Operators of the njRAT Remote Access Trojan (RAT) are leveraging Pastebin C2 tunnels to avoid scrutiny by cybersecurity researchers. 

On Wednesday, Palo Alto Networks' Unit 42 cybersecurity team said[1] njRAT, also known as Bladabindi, is being used to download and execute secondary-stage payloads from Pastebin, scrapping the need to establish a traditional command-and-control (C2) server altogether. 

Since at least October, operators have used Pastebin, a text storage and sharing platform, to host payloads that vary in form. Some dumps are base64 encoded; in others, hexadecimal and JSON data mask the true nature of the dump; some are compressed blobs; and others are plaintext instructions containing embedded malicious URLs.

The team says that njRAT variants will call upon shortened URLs linking to Pastebin in an attempt to "evade detection by security products and increase the possibility of operating unnoticed."

Developed in .NET, njRAT is a widely used Trojan that can remotely hijack the functions of a compromised machine, including taking screenshots, exfiltrating data, keylogging, and killing processes such as antivirus programs. In addition, the RAT can execute secondary malicious payloads and connect infected PCs to botnets.

The "Pastebin C2 tunnel" now in use, as described by the researchers, creates a pathway between njRAT infections and new payloads. With the Trojan acting as a downloader, it grabs encoded data dumped on Pastebin, decodes it, and deploys it.
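An analyst triaging a suspicious paste faces exactly the layering described above: base64, hex, JSON wrappers and compressed blobs around plaintext that names a URL. The following Python is an added example written for this article, not code from Unit 42 or from njRAT; it peels those wrappers outermost-first and reports the URLs in the innermost layer. The sample pastes are constructed here, and the URL and paste ID in them are placeholders.

```python
import base64
import binascii
import json
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
HEX_RE = re.compile(rb"[0-9a-fA-F]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

def _longest_string(obj):  # the longest JSON string is the likeliest payload carrier
    if isinstance(obj, str):
        return obj
    items = obj.values() if isinstance(obj, dict) else (obj if isinstance(obj, list) else [])
    return max((_longest_string(v) for v in items), key=len, default="")

def peel(blob, max_depth=6):
    """Strip zlib / hex / base64 / JSON wrappers outermost-first; returns (layer tags, innermost bytes)."""
    layers, data = [], blob
    for _ in range(max_depth):
        compact = b"".join(data.split())  # raw pastes often line-wrap long encoded text
        attempts = [
            ("zlib", data[:1] == b"\x78", lambda: zlib.decompress(data)),
            ("hex", HEX_RE.fullmatch(compact) and len(compact) % 2 == 0, lambda: bytes.fromhex(compact.decode())),
            ("base64", B64_RE.fullmatch(compact) and len(compact) % 4 == 0, lambda: base64.b64decode(compact, validate=True)),
            ("json", compact[:1] in (b"{", b"["), lambda: _longest_string(json.loads(data)).encode()),
        ]
        for tag, looks_like, decode in attempts:
            if not looks_like:
                continue
            try:
                out = decode()
            except (zlib.error, binascii.Error, ValueError):
                continue  # not this wrapper; try the next one
            layers.append(tag)
            data = out
            break
        else:
            break  # nothing left to peel
    return layers, data

def triage(blob):
    layers, inner = peel(blob)
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(inner)]
    return {"layers": layers, "urls": urls, "inner": inner.decode("utf-8", "replace")}

# Constructed samples imitating two of the shapes described above (not real njRAT pastes).
INNER = b"fetch http://paste.example.invalid/raw/PLACEHOLDER_ID then run"
SAMPLE_B64_ZLIB = base64.b64encode(zlib.compress(INNER))
SAMPLE_JSON_HEX = json.dumps({"v": 1, "blob": INNER.hex()}).encode()
```

The layer tags make a useful detection feature on their own: a paste that unwraps as base64 over zlib, or JSON over hex, and then yields a URL is worth a closer look regardless of what the inner text says.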

In samples viewed by the team, one payload was decoded as a .NET executable that abuses Windows API functions for keylogging and data theft. Other samples, similar in function, required
