FortiGuard Labs Threat Research Report
The FortiGuard Labs threat research team has been noticing for some time that Pastebin and similar services are being used by malware authors, sometimes to evade detection or to obscure their purposes. However, we had no idea how common this practice is or what sorts of malicious content might be stored there. To get to the bottom of this, I decided to scrape Pastebin myself to see what is going on.
Tools like Pastebin can be used to share plain-text data over the internet with just a link. But not everyone uses this service in the same way or for innocent purposes. Malware authors, for example, often use Pastebin, or services like it, to store part of the malicious content from their malware, and then fetch it later from inside the malicious executable using the share link. A recent FortiGuard Labs blog on the Rocke coin mining malware shows one practical use case for this practice.
To take a closer look at this practice, and see how prevalent the misuse of this service is by cyber criminals, I decided to scrape all the pastes in Pastebin and process them for malicious content. At first, my goal was to look up malicious files, since Pastebin can be used as an evasion technique. However, what I discovered was a wide variety of malicious scripts, stolen credentials, encoded content, and malware. The result of this research, based on examining thousands of pastes, is as follows.
Base64 Encoded Content: Over 8,000 of these files fell into this category. Among them were obfuscated scripts, some hashes, and countless binary data. Surprisingly, I also found some ELF/PE executable files. Listed below is the MD5 hash of a few of these files and their status on VirusTotal.
Bash Script Files: Another approximately 1,000 files were bash script files. Most of the files were cryptocurrency miners and scripts used to install services. Otherwise, I couldn’t detect anything special about them using my filtering scripts.
Credentials and Sensitive Information: Over 6,000 of these files claimed to include stolen and hacked usernames and passwords for a variety of services, such as Spotify and Netflix, as well as some credit card information.
I only checked the Pastebin service for malicious files, but there are a number of similar services that cyber criminals may use in this way. However, some of them don’t index posted entries so they are not easy to scrape. Because of this, they may be even more interesting to cyber criminals – which also means the content on these other services may be even more interesting to cybersecurity professionals as well.