As originally reported by ZDNet, Palo Alto Networks' Unit 42 has identified a new second-stage execution method used by njRAT. This method uses Pastebin.com, a free text storage platform, to host payloads that the njRAT bot then executes. While the payloads do not all share the same format, they typically contain blobs of data to execute or URLs to open. With the shift to Pastebin payloads, the threat actors behind njRAT are probably trying to evade network-based detections by defenders and to avoid hosting payloads on servers that they have to maintain.