How are they using it?
Paste[.]nrecom is a text-only service that launched in May 2014, and this is the first time attackers have started exploiting it. Attackers encode binary data so that it can be stored as a text file, which makes it harder for security bodies to take down.
Since mid-September, several malware families, including AgentTesla, LimeRAT, W3Cryptolocker, and Redline Stealer, have started taking advantage of the paste[.]nrecom[.]net service, which offers an API and allows scripting.
Attackers are sending phishing emails that trick a user into executing the malware. The malware then downloads the next-stage malware from paste[.]nrecom[.]net and loads it into memory without writing it to disk.
Using such a legitimate service is very beneficial for attackers, as they can easily insert and update data in an automated way.
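A defender reviewing text bodies captured from a proxy or sandbox can check whether a paste is really an encoded Windows executable, as described above. The following is an added example, not code from the original article; it assumes the payload is base64 or hex encoded (the article does not name the encoding), and the function names and the sample stub are constructed for illustration.

```python
import base64
import binascii
import re
import struct

# Base64 of any buffer starting with "MZ" begins "TV" + one of o/p/q/r;
# hex begins "4D5A". Whitespace is allowed so line-wrapped pastes match.
B64_MZ = re.compile(r"TV[opqr][A-Za-z0-9+/\s]{100,}")
HEX_MZ = re.compile(r"4[dD]\s*5[aA](?:\s*[0-9A-Fa-f]{2}){62,}")


def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_pe(paste_text: str) -> list:
    """Return the encodings under which part of the text decodes to a PE image."""
    hits = set()
    for m in B64_MZ.finditer(paste_text):
        run = re.sub(r"\s+", "", m.group())
        run = run[: len(run) - len(run) % 4]  # drop a ragged tail, header is intact
        if looks_like_pe(base64.b64decode(run)):
            hits.add("base64")
    for m in HEX_MZ.finditer(paste_text):
        if looks_like_pe(binascii.unhexlify(re.sub(r"\s+", "", m.group()))):
            hits.add("hex")
    return sorted(hits)


def constructed_pe_stub() -> bytes:
    """Constructed sample: only the header fields checked above, no real code."""
    stub = bytearray(0xC0)
    stub[0:4] = b"MZ\x90\x00"
    struct.pack_into("<I", stub, 0x3C, 0x80)  # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\x00\x00"
    return bytes(stub)


if __name__ == "__main__":
    wrapped = base64.encodebytes(constructed_pe_stub()).decode()
    print(find_encoded_pe("header line\n" + wrapped))  # ['base64']
```

Checking the PE signature at `e_lfanew` rather than the `MZ` prefix alone keeps ordinary text that happens to start with `TVo` or `4D5A` from being flagged.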
Recent Attacks
Besides using new techniques, AgentTesla has been actively used by cybercriminals in various campaigns over the past few months.
Last month, a malware gang identified as Epic Manchego used a .NET library to create malicious Excel files that delivered malware such as Azorult, AgentTesla, Formbook, Matiex, and njRat.
In August, newer variants of the Agent Tesla trojan were targeting popular web browsers, VPN software, FTP, and email clients.
Conclusion
Cybercriminals have started using Pastebin-like services for certain advantages these services give them, such as evading ..