Recorded Future researchers found malicious base64-encoded PowerShell scripts sitting on a Pastebin page – placed there with the intention of infecting victims with the njRAT remote access trojan.
Recorded Future researchers found malicious base64-encoded PowerShell scripts sitting on a Pastebin page – placed there with the intention of infecting victims with the njRAT remote access trojan.

Hackers are encoding malicious PowerShell scripts in base64 and hiding them on plain-text upload sites such as Pastebin, according to a new research report and accompanying blog post by threat intelligence firm Recorded Future.

The report, published on Wednesday, was inspired by a Nov. 17 law-enforcement bulletin that warned of a nation-state threat group attacking public and private entities using techniques that incorporate spear phishing, PowerShell and base64.

“In this case the attacker works on the reasonable assumption that individuals working closely with technology are not restricted in their access to text-based resources, like paste sites and code repositories,” wrote blog post author Chris Pace, Recorded Future's marketing and content director for the EMEA region. “They also take advantage of the fact that security at the web layer may not be able to decode and identify that this program is malicious.”

Using its own threat intelligence analytical engine, Recorded Future scoured online code repositories, paste sites and criminal forums for references to malicious PowerShell scripts leveraging Base64. Sure enough, the company encountered numerous examples of the specific technique being employed in the wild.

In one uncovered scheme, a Saudi Arabia-based individual or group was found hiding a malicious PowerShell script on a Pastebin page that infected victims with the njRAT remote access trojan. In this scenario, the attacker first used compromised websites and phishing emails to infect victims with a downloader-type program. This “first-stage implant” would then retrieve a base64-encoded portable executable (PE) file from a Pastebin page. The PE file then would call back to Pastebin once more to collect its own payload; namely, njRAT.

This is a very clever attack in the way this was all… strung together,” said Levi Gundert, Recorded Future's VP of intelligence and strategy, who authored the report. “The key takeaway for defenders is… what is the next evolution of this going to look like and how are you going to detect it?”

The attacker in this example is not necessarily the threat group to which the aforementioned law-enforcement bulletin was referring.

If attackers and threat groups can use Pastebin pages to hide encoded scripts, there's no reason to think they can't do the same on mainstream online business sites and services such as Amazon Web Services  and Microsoft Office 365. “I would logically expect to see that in the very near future,” said Gundert.

In the course of the study, Recorded Future researchers also found examples of attackers hiding base64 encoded strings in web favicons and DNS TXT records – two additional techniques that law-enforcement authorities had warned about in the Nov. 17 bulletin.

While organizations are unlikely to block access to sites and services such like Pastebin, there are other ways to minimize the impact of these cyberthreats. In its report, Recorded Future recommends setting up alerts for instances when base64-encoded strings and Pastebin URIs are collectively detected on network traffic. Moreover, the report continues, organizations should maintain ongoing visibility into its memory and running processes, "and scripts... should produce alerts when they attempt common PowerShell attack command switches (i.e. “nop” and “exec bypass”, etc.), include base64 encoded strings, or attempt to fetch a file from a remote location."

Recorded Future also suggested group policy restrictions on PowerShell and mandatory, granular-level PowerShell logging on all hosts.