce9dc644987d3404335cefeca9833ea5f69a36b2da05e5a86505c862d867 29f7eb242d7ddcaacfaac36f036081abc28ba48faaaf9fca601725a6ed160637 62fa4dea77f33cfe294110457af90d2ccd0fc32f3d37c9ddf7a0457ed8f315ee 9c0b50ba7ea383bf16b25ea12a830d5c63c5c995ab2f494dc270137ecfd31701 3c940fdf850d0e6211b340564357094fa8ddb81351789bfd43465efa2e52acfd 59bf368c532ca20de17fdaaee2160451ae8c8f7cafd8d3c7adb263dd0978e918 b9e094892d6ed3b3eba5b56416d31b5ea635cf666ddf67ff4eb62475db7371ca 9b876e4ddeaf0d950860db4942d9be1507453ba1065a03672de41dfb287b2511 f8ef2da125ebd0f972969d12f28964a00954bad6e4f804bd1db8c0507e751bc9 f679912dbe6576989cd541b866f5f3a7a2423b1a6f92cc189a12fbffc42b926d 1e4b7d7868d25071db67da87392fd5dafab344a9fa6dc040f7afb0699152fc13 1a8573f9acba3f7d8863043223fb1d6ef4b52ad5bb4cdcb5e178e935b25b40e3 94b9c9154a23db8df436f4cdda225d9bd28dfae325dfe68e034462d70245fb0e a7f337587cdd0e9a1fb013da274293d207815843f778c714e75693cd2c8e5f11 ----- afb7a097cebd29157285861e7bac37648c92243143b560772e652fa87b8aed6b e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029 d38feef0723f730c8bb5704b4b45c8c0c324b1718b42e80b98244a7e49844331 99121c7c11bb444912d02000ce2e8a39b3e885d66889547ec8fb0c88906c22f4 6194207c32a23bac956afb47f857ebcdcb3aa37e818907e98b27acaf4b83d60f 435f9c7e3e74fa789f423e1a3c794fc8347414495a46de36e82de0e10cc0cf38 41502bc411135eb896c8a8aa7aa337ae437977473bd329ac1d0ccfa639ec4e2c 5d4b172afd897db7dddf983697c620cb1dde6341380b849f81f7606ae2073093 cb6c181823fd61558c1e6cefa9f1634d1676984316caa071c24268df493d3629 518096f15c73866783c6e10fbc9b694c41391ee6b0b3b4608ff24c3f457e21fd 904453d980dceca169497cb717731b046bbbb8c6700b90dbe46dc35c15a8fff2 8aaea85bfddaea3ec7217b5f2fa10daf0ca359f5228c3119185e7af281b42e2b 444d5257fc696b234af3311abf6985a41e6e60c66dc92dab0903cbc60156f398 e7edc16f528c9cf0455d84f412520786f31aae8f67f3f551671f576727d1d141 34a5905fd12478a0ac253f5fb1fb8e32543ea070ef3d1f84ed5e448475f385cb 9db25a250975ebce56643b75440c64705b0ecc1207d5a3d92b8f3d6060af3551 a533b2ceae875b9e14a1980d31fcd0243ef88a66371d6bcfbde7e423e0c2b610 1089bd2bc482573fc05dbea6a3c195802accedcd9ad74c6e4125a7a035c021be 398a9031f8f0eeb85169aa06340a39230beac02dc1a2a004280a1528576197ad 115127b50a0f45aabb993f8ffd5b585e063a98a17e1b687036167409cf2b0ac2 f52802d87fdaca4cc9c0ef7a6b1352163e3679272752d8ea3e7a681de99dfd43 b50d4fd8b572c3a13c4997c83e0bbbc3f7a270e75b79ec09512142f5560f61ab 2b2da9baef3c6f18ac4c4340b3107359f1113ee8ea3c097835c24546f1a3f11f f638dcb163a2568b12a9ea757335a0cc432bee92c15c77c5e80a294ad31bd792 5946308eb0248dd65c6ddc199f8bf69576b7e1dc95eb28822a265fecb1e56c86 c8ccf5c24239360035df47fef44703d7775346dbf7b1afcf78af6250b8876521 49add5e8057e45261291d45a67b60d0db5376efe9ba6873af53fc79f27243e43 d58b9d22310bf486e4301ed93191810f07cf06ca42b5252e4ded1537680579b6 3e292943cacc062b57a2b1e88340a2d0641e901470f385168b671c90eaf70e2a ----- 3db65b267a1e41ebb307b706f561866dce2752041f482abe93f73144df9a1d4d cf2dfce39e8f0eb5af3a9d51b5559e2c9be27ea5c1ef899e76281a0ee530307f 878bc771d4c7416170ff358db124e1608f5612b8998199a95c5d60d8f940b26e b7b028faf0caeca7b7f21de532299867e142fb043d31f996c5f5a3535dea4a47 dd16f5efc0cdb995aa3f7822016ae1e2a4708d5b8b5b4a2f6477f5ef5b82e205 682fdd0b1a94ea8f92981fd6b697a5c4ff817ff6e838285655ede39107ca9ade 3a845e095d227f6318cb0dc973c5ecd2a74555435fcd735b71cd30d4a862c39c e5eab76057ff57592284f3ea66db174032c69b1808dee70c081e03771d521545 3d9e5f07897b3089600b123a50a005eab5051640661dc4575c2afc0391c97ad8 4f0bc389fcd575a732907732c223219ab0ad44571ca6f83f99358bb9e7467839 f1b40766fbaeb0248b3e629b1904156e3966d2b862d030a8218236904e8cd32f 52f124a478c562251459cacc60b7afa952a8c02df7342c1a951502307ba7b33f 3cc7000f6f2bf315a4fc3fb0ef9035f8683d4660648e23cb178656eae79b2dc5 63cd03b7e7013b0a7bac695d4fb9b5c5c7e9c556eb6eab0a9ec359049fb2621c 022d911560f38d5165ea4196ac74a141531d3e244cdc9be895e539f7143a7bbb 39ba64584fb99652e9d2c05b4afdf139317f5f2a052611b989257047cc12db74 4784f1dbfcafcef10bdfd6c2021b1e74a826917715fd84a91f610a8b6a3bdc4f 7fe854ce78e7ab7cafcc299b4f2a4ee82cc366d47f9a8961727365e45688bb4c ac97cd95119446e96dd0bc35a4b9dc67f4ef2853e298dc145c7588807022d808 0e044c8570122a280c963cac80e0140da78ee0d378cd17cab4ea6f146ce35d15 6e960e703df3fdea6667d9c5b671e3efc05c692eb6875edc74c5ccc8ade52ac7 c8abcedb3ec20f7ab5d9b98cc32f03b318eba61f344e0537e4d4de673422c6b1 b4e0b3b783072b5266988f11bd5af2235b432619a42466fea81a35cb5edc4eea 23528e75315abed2f7a86fad26036ef1626311c3838153cb8a96bd938f0055ac 0374033592ba3bfa76d5046af2eaf4506166b157aae2c5a396c827b36d4738ca 6462c93c7a2cbad27bd1cd418bed36078860fd7f1399b477991fe3c71c0d7a8c dcbfc3cecf75ec77de3ac314ca911af1d778e5c432df4cda146c02aa9ae84c47 fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04 27f8e739b62c685c4115f49ae146bb75271d0b8fad021436939735bf7492186b ----- 28b5ab14ad007650aa5e45f5090119a758eb45f893e400e53e5ea13ac2e5b38e 115127b50a0f45aabb993f8ffd5b585e063a98a17e1b687036167409cf2b0ac2 f52802d87fdaca4cc9c0ef7a6b1352163e3679272752d8ea3e7a681de99dfd43 b50d4fd8b572c3a13c4997c83e0bbbc3f7a270e75b79ec09512142f5560f61ab 2b2da9baef3c6f18ac4c4340b3107359f1113ee8ea3c097835c24546f1a3f11f f638dcb163a2568b12a9ea757335a0cc432bee92c15c77c5e80a294ad31bd792 5946308eb0248dd65c6ddc199f8bf69576b7e1dc95eb28822a265fecb1e56c86 c8ccf5c24239360035df47fef44703d7775346dbf7b1afcf78af6250b8876521 49add5e8057e45261291d45a67b60d0db5376efe9ba6873af53fc79f27243e43 d58b9d22310bf486e4301ed93191810f07cf06ca42b5252e4ded1537680579b6 3e292943cacc062b57a2b1e88340a2d0641e901470f385168b671c90eaf70e2a 3db65b267a1e41ebb307b706f561866dce2752041f482abe93f73144df9a1d4d cf2dfce39e8f0eb5af3a9d51b5559e2c9be27ea5c1ef899e76281a0ee530307f 878bc771d4c7416170ff358db124e1608f5612b8998199a95c5d60d8f940b26e b7b028faf0caeca7b7f21de532299867e142fb043d31f996c5f5a3535dea4a47 dd16f5efc0cdb995aa3f7822016ae1e2a4708d5b8b5b4a2f6477f5ef5b82e205 682fdd0b1a94ea8f92981fd6b697a5c4ff817ff6e838285655ede39107ca9ade 3a845e095d227f6318cb0dc973c5ecd2a74555435fcd735b71cd30d4a862c39c e5eab76057ff57592284f3ea66db174032c69b1808dee70c081e03771d521545 3d9e5f07897b3089600b123a50a005eab5051640661dc4575c2afc0391c97ad8 4f0bc389fcd575a732907732c223219ab0ad44571ca6f83f99358bb9e7467839 f1b40766fbaeb0248b3e629b1904156e3966d2b862d030a8218236904e8cd32f 52f124a478c562251459cacc60b7afa952a8c02df7342c1a951502307ba7b33f 3cc7000f6f2bf315a4fc3fb0ef9035f8683d4660648e23cb178656eae79b2dc5 63cd03b7e7013b0a7bac695d4fb9b5c5c7e9c556eb6eab0a9ec359049fb2621c 022d911560f38d5165ea4196ac74a141531d3e244cdc9be895e539f7143a7bbb 39ba64584fb99652e9d2c05b4afdf139317f5f2a052611b989257047cc12db74 4784f1dbfcafcef10bdfd6c2021b1e74a826917715fd84a91f610a8b6a3bdc4f 7fe854ce78e7ab7cafcc299b4f2a4ee82cc366d47f9a8961727365e45688bb4c ----- ac97cd95119446e96dd0bc35a4b9dc67f4ef2853e298dc145c7588807022d808 0e044c8570122a280c963cac80e0140da78ee0d378cd17cab4ea6f146ce35d15 6e960e703df3fdea6667d9c5b671e3efc05c692eb6875edc74c5ccc8ade52ac7 c8abcedb3ec20f7ab5d9b98cc32f03b318eba61f344e0537e4d4de673422c6b1 b4e0b3b783072b5266988f11bd5af2235b432619a42466fea81a35cb5edc4eea 23528e75315abed2f7a86fad26036ef1626311c3838153cb8a96bd938f0055ac 0374033592ba3bfa76d5046af2eaf4506166b157aae2c5a396c827b36d4738ca 6462c93c7a2cbad27bd1cd418bed36078860fd7f1399b477991fe3c71c0d7a8c dcbfc3cecf75ec77de3ac314ca911af1d778e5c432df4cda146c02aa9ae84c47 fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04 27f8e739b62c685c4115f49ae146bb75271d0b8fad021436939735bf7492186b 28b5ab14ad007650aa5e45f5090119a758eb45f893e400e53e5ea13ac2e5b38e -----