njRAT was developed in .NET. It is a common Trojan used for remotely hijacking the key functions of a compromised device.
According to the latest findings from Palo Alto Networks’ Unit 42, the njRAT Remote Access Trojan operators are utilizing Pastebin C2 tunnels to host payloads and evade detection from security products and researchers.
Pastebin is a widely used website that allows users to store data anonymously.
In a blog post published on Wednesday, researchers explained that since October 2020, malware authors are “leveraging” njRAT through Pastebin to post malicious data, which is accessible by malware using a shortened URL.
Unit 42 researchers identified that njRAT (or Bladabindi) is used for downloading and execution of secondary-stage payloads via Pastebin. Through this technique, the attackers don’t need to establish a command and control (C&C) server at all. It improves their capability of operating without getting noticed.
The Pastebin C2 tunnel creates a pathway between njRAT infections as well as new payloads while the trojan acts as a downloader that grabs, decodes, and deploys encoded data dumped on Pastebin.
The payloads vary in shape and form because in some cases the dumps are encoded in base64 and some had JSON and hexadecimal data to hide the true nature of the dump. Moreover, some of the payloads are compressed blobs, while others are plaintext instructions with malicious URLs embedded.
njRAT was developed in .NET. It is a common Trojan used for remotely hijacking the key functions of a compromised device, such as:
Eliminating specific processes like antivirus programs.
These functions are in addition to the RAT’s ability to execute secondary payloads and link infected computers to botnets.
Some of the samples viewed by the team had one of the payloads was decoded as a .NET executable, which abuses Windows API functions for data theft and keylogging.
Other samples exhibited a similar functionality but required several layers of decoding to execute the final payload. JSON-formatted data acts as the malware’s configuration files. Moreover, the Pastebin dumps are also used to redirect to software downloads, including links to ProxyScraper.
Researchers believe that the operators intend to use Pastebin-like services for a long time.
“Based on our research, malware authors are interested in hosting their second-stage payloads in Pastebin and encrypting or obfuscating such data as a measure to evade security solutions. There is a possibility that malware authors will use services like Pastebin for the long term,” researchers explained in their blog post.