Cyber attackers taking advantage of legitimate online services is not a new thing, and “online clipboard” Pastebin.com is often used to anonymously leak stolen information.
The latest malicious use of the service, however, is tied not to leaked data but to the hosting of malicious files.
Sucuri Security senior malware researcher Denis Sinegubko shared their discovery of live attacks in which the hackers use Pastebin to host backdoor code.
The attackers are targeting WordPress sites equipped with older versions of the RevSlider plugin, which sports a known vulnerability that, when exploited, allows them to compromise the site and put in a backdoor.
“It’s more or less a typical backdoor. It downloads malicious code from a remote server and saves it in a file on a compromised site, making it available for execution,” he shared. In this case, the remote server is Pastebin.com, which allows users to download submitted code in “raw” format (and execute it).
“Technically, the criminals used Pastebin for what it was built for – to share code snippets. The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website,” he explained.
In fact, the service is so helpful to attackers that Indonesian hackers have developed an encoder that works specifically with Pastebin.com and obfuscates the malicious code.
Pastebin is trying to track down and remove illegal material (such as stolen info) from its site, but it’s impossible to go through all the code posted on the site in search of malicious snippets.
Sinegubko therefore urges security researchers not to share malicious code they find on Pastebin, as hackers can easily reuse it directly from the service.
“It would be a good idea, before sharing, to make some obvious modification to the code that would prevent its execution when downloaded in a raw format,” he pointed out.
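One way to follow this advice before sharing a PHP sample, as an added example (not code from Sucuri or the original article): it neutralises every tag at which a PHP interpreter would start executing, so the text served in raw format is inert. The function names, banner text and sample are constructed for illustration, and it assumes the shared sample is PHP, as on the WordPress sites described above.

```python
import re

# Markers at which a PHP interpreter switches from plain text to code.
# Matching is case-insensitive because PHP also accepts "<?PHP".
_OPEN_TAGS = re.compile(
    r"<\?(?:php|=)?"      # <?php, <?= and the short tag <?
    r"|<%=?"              # ASP-style tags (honoured by PHP before 7.0)
    r"|<script\b[^>]*\blanguage\s*=\s*[\"']?php[\"']?[^>]*>",  # PHP before 7.0
    re.IGNORECASE,
)

# Constructed banner so readers see at once that the paste was modified.
BANNER = "[DEFANGED SAMPLE - open tags neutralised, will not execute as PHP]"


def is_inert(source: str) -> bool:
    """True when no PHP opening tag of any style remains in the text."""
    return _OPEN_TAGS.search(source) is None


def defang_php(source: str) -> str:
    """Return a copy that is safe to publish: a '[' is inserted after the
    '<' of every opening tag ("<?php" becomes "<[?php"), so the code stays
    readable for analysts but is emitted as plain text if a server fetches
    the raw paste and tries to run it."""
    body = _OPEN_TAGS.sub(lambda m: m.group(0)[0] + "[" + m.group(0)[1:], source)
    if body.startswith(BANNER):   # already defanged: stay idempotent
        return body
    return BANNER + "\n" + body


# Constructed, harmless sample that uses three different tag styles.
SAMPLE = (
    '<?php echo "constructed sample"; ?>\n'
    "<?= 1 ?>\n"
    '<script language="PHP">echo 2;</script>\n'
)

if __name__ == "__main__":
    shared = defang_php(SAMPLE)
    assert is_inert(shared)   # refuse to publish anything still executable
    print(shared)
```

Running `is_inert` on the output as a final gate catches tag styles the substitution missed before the sample is posted.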