Pastebin was used to store backdoor code that was later tapped in attacks against websites running a vulnerable instance of the popular RevSlider plugin.
According to researcher Denis Sinegubko, Pastebin was used as a remote server for malcode. According to The Register, Sinegubko said: “Technically, the criminals used Pastebin for what it was built for – to share code snippets. The only catch is that the code is malicious, and it is used in illegal activity directly off of the Pastebin website. This time we see relatively massive use of Pastebin in live attacks, which is quite new to us.”
The code injected the content of a Base64-encoded $temp variable into a WordPress core wp-links-opml.php file and immediately executed. The use of a wp_nonce_once parameter hid the address of malicious pastes in a bid to foil blocking efforts or deletion of pastes and also added flexibility to execute any Pastebin snippet.
In an email to IT Security Guru, Bromium co-founder Ian Pratt agreed that this sort of action shows hackers who are not adept at covering their tracks. “Hackers attempting to be stealthy wouldn’t use Pastebin as such accesses are likely to raise red flags to vigilant security pros.
“However, many servers and networks are not closely monitored, so the attackers can get away with being lazy. Further, using Pastebin to host malcode leaves less of a forensic trail than going to the effort of setting up your own server in the cloud or compromising some other web site to be duped into doing the hosting.”
In 2012, Pastebin founder Jeroen Vader said that he planned to hire more peopl
e to deal with the posting of password lists, source code and personal information, then receiving an average of 1,200 abuse reports a day via Pastebin’s on-site notification system and by email. Vader noted that personal information about himself had been posted to Pastebin, which he “quickly” removed.
Asked if he felt that Pastebin could be doing a better job to vet uploads, bearing in mind there are likely to be thousands every hour, Pratt said that it is mathematically impossible for Pastebin to vet code to determine whether it is malicious.
Jared DeMott, security researcher at Bromium Labs, said: “Once malware is running, finding how it connects out, and receives new code and commands is a cat and mouse game. If you block Pastebin, they’ll use Github.
“Enterprises cannot just block access to Github, like they could Pastebin, since it’s often a business critical need. The best way to stop malware is to stop it at the point of attack, rather than waiting and trying to deal with it once it has a foothold in your life.”
