Threat Research

The Malicious Use of Pastebin

By Amir Zali | August 02, 2019

A FortiGuard Labs Threat Analysis Report

The FortiGuard Labs threat research team has been noticing for some time that Pastebin and similar services are being used by malware authors, sometimes to evade detection or to obscure their purposes. However, we had no idea how common this practice is or what sorts of malicious content might be stored there. To get to the bottom of this, I decided to scrape Pastebin myself to see what is going on.

Introduction

One way to share plain-text data over the internet is to post it on Pastebin and then share it anywhere you want with just a link. But not everyone uses this service in the same way or for innocent purposes. Malware authors, for example, often store part of the malicious content in their malware on it, and then fetch it later from inside the malicious executable using the share link. A recent FortiGuard Labs blog on the Rocke coin mining malware shows one practical use case for this practice.

To take a closer look at this practice, and see how prevalent the misuse of this service is by cybercriminals, I decided to scrape all the pastes in Pastebin and process them for malicious content. At first, my goal was to look up malicious files, since Pastebin can be used as an evasion techniques. However, what I discovered was a wide variety of malicious scripts, stolen credentials, encoded content, and malware. The result of this research, based on examining thousands of pastes, is as follows.

Base64 Encoded Content: Over 8,000 of these files fell into this category. Among them there were obfuscated scripts, some hashes, and countless binary data. Surprisingly, I also found some ELF/PE executable files. Listed below is the MD5 hash of a few of these files and their status on VirusTotal. 

Bash Script Files: Another approximately 1,000 files were bash script files. Most of the files were cryptocurrency miners and scripts used to install services. Otherwise, I couldn’t detect anything special about them using my filtering scripts.

Credentials and Sensitive Information: Over 6,000 of these files claimed to include stolen and hacked usernames and passwords for a variety of services, such as Spotify and Netflix, as well as some credit card information.

Encoded Content: Over 4,000 pastes were either encoded/random text strings, contained encryption keys, public and private cryptocurrency keys and wallets, a number of PHP or JavaScript obfuscated scripts, authentication tokens hardcoded in script files, onion service links (addresses in the Tor network), and last but not least, a lot of links for cracked software and/or movies (copyright protected content).   

Source Files: 3,000 of these pastes included source files in PowerShell scripts, Python, JavaScript, etc. Among those, I was able to detect PoC files related to public vulnerabilities.

Pastebin is Just the Tip of the Iceberg

I only checked the Pastebin service for malicious files, but there are a number of similar services. However, some of them don’t index posted entries so they are not easy to scrape. Because of this, they may be even more interesting to cybercriminals – which also means the content on these other services may be even more interesting to cybersecurity professionals as well.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.