NjRAT Remote Access Trojan (RAT) operators use Pastebin C2 tunnels to avoid scrutiny by cybersecurity researchers.
On Wednesday, Palo Alto Networks' Unit 42 cybersecurity team said njRAT, also known as Bladabindi, was being used to retrieve and execute second-stage payloads from Pastebin, completely eliminating the need to set up a traditional command-and-control (C2) server.
Since at least October, attackers have used the Pastebin platform to host payloads of varying form and shape.
NjRAT is a widely used Trojan capable of remotely tampering with the functions of a compromised machine, including taking screenshots, exfiltrating data and many other operations. In addition, the RAT is able to execute secondary payloads and connect infected computers to botnets.
The "Pastebin C2 tunnel" now in use, as described by the researchers, creates a pathway between njRAT infections and new payloads. The Trojan, acting as a downloader, will "steal" encoded data that has been "thrown" onto Pastebin.
In some samples seen by the team, a payload decoded to a .NET executable that abuses Windows API functions for keylogging and data theft. Other samples, similar in operation, required multiple levels of decoding to reveal the final payload.
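The two detection opportunities the article describes, the paste fetch itself and the layered decoding of the fetched blob, can be checked with a small triage script. The following is an added example written for this page; it is not code from Unit 42 or from the article. The proxy log format (client, process, method, URL, user-agent), the browser process list and the log lines themselves are constructed assumptions, and the "payload" is a constructed stub that only carries a PE "MZ" header and the CLR import strings a .NET executable would contain, not real malware.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed sample proxy log (hypothetical format: client process method url user-agent).
SAMPLE_PROXY_LOG = """\
10.0.0.12 chrome.exe GET https://www.example.com/index.html Mozilla/5.0 (Windows NT 10.0) Chrome/87.0
10.0.0.15 svchost.exe GET https://pastebin.com/raw/AbCdEf12 Mozilla/4.0 (compatible; MSIE 7.0)
10.0.0.12 chrome.exe GET https://pastebin.com/raw/XyZ98765 Mozilla/5.0 (Windows NT 10.0) Chrome/87.0
10.0.0.20 winlogon.exe GET http://pastebin.com/raw/Qq11Ww22 -
"""

# Raw-paste URLs are what a downloader fetches; a browser would normally load the HTML view.
PASTE_RAW = re.compile(r"https?://(?:www\.)?pastebin\.com/raw/", re.IGNORECASE)
# Assumed allow-list of processes for which a paste fetch is expected.
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")


def suspicious_paste_fetches(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, process, url) for raw-paste fetches made by non-browser processes."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 4)  # keep the user-agent (may contain spaces) in parts[4]
        if len(parts) < 4:
            continue
        client, process, _method, url = parts[:4]
        if PASTE_RAW.search(url) and process.lower() not in BROWSERS:
            hits.append((client, process, url))
    return hits


MZ = b"MZ"  # DOS header magic at the start of every PE file


def peel_base64_layers(blob: bytes, max_layers: int = 8) -> Tuple[int, bytes]:
    """Strip nested base64 layers until a PE header appears or the data stops being base64.

    Returns (layers_removed, innermost_bytes). Whitespace is removed before each decode
    because pasted blobs are usually line-wrapped.
    """
    current = blob
    for layer in range(max_layers):
        if current.startswith(MZ):
            return layer, current
        stripped = b"".join(current.split())
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            return layer, current
        if not decoded:
            return layer, current
        current = decoded
    return max_layers, current


def classify_payload(data: bytes) -> str:
    """Coarse classification: not a PE, a native PE, or a PE that imports the CLR (.NET)."""
    if not data.startswith(MZ):
        return "not-pe"
    if b"mscoree.dll" in data or b"_CorExeMain" in data:
        return "pe-dotnet"
    return "pe-native"


# Constructed stand-in for a .NET executable: MZ header, PE signature, CLR import strings.
FAKE_DOTNET_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"mscoree.dll\x00_CorExeMain\x00"


def build_constructed_paste(payload: bytes, layers: int = 2) -> bytes:
    """Wrap a payload in several line-wrapped base64 layers, imitating a dumped paste."""
    data = payload
    for _ in range(layers):
        data = base64.encodebytes(data)  # encodebytes inserts newlines every 76 characters
    return data


def triage_paste_body(body: bytes) -> Tuple[int, str]:
    """Return (layers removed, payload class) for a fetched paste body."""
    layers, inner = peel_base64_layers(body)
    return layers, classify_payload(inner)


if __name__ == "__main__":
    for client, process, url in suspicious_paste_fetches(SAMPLE_PROXY_LOG):
        print(f"suspicious fetch: {client} {process} -> {url}")
    print("triage:", triage_paste_body(build_constructed_paste(FAKE_DOTNET_STUB, 2)))
```

The log check deliberately keys on the `/raw/` path and on the requesting process rather than on the paste ID, since the IDs rotate; the decoder stops at a fixed depth so a hostile blob cannot keep it looping, and it reports how many layers it removed, which is the "multiple levels of decoding" signal the article mentions.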
Palo Alto says the Pastebin-based command architecture is still active and used by the RAT to deliver secondary payloads.