Backdoors Found Leveraging Pastebin

Instead of relying on their own sites to host malware, hackers are posting strings of malicious backdoor code on Pastebin and calling upon it to execute malware.

The cut and paste website Pastebin is perhaps best known as a conduit for attackers to share database dumps, stolen data and other code, but now hackers have begun leveraging the site for their actual attacks.

Instead of relying on compromised sites to host malware, hackers are using Pastebin to spread malicious backdoor code and calling upon it to execute malware.

In this case, according to Denis Sinegubko, a senior malware researcher at Sucuri who penned a blog entry about the backdoors yesterday, the attackers are continuing to take advantage of a previously disclosed hole in RevSlider, a popular WordPress plugin.

“Technically, the criminals used Pastebin for what it was built for – to share code snippets. The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website,” Sinegubko wrote Tuesday.

In this case researchers found a segment of code that injects the content of a Base64-encoded $temp variable into a WordPress file, wp-links-opml.php. The code, which Sinegubko describes as slightly more sophisticated than earlier variants, is obfuscated but carries a backdoor. It depends on a request parameter, wp_nonce_once, that disguises the fact that the code fetches an actual Pastebin file. Because a nonce is commonly used to protect against unexpected or duplicate requests, the parameter looks legitimate and makes the code difficult to block, the researcher claims.

Sinegubko insists the backdoor can be rigged to download and execute any code snippet hosted on Pastebin, as long as a request is passed through that wp-links-opml.php file.
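The mechanics described above (a long Base64 literal decoded inside a core WordPress file, a reference to pastebin.com hidden in the decoded layer, and a nonce-looking request parameter feeding the fetch) suggest a simple file-integrity check a site owner can run. The following is an added example written for this article, not Sucuri's or WordPress's own code; the indicator names, the regular expressions, and both sample files are constructed here, and the "injected" sample is a marker string rather than the actual malware.

```python
import base64
import re

# Constructed sample (not a real WordPress file): a clean-looking fragment in the
# style of wp-links-opml.php, which builds an OPML document of saved links.
CLEAN_SAMPLE = """<?php
// stock-looking fragment: emit an OPML header for the site's links
header('Content-Type: text/xml; charset=' . get_option('blog_charset'), true);
echo '<?xml version="1.0"?>';
"""

# Constructed "injected" layer. The decoded text is only a marker carrying the
# indicators the article describes (pastebin.com, wp_nonce_once); it contains no
# working fetch-and-execute logic.
_INNER = ('$src = "pastebin.com"; $id = $_REQUEST["wp_nonce_once"]; '
          '/* constructed marker: fetch-and-run logic intentionally omitted */')
_B64 = base64.b64encode(_INNER.encode()).decode()
INJECTED_SAMPLE = CLEAN_SAMPLE + f'$temp = base64_decode("{_B64}"); eval($temp);\n'

# Indicators (assumed thresholds): a Base64 literal of 40+ chars handed straight
# to base64_decode(), any pastebin.com reference, the wp_nonce_once request
# parameter the article names, and eval() of the result.
B64_CALL = re.compile(r'base64_decode\(\s*[\'"]([A-Za-z0-9+/=]{40,})[\'"]\s*\)')
PASTEBIN = re.compile(r'pastebin\.com', re.IGNORECASE)
NONCE_PARAM = re.compile(r'\$_(?:GET|POST|REQUEST)\[\s*[\'"]wp_nonce_once[\'"]\s*\]')
EVAL_CALL = re.compile(r'\beval\s*\(')


def decode_base64_literals(php_source):
    """Return the decoded text of every long Base64 literal passed to base64_decode()."""
    decoded = []
    for match in B64_CALL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid Base64, skip it
        decoded.append(raw.decode('utf-8', 'replace'))
    return decoded


def scan_php(php_source):
    """Return a sorted list of indicators found in the source or in any decoded layer.

    Checking the decoded layers matters: the pastebin.com reference and the
    parameter name are invisible in the outer file until the literal is decoded.
    """
    findings = set()
    decoded = decode_base64_literals(php_source)
    if decoded:
        findings.add('long-base64-literal')
    for layer in [php_source] + decoded:
        if PASTEBIN.search(layer):
            findings.add('pastebin-reference')
        if NONCE_PARAM.search(layer):
            findings.add('wp_nonce_once-request-param')
        if EVAL_CALL.search(layer):
            findings.add('eval-call')
    return sorted(findings)


if __name__ == '__main__':
    # Demo on the constructed samples; point this at wp-links-opml.php to scan a real file.
    print('clean   :', scan_php(CLEAN_SAMPLE))
    print('injected:', scan_php(INJECTED_SAMPLE))
```

Run against a real install, a non-empty result for wp-links-opml.php is worth a look, because the stock file has no reason to decode Base64 literals or call eval(); a match on the decoded layer alone is the signal the article describes, since the outer file shows nothing but an opaque string.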

Since anyone who comes across a malicious Pastebin post can report it for abuse, it's unclear exactly how widespread this backdoor is.

Emails to Pastebin inquiring about the backdoors and how vigilant the service is being in regards to what is posted on its site were not immediately returned on Wednesday.

In mid-December researchers with Sucuri discovered a type of malware, SoakSoak, that was modifying files in WordPress sites that used an older version of "Slider Revolution," a/k/a RevSlider, a slideshow plugin. While Google was forced to blacklist 10,000 websites it spotted spreading the malware at the time, the campaign didn't stop there. Shortly before Christmas hackers began targeting a different WordPress file with SoakSoak, this time to load a malicious Flash file.

ThemePunch, the creator of the plugin, has reached out to Threatpost in the past to clarify that only versions of the plugin before 4.1.4 are vulnerable. The bigger problem is that many sites run the plugin because it is incorporated into a theme bundle, which has prevented many installations from being updated.

While using Pastebin to post stolen data is like second nature to hackers, it’s a bit of a rarity to see attacks that actually use the service as an exploitation platform.

Yesterday it came out that the insider behind the Morgan Stanley breach apparently attempted to sell a cache of account records – including passwords and login data for millions of clients – on Pastebin, shortly after the financial services giant was breached last year. The hackers behind the Sony Pictures breach also relied on the service last month to upload links to troves of sensitive, stolen data.
