Cybercriminals are now eyeing Pastebin-like services to make their infection chain stealthy. Recently, several malware operators have been observed actively using the Paste[.]nrecom.net service for their campaigns. AgentTesla is one of them.
Modus Operandi
Paste[.]nrecom is a text-only service that started in May 2014, and it is the first time that attackers have started exploiting it. Attackers encode binary data to represent it as a text file, making it harder for security bodies to take down.
• From mid-September, several malware families including AgentTesla, LimeRAT, W3Cryptolocker, and Redline Stealer have started taking advantage of paste[.]nrecom[.]net service that offers an API and allows scripting.
• Attackers are sending phishing emails that trick a user into executing the malware. Subsequently, it downloads next stage malware from paste[.]nrecom.net to load into memory without writing to disk.
• Using such legitimate service is very beneficial for attackers, as they can easily insert and update data in an automated way.
Recent Attacks
Besides using new techniques, AgentTesla has been actively used by cybercriminals for various campaigns in recent few months.
• Last month, a malware gang identified as Epic Manchego used a .NET library to create malicious Excel files that delivered malware such as Azorult, AgentTesla, Formbook, Matiex, and njRat.
• In August, newer variants of Agent Tesla trojan were targeting popular web browsers, VPN software, FTP, and email clients.
Conclusion
Cybercriminals have started using Pastebin-like services for certain advantages it gives to them, such as evading detection, sharing malicious code, and storing stolen information. Experts suggest users to stay alert while visiting such sites and enterprises are advised to block access to such sites to stay protected.