Research by Juniper Labs has uncovered several malware campaigns using a paste service called “Paste.nrecom.” Using a paste service such as Pastebin.com is nothing new for malware, though most families tend to stick to the same few popular services. Paste.nrecom is built on the open source project Stikked, which provides an API and advanced features including encrypted pastes. Juniper Labs was able to identify the following malware families downloading configuration from the paste service:
- Agent Tesla
- W3Cryptolocker Ransomware
- Redline Stealer
Using an obscure or lesser-known paste service may have been an attempt by these malware families to stay under the radar while downloading further configuration or payloads. As organizations become aware of paste services such as Pastebin (pastebin.com), Ghostbin (ghostbin.co) and now Paste.nrecom (paste.nrecom.net), they should consider blocking them, since most employees will not need them in their day-to-day work. If blocking is not possible, consider monitoring and alerting on usage so that security teams can quickly identify when malware configurations or payloads are being downloaded.
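As an added example that is not part of the Juniper write-up, the following Python snippet implements the monitoring suggestion above: it scans web-proxy log lines (constructed here, in an assumed space-separated format) for requests to the three paste-service domains named in the article, matching subdomains as well as the bare hostnames, and groups the hits per internal client so each client produces one alert.

```python
import re
from urllib.parse import urlsplit

# Paste services named in the write-up; extend this set as new ones surface.
PASTE_SERVICES = {"pastebin.com", "ghostbin.co", "paste.nrecom.net"}

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2020-06-01T10:02:11Z 10.1.4.23 GET https://paste.nrecom.net/view/raw/abc123 200
2020-06-01T10:02:15Z 10.1.4.23 GET https://cdn.example.com/app.js 200
2020-06-01T10:03:40Z 10.1.7.9 GET https://pastebin.com/raw/XyZ987 200
2020-06-01T10:04:02Z 10.1.7.9 POST https://www.ghostbin.co/paste/new 200
2020-06-01T10:05:30Z 10.1.2.2 GET https://notpastebin.com/ 200
2020-06-01T10:06:00Z 10.1.4.23 GET https://paste.nrecom.net/api/create 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_matches(host, services=PASTE_SERVICES):
    """True if host is one of the paste services or any subdomain of one.

    A plain substring test would also flag look-alikes such as
    notpastebin.com, so the check anchors on the domain boundary."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in services)


def find_paste_activity(log_text, services=PASTE_SERVICES):
    """Return {client_ip: [(timestamp, method, url), ...]} for every
    request whose destination host is a monitored paste service."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host, services):
            hits.setdefault(m["src"], []).append((m["ts"], m["method"], m["url"]))
    return hits


if __name__ == "__main__":
    for src, reqs in find_paste_activity(SAMPLE_LOG).items():
        print(f"ALERT {src}: {len(reqs)} paste-service request(s)")
        for ts, method, url in reqs:
            print(f"  {ts} {method} {url}")
```

Raw-paste and API paths such as `/view/raw/` and `/api/` are worth surfacing separately in a real deployment, since those are the endpoints an automated downloader would use rather than the human-facing pages.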