
Why do Trojan njRAT operators use Pastebin?

NjRAT Remote Access Trojan (RAT) operators use Pastebin C2 tunnels to avoid scrutiny by cyber security researchers.


On Wednesday, Palo Alto Networks' Unit 42 cybersecurity team said njRAT, also known as Bladabindi, was being used to retrieve and execute second-stage payloads from Pastebin, removing the need to set up a traditional command-and-control (C2) server.

Since at least October, attackers have used the Pastebin platform as a host for payloads differing in form and shape.

The team states that njRAT variants use shortened URLs pointing to Pastebin in an effort to "avoid crawling by security products and increase the probability of going unnoticed".

NjRAT is a widely used Trojan capable of remotely tampering with the functions of a compromised machine, including taking screenshots, exfiltrating data and many other operations. In addition, the RAT is able to execute secondary payloads and enrol infected computers in botnets.

The "Pastebin C2 tunnel" now in use, as described by the researchers, creates a pathway between njRAT infections and new payloads. The Trojan, acting as a downloader, fetches encoded data that has been dumped on Pastebin.

In some samples seen by the team, a payload decoded to a .NET executable that abuses Windows API functions for keylogging and data theft. Other samples, similar in operation, required multiple levels of decoding to reveal the final payload.
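The two behaviours described above, a downloader pulling shortened-URL and Pastebin links, and a paste body that needs several rounds of decoding before an executable appears, are exactly what a defender can look for. The following is an added example written for this article, not code from Unit 42 or from the njRAT samples: it flags requests to paste and URL-shortener hosts in a few constructed proxy log lines, and peels nested base64 layers off a constructed paste body to see whether a Windows PE header (`MZ`) is hiding underneath. The host watchlists, the log format and the fake payload are all assumptions for the demo.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Example watchlists (assumptions for this demo, not from the article): tune to your environment.
PASTE_HOSTS = {"pastebin.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2020-12-09T10:00:01Z 10.0.0.15 GET https://www.example.com/index.html 200
2020-12-09T10:00:07Z 10.0.0.22 GET https://bit.ly/EXAMPLE123 301
2020-12-09T10:00:08Z 10.0.0.22 GET https://pastebin.com/raw/EXAMPLEID 200
2020-12-09T10:01:30Z 10.0.0.15 GET https://pastebin.com/EXAMPLEID2 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_proxy_line(line):
    """Parse one constructed proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def flag_paste_fetches(log_text):
    """Return (client, url, reason) tuples for requests to paste or URL-shortener hosts.

    A raw paste download (/raw/ path) is called out separately because that is the
    form a downloader would use to fetch an encoded blob rather than a web page.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if rec["host"] in PASTE_HOSTS:
            reason = "raw paste download" if "/raw/" in rec["url"] else "paste host access"
            findings.append((rec["client"], rec["url"], reason))
        elif rec["host"] in SHORTENER_HOSTS:
            findings.append((rec["client"], rec["url"], "url shortener"))
    return findings


def looks_like_pe(data: bytes) -> bool:
    """A Windows PE file begins with the DOS header magic 'MZ'."""
    return data[:2] == b"MZ"


def peel_base64_layers(blob: bytes, max_layers: int = 5):
    """Repeatedly base64-decode until a PE header appears, the data stops being valid
    base64, or max_layers is reached. Returns (final_bytes, layers_removed)."""
    cur = blob
    layers = 0
    while layers < max_layers and not looks_like_pe(cur):
        compact = b"".join(cur.split())  # pastes are often line-wrapped
        try:
            nxt = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        if not nxt:
            break
        cur = nxt
        layers += 1
    return cur, layers


def analyze_paste(body: str, max_layers: int = 5) -> dict:
    """Summarise what is under the encoding layers of a paste body."""
    final, layers = peel_base64_layers(body.encode(), max_layers)
    return {"layers": layers, "is_pe": looks_like_pe(final), "size": len(final)}


# Constructed stand-in for a paste: a fake PE-like blob wrapped in two base64 layers.
FAKE_PE = b"MZ\x90\x00" + b"demo-bytes-not-a-real-program"
SAMPLE_PASTE = base64.b64encode(base64.b64encode(FAKE_PE)).decode()

if __name__ == "__main__":
    for finding in flag_paste_fetches(SAMPLE_PROXY_LOG):
        print(finding)
    print(analyze_paste(SAMPLE_PASTE))
```

In practice the host watchlist would be fed from threat intelligence and the decoder would also try the other encodings seen in the wild, but the shape stays the same: correlate a shortener hit followed by a raw paste fetch from the same client, and treat any paste that decodes down to an `MZ` header as something that should never be reaching an endpoint.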

Palo Alto says the Pastebin-based command architecture is still active and is being used by the RAT to deliver secondary payloads.


Teo Ehc