I'm making a JavaScript meant to be run from a browser's console. I want to make it as short as possible when pasting to the console (the code has 299 lines, by the way). So, I uploaded the code into Pastebin and also to a file hosting which directly goes into the JS file.
The gibberish (?) is reflective of, in this case, gnome-terminal color. Yes, by using a different shell, a different console, etc., it's possible to not generate that "gibberish". The question is how to nicely either get the script command to not record them, or get the pastebin utility (or similar, such as gist-paste) to handle them "nicely".
When you execute the new command spaste, it will call the command script and pass the user's input parameters to it. So the call syntax is the same as for the command script; see script --help or type spaste --help for more details:
The new command spaste has a few different modes for handling the link returned by pastebinit. These modes can be switched by exporting the variable $SPASTE_MODE with different values before executing the command spaste:
Once you've run script and it has created a typescript file, run cat typescript. All the escape sequences are consumed by the terminal, so the output is displayed as colorized text. Copy it manually (using the mouse), and it will be saved into the clipboard as plain text. Paste where needed.
The FortiGuard Labs threat research team has been noticing for some time that Pastebin and similar services are being used by malware authors, sometimes to evade detection or to obscure their purposes. However, we had no idea how common this practice is or what sorts of malicious content might be stored there. To get to the bottom of this, I decided to scrape Pastebin myself to see what is going on.
Tools like Pastebin can be used to share plain-text data over the internet with just a link. But not everyone uses this service in the same way or for innocent purposes. Malware authors, for example, often use Pastebin, or services like it, to store part of the malicious content from their malware, and then fetch it later from inside the malicious executable using the share link. A recent FortiGuard Labs blog on the Rocke coin mining malware shows one practical use case for this practice.
To take a closer look at this practice, and see how prevalent the misuse of this service is by cyber criminals, I decided to scrape all the pastes in Pastebin and process them for malicious content. At first, my goal was to look up malicious files, since Pastebin can be used as an evasion technique. However, what I discovered was a wide variety of malicious scripts, stolen credentials, encoded content, and malware. The result of this research, based on examining thousands of pastes, is as follows.
Base64 Encoded Content: Over 8,000 of these files fell into this category. Among them were obfuscated scripts, some hashes, and countless binary data. Surprisingly, I also found some ELF/PE executable files. Listed below is the MD5 hash of a few of these files and their status on VirusTotal.
Credentials and Sensitive Information: Over 6,000 of these files claimed to include stolen and hacked usernames and passwords for a variety of services, such as Spotify and Netflix, as well as some credit card information.
Encoded Content: Over 4,000 pastes contained encoded or random text strings, encryption keys, public and private cryptocurrency keys and wallets, a number of obfuscated PHP or JavaScript scripts, authentication tokens hardcoded in script files, onion service links (addresses in the Tor network), and last but not least, a lot of links to cracked software and/or movies (copyright-protected content).
pastebin is a program available on all ComputerCraft systems since mod version 1.31. It makes use of the http API to connect to, as the name implies, the Pastebin website (the script is hidden if said API is disabled in ComputerCraft.cfg). It can be used to either download and save scripts, run them on the fly, or upload them to the pastebin servers.
In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia.
Our analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote server via Template Injection. These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2. During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.
Initially, we believed this activity to be potentially associated with the Gorgon Group. Our hypothesis was based on the high level TTPs including the use of RevengeRAT. However, Unit 42 has not yet identified direct overlaps with other high-fidelity Gorgon Group indicators. Based on this, we are not able to assign this activity to the Gorgon group with an appropriate level of certainty.
By analyzing the code hosted on the blog, we discovered it actually includes a JavaScript embedded within it that performs several activities. Figure 5 shows the malicious JavaScript hosted at the seemingly innocuous blog.
The malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft Defender by removing its signature set. The script also kills the Defender process along with the processes for several Office applications. All of this is performed using the following command line:
The script then attempts to disable security mechanisms within Office products, specifically by setting registry key values to enable macros and to disable ProtectedView. First, the script enables macros within Word, PowerPoint and Excel by setting the following registry keys to a value of "1":
The technique of enabling macros and disabling ProtectedView in Office, including the order in which the registry keys were modified, was also described in our blog covering the Gorgon group. The tactic of killing processes for Windows Defender and Microsoft Office applications was also carried out by Gorgon. The Gorgon group also used the bitly URL shortening service in their attacks. While these are obvious technique overlaps, we still do not have concrete evidence that this attack campaign is associated with Gorgon.
The command above results in the download of a portable executable hosted on Pastebin at [.]com/raw/2LDaeHE1, decoding of the base64 content downloaded from the URL, and then execution of it. Figure 6 shows the Pastebin page hosting the executable downloaded by the script.
According to its configuration seen in Figure 8, when sending data to the C2 server, it will split the information using the string "hagga", which is the same name as the PasteBin account hosting the payload information seen in Figure 6 and the basis of the Aggah campaign name.
The script hosted at the Blogspot blog builds another command to create a scheduled task called "eScan Backup" that runs every 100 minutes. The command string generated by the script used to create this scheduled task is:
The script hosted at the Blogspot blog creates an autorun registry key, which appears to be a second persistence mechanism to supplement the previously mentioned scheduled task. To create the autorun key, the script generates the following command that it will attempt to run:
The fact that the above script does so little suggests that the actor may update this paste with a new script containing additional functionality when desired. Editing pastes is possible if the paste was created using a "Pro" account. These pastes were created by an account named HAGGA, which appears to be a Pro account, allowing the actor to update the script that runs on infected systems. HAGGA has several additional pastes, as seen below in Figure 12. These pastes contain additional malicious scripts that are ultimately used to create a payload.
While investigating this particular campaign, we reviewed the click count available on Bit.ly. As of April 11, 2019, the Bit.ly link, SmexEaldos3, referenced in the analysis above had over 1,900 clicks from about 20 countries spanning North America, Europe, Asia, and the Middle East. This high click count indicated to us that we were likely only looking at an extremely small subset of the actual campaign. It is also highly likely that these click counts include individuals accessing the shortened link during investigations and research efforts; therefore, the number is not an accurate representation of the number of hosts infected.
All of the documents have a time stamp between January and April 2019, and each contained a Bit.ly URL that redirects to a Blogspot page. While all of these documents were of interest to us, we noticed one configured with the same Bit.ly URL as our original file Activity.doc. This file has the following SHA256:
During our analysis, we identified several Bit.ly URLs and their redirects resulting in the download of RevengeRAT. One particular sample contains the C2 domain kronozzz2.duckdns[.]org. This sample has a SHA256 of:
To our surprise, we found it rather unlikely that two unrelated individuals would use the same mutex, identifier, and key just by happenstance. We believe this because the actor must manually enter the mutex, identifier, and key into specific fields within the RevengeRAT builder, which we will highlight in the following explanation of the steps required to build the Trojan.
RevengeRAT is a publicly available RAT which is seen in high volume. It appears as though some users of this RAT have moved from following publicly available step-by-step guides to become a little more sophisticated in how they are leveraging alternative storage locations for C2 support, such as Pastebin. These technique changes may help the operators by hiding behind legitimate services that are likely not blocked by security devices.