Οι συγγραφείς malware χρησιμοποιούν το Pastebin to host backdoor code, reports researcher Denis Sinegubko.
Code-sharing by clicking here was used to host the malicious code that was later used in attacks against WordPress websites running the popular RevSlider plugin.
Ο Sinegubko, is an employee of Sucuri and is known as a whitehat malware analyst blog Unmaskparasites. The researcher said the use of Pastebin as a remote malcode server in many live attacks has been found to be very common.
"Technically, criminals use Rastebin for the reason it was created - to share the creation of a code. Only the code is malicious, and is used in illegal activities directly from the Pastebin website.
"This time we see a relatively massive use of Rastebin in live attacks, which is quite new to us."
The code injects the contents of a Base64 encoded variable into the $ temp of WordPress core wp-links-opml.php and the file runs immediately. Using the wp_nonce_once parameter has hidden the malicious paste address in an attempt to prevent Pastebin from blocking or deleting the malicious code. This gave him more flexibility to execute any code snippet.
It was a warning for the malware-busting community not to share malcode in Rastebin as this could serve as a convenient server for attackers.
Pastebin works just fine as it allows malicious users to download code in RAW format. It was so effective that an Indonesian hacker "FathurFreaks" of Yogyakarta BlackHat wrote PHP Encryptor.
Most Companies have no legitimate reason to allow access to Pastebin, according to Kevin Fielder of RSA. In April 2013, it reported on malware using Pastebin to launch executable Base64 as text on the Web site, which was later used as password-stealing malware. Fielder detected that the malware was decoding the text in its sandbox.
“Ultimately block Pastebin, as there is no valid use of the site by one company which will not pose any significant risk," he said at that time.
"If you can not rule it out, you have to watch out for it coming down and what was asked."
