Pastebin Malware

    I've never really understood the purpose of Pastebin from a practical sense.  I think I get the concept, I just don't know why you'd use it.  That being said, its darker side is breach data dumping for the world to see.  

    Yesterday, I was thinking about the API and wondering if I wanted to write a script to search the pastes for client email addresses.  While digging around on the site, I checked out a few pastes.  Lots of people dumping code snippets and then I saw something.  Among the code snippets, I saw what looked to be base64.  I grabbed it, decoded it, and what I saw looked to be binary gibberish.  I thought it was going to be something clever like a message but that's just me playing too much CTF.  But then I did a Google search for "What is the purpose of Pastebin?" and I saw a search result talking about base64 encoded malware.  What!?!?  After reading the article, I was left with only a partial picture.  Perhaps the author didn't want to spell things out completely?  I don't know.  So I started working it through on my own.

    A quick recap -- Pastebin accepts text only pastes so you can't just drop a binary, it must be converted to text.  If we take the netcat binary, or any Windows binary for that matter, and we convert it to base64, we have text we can upload but we also get the same pattern appearing at the start:  TVqQAAMAAAAEAAAA

    Armed with this knowledge, if we search Pastebin for that pattern, we come up with some results:

    I've sorted the results by date and then I downloaded the text file:

    Now I'm converting the base64 text back to a binary because what could possibly go wrong??  Seriously, this is unknown malware, be careful!!

    Now that I've converted it back to a binary, I upload it to VirusTotal to see if we have a match:

    No surprise, we get overwhelming results on a malware positive.  Now what's really interesting is that the filename is the paste name which tells me that someone is monitoring Pastebin for malware.  Otherwise, I don't think we'd see a name match for the paste name.  

    I've been on the Internet for a very long time, longer than most, and I thought there were very few tricks left but today the Internet proved me wrong.  

    © 2020