Malwares posing as legit Web Services to induce spear-phishing attacks

October 14, 2020
malware pose as legit web services spear phishing attacks cyber attack scheme campaign

Threat actors are continually evolving, always finding new ways to widen their reach into cyberspace. Only this time, they seemed to have turned over a new leaf – rethinking their practices, transforming themselves and their schemes into legitimate web-based services to further their malicious and fraudulent activities involving spear-phishing attacks.

With all the innovative ways these cybercriminals can develop, they have decided to adopt a familiar method – PasteBin. A rather famous code-hosting service or repository allows users to share plain texts of codes via their publicly available platform. Pastebin has become increasingly popular amongst developers and cybercriminals, with more than 17 million users regularly. Hackers can easily upload their payloads online and use them anytime they want. 


Just recently, several cybercriminal groups started to adopt a pastebin-like functionality in order to download malwares to be used in spear-phishing attacks.


Even ransomware groups have taken the opportunity and jumped into a similar service from a domain called paste(.)nrecom(.)net. This website has been around for several years already and has functions similar to Pastebin. It even has added features like open-source API for scripting. This component is highly valued by hackers for its wide array of tasks in systematically updating their data and codes. 

This service or method has been around for quite some time, but this is the first notable instance of using cybercriminals. Several security researchers have analyzed some of the repositories they found online and found the most common malware used by hackers and other threat actors. Among them – LimeRAT, W3C Ransomware/Cryptolocker, AgentTesla, and Redline Stealer. According to the researchers, the spear-phishing attack is initialized via email, of course, with an attachment included (.pdf, .zip, .exe). The intended recipient is then lured into opening the injected file rigged to download the malware from the repository directly without them knowing.  

From the list of the common malware being used, AgentTesla has been highlighted by security researchers as the one most used by hackers and threat actors. The malware has been used to target banks, healthcare companies, manufacturing firms, including government institutions. Like other spear-phishing attacks, AgentTesla is being summoned directly from the Pastebin-like repository, and once downloaded, it does the rest altogether.  

Other malware families have been used to target other industrial sectors, and like AgentTesla, they are all being summoned via their Pastebin-like locations. This method has become increasingly effective and efficient for threat actors and other cybercriminal groups because not only are they allowed to use the repository, it keeps their data and their payloads secure. And for them, this is a substantial tactical advantage. 

Security researchers have issued caution and stated that more and more threat actors will step on the bandwagon and use these legitimate services to further their malicious intents and activities with this newfound method. They mentioned that these repositories are not easy to take down because their services are deemed as legitimate. So, for now, we’ll have to think twice before clicking any links.  

About the author

Leave a Reply