fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malware Campaigns Deliver Payloads Via Obscure Paste Service

Malware Campaigns Deliver Payloads Via Obscure Paste Service

Multiple malware campaigns have been spotted using Pastebin-style services to facilitate their nefarious activities.

Instead of delivering payload from a dedicated Command-and-Control (C&C) server, paste sites enable attackers to hide their malicious code in plain sight.

This week Juniper Threat Labs have identified malware campaigns relying on legitimate paste services like paste.nrecom.net to host the malicious payload.

This service is based on an open-source Pastebin implementation called Strikked and has been operating since 2014.

Binary payload encoded as plaintext

While the paste site only supports plaintext files and not binary, any data – including binary can be encoded and represented as ASCII.

That is what malware spotted by Juniper Threat Labs was doing in this case.

base64 encoded payload juniper
Encoded malicious payload hosted on Pastebin-like site paste.nrecom.net ​​​​​​
Source: Juniper Threat Labs

“Because it is a text-only service, one would think that it cannot host an executable file (binary data) into it,” stated Paul Kimayong, a security researcher at Juniper Threat Labs.

“However, binary data can be represented as a text file by simply encoding it. The common encoding method is using base64. That is exactly what the threat actors did in this case,” he continued.

Before being base64-encoded, as shown above, the binary payload underwent an XOR encryption, to add a layer of obfuscation.

Obfuscation using XOR operations is a technique used to “scramble” the data to make it hard to decipher without knowing the correct “XOR key.”

Obfuscated binary payload post an XOR operation
Obfuscated binary payload after an XOR operation
Source: Juniper Threat Labs

Also Read: What is Pentest Report? Here’s A Walk-through

Multiple malware campaigns

The malware campaigns leveraging the paste service to distribute encrypted payload include Agent Tesla, W3Cryptolocker Ransomware, Redline Stealer, and LimeRAT.

“The attack usually starts with a phishing email that includes an attachment, such as a document, archive or an executable,” explains Kimayong.

An example phishing email sent to lure victims of Agent Tesla campaign into downloading the malicious file is shown below:

phishing email juniper
Phishing email containing the attachment that would download malware from the paste service

“When a user is tricked into installing the malicious attachment (first stage), it downloads the next stages from paste.nrecom.net. We have also seen malware hosting their configuration data in the same service.”

Using Pastebin-style services to host encrypted malicious code in plain sight works in the attacker’s favor as these sites cannot be easily blocked by policy due to their legitimate use-cases.

Juniper Threat Labs’ advice is to monitor traffic corresponding to the paste.nrecom website should it be malicious. Particularly, Security Operations Center (SOC) professionals should watch out for suspicious activity such as base64-encoded binary data in transit.

Juniper’s complete findings, Indicators of Compromise (IOCs), and list of malware campaigns are provided on their blog.

Also Read: 8 Simple Ways To Improve Your Website Protection

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us