As originally reported by ZDNet, Palo Alto Networks' Unit 42 has identified a new second-stage execution method used by njRAT. The method uses Pastebin.com, a free text storage service, to host payloads that the njRAT bot then retrieves and executes. The payload formats are not all identical, but they typically contain blobs of data to execute or URLs to open. By moving payload hosting to Pastebin, the threat actors behind njRAT are probably trying to evade network-based detections (traffic to a popular, legitimate site blends in with normal web browsing) and to avoid maintaining payload servers of their own.
Pastebin.com is a site typically accessed through normal web browsers, so Binary Defense recommends using Endpoint Detection and Response (EDR) tools to monitor for processes initiating network connections to Pastebin.com and filtering out the processes that are known web browsers. A non-browser process connecting to Pastebin.com is an indicator of a potentially malicious process and should be investigated for other signs of compromise: unusual child processes, other network connections, or scripts executed after the connection to Pastebin.com. Additionally, Binary Defense recommends investing in a 24/7 SOC solution, such as Binary Defense's own Security Operations Task Force, so that a team of analysts can continuously monitor for threats like these and more.
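The detection logic described above, implemented over Sysmon-style endpoint telemetry, as an added example that is not part of the original post or of any Binary Defense tooling. It flags network-connection events (Sysmon Event ID 3) to pastebin.com whose source image is not on a browser allow-list, then pulls the triage context the post calls for: child processes (Event ID 1 with a matching ParentProcessGuid) and the flagged process's other connections. The browser list, the field names, the GUIDs, paths and TEST-NET addresses in the sample events are assumptions and constructed data, not real njRAT telemetry.

```python
"""Hunt for non-browser processes connecting to pastebin.com in Sysmon-style
network-connection telemetry. Added example with constructed sample data."""
import json
from pathlib import PureWindowsPath

PASTEBIN_DOMAIN = "pastebin.com"

# Browser images to filter out, by file name. An assumption for this example;
# tune it to the browsers actually deployed in your environment.
KNOWN_BROWSERS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
    "brave.exe", "opera.exe",
}


def is_pastebin_host(hostname):
    """True for pastebin.com or any subdomain of it, case-insensitively.
    A plain substring test would also match e.g. notpastebin.com."""
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return host == PASTEBIN_DOMAIN or host.endswith("." + PASTEBIN_DOMAIN)


def image_name(image_path):
    """Lower-cased file name of a Windows image path (handles either slash)."""
    return PureWindowsPath(image_path).name.lower()


def load_events(jsonl_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def flag_pastebin_connections(events):
    """Return network-connection events (EventID 3) to pastebin.com whose
    source process is not a known browser."""
    return [
        ev for ev in events
        if ev.get("EventID") == 3
        and is_pastebin_host(ev.get("DestinationHostname"))
        and image_name(ev.get("Image", "")) not in KNOWN_BROWSERS
    ]


def related_activity(events, hit):
    """Triage context for a flagged process: child processes it spawned
    (EventID 1 whose ParentProcessGuid matches) and its other network
    connections (EventID 3, same ProcessGuid, excluding the hit itself)."""
    guid = hit["ProcessGuid"]
    children = [e for e in events
                if e.get("EventID") == 1 and e.get("ParentProcessGuid") == guid]
    other_connections = [e for e in events
                         if e.get("EventID") == 3 and e.get("ProcessGuid") == guid
                         and e is not hit]
    return {"children": children, "other_connections": other_connections}


# Constructed sample telemetry (not real njRAT data). GUIDs, paths and the
# TEST-NET destination addresses are placeholders. Line 1 is a browser and is
# filtered out; line 2 is the hit; lines 3-4 are its child and second
# connection; line 5 is a look-alike domain that must not match.
SAMPLE_JSONL = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessGuid": "{1111-a}", "DestinationHostname": "pastebin.com", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "ProcessGuid": "{2222-b}", "DestinationHostname": "PASTEBIN.COM", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessGuid": "{3333-c}", "ParentProcessGuid": "{2222-b}", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "ProcessGuid": "{2222-b}", "DestinationHostname": "", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessGuid": "{4444-d}", "DestinationHostname": "notpastebin.com", "DestinationIp": "203.0.113.11", "DestinationPort": 443}
"""


def main():
    events = load_events(SAMPLE_JSONL)
    for hit in flag_pastebin_connections(events):
        ctx = related_activity(events, hit)
        print(f"[!] {hit['Image']} -> {hit['DestinationHostname']}:{hit['DestinationPort']}")
        for child in ctx["children"]:
            print(f"    child process: {child['CommandLine']}")
        for conn in ctx["other_connections"]:
            print(f"    other connection: {conn['DestinationIp']}:{conn['DestinationPort']}")


if __name__ == "__main__":
    main()
```

Two caveats when taking this to production. First, Sysmon fills DestinationHostname by reverse DNS lookup, which often fails for CDN-fronted sites; correlating the connection with the process's DNS query events (Sysmon Event ID 22) or with proxy logs is more reliable than trusting the hostname field alone. Second, an allow-list of browser image names only filters out real browsers in normal use; a browser launched by an unexpected parent process, or an unsigned binary named chrome.exe, deserves its own rule rather than a pass.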