Security Alerts Paste.nrecom[.]net used in multiple phishing campaigns

Tuesday, Oct 6, 2020

Multiple malware campaigns have been identified using the “paste.nrecom[.]net” web service to deploy malware variants such as AgentTesla, LimeRAT, W3Cryptolocker, and Redline Stealer to potential victims. Paste.nrecom is a web service where users can post code or text data with the intent of sharing it with others. The recently observed campaigns start with phishing emails that carry an attachment, such as a document, archive, or executable file. Once the victim opens the attachment, it downloads and installs the malware variants onto the victim’s device using “paste.nrecom[.]net.”

This campaign was identified after researchers observed malware variants being downloaded via paste.nrecom. One of the malware variants, AgentTesla, is known to target multiple industries related to shipping, supply chains, and banks, and uses phishing emails that contain archive attachments such as .iso, .rar, or .uue. The LimeRAT operators have also used the web service to download their malware onto targeted systems. A new ransomware variant that surfaced in July 2020, tracked as “W3Cryptolocker,” was observed using a loader hosted on a potentially compromised site, identified as “italake[.]com.” Once executed, W3Cryptolocker encrypts the victim’s files and then creates a “Read_Me.txt” file containing a ransom note in each folder. Additionally, Redline Stealer, a malware that surfaced around March 2020 and is reported to have targeted healthcare and manufacturing industries in the United States, was observed delivering a Bitcoin miner archived in a RAR file that contains “MinerBitcoin.exe.”

It is recommended that users monitor web services, including paste.nrecom, for suspicious content, particularly binary data encoded in base64. It is also recommended to verify the legitimacy of the sender before clicking on or downloading files, links, or documents provided by unknown senders.

The following indicators of compromise have been identified with this campaign:

Hashes:
8aaea85bfddaea3ec7217b5f2fa10daf0ca359f5228c3119185e7af281b42e2b
d38feef0723f730c8bb5704b4b45c8c0c324b1718b42e80b98244a7e49844331
3cc7000f6f2bf315a4fc3fb0ef9035f8683d4660648e23cb178656eae79b2dc5
62fa4dea77f33cfe294110457af90d2ccd0fc32f3d37c9ddf7a0457ed8f315ee
5d4b172afd897db7dddf983697c620cb1dde6341380b849f81f7606ae2073093
3a845e095d227f6318cb0dc973c5ecd2a74555435fcd735b71cd30d4a862c39c
435f9c7e3e74fa789f423e1a3c794fc8347414495a46de36e82de0e10cc0cf38
f1b40766fbaeb0248b3e629b1904156e3966d2b862d030a8218236904e8cd32f
28b5ab14ad007650aa5e45f5090119a758eb45f893e400e53e5ea13ac2e5b38e
c8abcedb3ec20f7ab5d9b98cc32f03b318eba61f344e0537e4d4de673422c6b1
1a8573f9acba3f7d8863043223fb1d6ef4b52ad5bb4cdcb5e178e935b25b40e3
d58b9d22310bf486e4301ed93191810f07cf06ca42b5252e4ded1537680579b6
afb7a097cebd29157285861e7bac37648c92243143b560772e652fa87b8aed6b
3d9e5f07897b3089600b123a50a005eab5051640661dc4575c2afc0391c97ad8
9c0b50ba7ea383bf16b25ea12a830d5c63c5c995ab2f494dc270137ecfd31701
3db65b267a1e41ebb307b706f561866dce2752041f482abe93f73144df9a1d4d
29f7eb242d7ddcaacfaac36f036081abc28ba48faaaf9fca601725a6ed160637
3e292943cacc062b57a2b1e88340a2d0641e901470f385168b671c90eaf70e2a
a533b2ceae875b9e14a1980d31fcd0243ef88a66371d6bcfbde7e423e0c2b610
fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04
49add5e8057e45261291d45a67b60d0db5376efe9ba6873af53fc79f27243e43
a78cce9dc644987d3404335cefeca9833ea5f69a36b2da05e5a86505c862d867
4f31265917db7d9abbdf4b6378da0822158cc9b4bff1904adad63a87cfa82f2e
e7edc16f528c9cf0455d84f412520786f31aae8f67f3f551671f576727d1d141
5946308eb0248dd65c6ddc199f8bf69576b7e1dc95eb28822a265fecb1e56c86
9db25a250975ebce56643b75440c64705b0ecc1207d5a3d92b8f3d6060af3551
ede98ae4e8afea093eae316388825527658807489e5559bff6dbf5bc5b554a2c
cf2dfce39e8f0eb5af3a9d51b5559e2c9be27ea5c1ef899e76281a0ee530307f
99121c7c11bb444912d02000ce2e8a39b3e885d66889547ec8fb0c88906c22f4
b50d4fd8b572c3a13c4997c83e0bbbc3f7a270e75b79ec09512142f5560f61ab
f52802d87fdaca4cc9c0ef7a6b1352163e3679272752d8ea3e7a681de99dfd43
7fe854ce78e7ab7cafcc299b4f2a4ee82cc366d47f9a8961727365e45688bb4c
022d911560f38d5165ea4196ac74a141531d3e244cdc9be895e539f7143a7bbb
27f8e739b62c685c4115f49ae146bb75271d0b8fad021436939735bf7492186b
878bc771d4c7416170ff358db124e1608f5612b8998199a95c5d60d8f940b26e
0374033592ba3bfa76d5046af2eaf4506166b157aae2c5a396c827b36d4738ca
dd16f5efc0cdb995aa3f7822016ae1e2a4708d5b8b5b4a2f6477f5ef5b82e205
9b876e4ddeaf0d950860db4942d9be1507453ba1065a03672de41dfb287b2511
ac97cd95119446e96dd0bc35a4b9dc67f4ef2853e298dc145c7588807022d808
39ba64584fb99652e9d2c05b4afdf139317f5f2a052611b989257047cc12db74
6462c93c7a2cbad27bd1cd418bed36078860fd7f1399b477991fe3c71c0d7a8c
b7b028faf0caeca7b7f21de532299867e142fb043d31f996c5f5a3535dea4a47
1089bd2bc482573fc05dbea6a3c195802accedcd9ad74c6e4125a7a035c021be
bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886
cb6c181823fd61558c1e6cefa9f1634d1676984316caa071c24268df493d3629
2b2da9baef3c6f18ac4c4340b3107359f1113ee8ea3c097835c24546f1a3f11f
3d3ab28f09d5736fcd2215fb6395e7b15e6e9f1f86931b1d3d956c70879e9d33
52f124a478c562251459cacc60b7afa952a8c02df7342c1a951502307ba7b33f
444d5257fc696b234af3311abf6985a41e6e60c66dc92dab0903cbc60156f398
c8ccf5c24239360035df47fef44703d7775346dbf7b1afcf78af6250b8876521
8d804533708c03ed4236be70e113a419ce1c8d8a5c36baa755cb7b787f29f54f
b4e0b3b783072b5266988f11bd5af2235b432619a42466fea81a35cb5edc4eea
63cd03b7e7013b0a7bac695d4fb9b5c5c7e9c556eb6eab0a9ec359049fb2621c
dcbfc3cecf75ec77de3ac314ca911af1d778e5c432df4cda146c02aa9ae84c47
f638dcb163a2568b12a9ea757335a0cc432bee92c15c77c5e80a294ad31bd792
13b630c5c157585f6abcb2fc8e3388c23a09f881c20cdeaffda291fb36a37539
1e4b7d7868d25071db67da87392fd5dafab344a9fa6dc040f7afb0699152fc13
9c38ab9d806417e89e3c035740421977f92a15c12f9fa776ac9665a1879e5f67
682fdd0b1a94ea8f92981fd6b697a5c4ff817ff6e838285655ede39107ca9ade
6e960e703df3fdea6667d9c5b671e3efc05c692eb6875edc74c5ccc8ade52ac7
f8ef2da125ebd0f972969d12f28964a00954bad6e4f804bd1db8c0507e751bc9
59bf368c532ca20de17fdaaee2160451ae8c8f7cafd8d3c7adb263dd0978e918
20ad344d20337f8a782135e59bc1f6e1a7999bcddc50fc1dc3b8b6645abcb91e
518096f15c73866783c6e10fbc9b694c41391ee6b0b3b4608ff24c3f457e21fd
e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029
e5eab76057ff57592284f3ea66db174032c69b1808dee70c081e03771d521545
6194207c32a23bac956afb47f857ebcdcb3aa37e818907e98b27acaf4b83d60f
115127b50a0f45aabb993f8ffd5b585e063a98a17e1b687036167409cf2b0ac2
94b9c9154a23db8df436f4cdda225d9bd28dfae325dfe68e034462d70245fb0e
41502bc411135eb896c8a8aa7aa337ae437977473bd329ac1d0ccfa639ec4e2c
398a9031f8f0eeb85169aa06340a39230beac02dc1a2a004280a1528576197ad
337f28a9250592d0ebc58f5a913114df82e69ef4c44243191204adfa61f9819b
23528e75315abed2f7a86fad26036ef1626311c3838153cb8a96bd938f0055ac
4f0bc389fcd575a732907732c223219ab0ad44571ca6f83f99358bb9e7467839
b9e094892d6ed3b3eba5b56416d31b5ea635cf666ddf67ff4eb62475db7371ca
904453d980dceca169497cb717731b046bbbb8c6700b90dbe46dc35c15a8fff2
3c940fdf850d0e6211b340564357094fa8ddb81351789bfd43465efa2e52acfd
cb1da05bac46d1aeb0eeec67b2249aa8f539784c4a9ff9245b4ed4a8937ccd0f
34a5905fd12478a0ac253f5fb1fb8e32543ea070ef3d1f84ed5e448475f385cb
0e044c8570122a280c963cac80e0140da78ee0d378cd17cab4ea6f146ce35d15
a7f337587cdd0e9a1fb013da274293d207815843f778c714e75693cd2c8e5f11
f679912dbe6576989cd541b866f5f3a7a2423b1a6f92cc189a12fbffc42b926d
4784f1dbfcafcef10bdfd6c2021b1e74a826917715fd84a91f610a8b6a3bdc4f

URLs:
hxxp://198.12.66[.]108/v.exe
hxxps://paste.nrecom[.]net/view/raw/6550c073
hxxps://paste.nrecom[.]net/view/raw/3066146f
hxxps://paste.nrecom[.]net/view/raw/6306a51c
hxxps://paste.nrecom[.]net/view/raw/39468747
hxxps://paste.nrecom[.]net/view/raw/bebcab0a
hxxps://paste.nrecom[.]net/view/raw/04fba6cb
hxxps://paste.nrecom[.]net/view/raw/3529ec57
hxxps://paste.nrecom[.]net/view/raw/4f789f73
hxxp://lol.thezone[.]vip/v.exe
hxxps://paste.nrecom[.]net/view/raw/c230a816
hxxps://paste.nrecom[.]net/view/raw/7f41da66
hxxps://paste.nrecom[.]net/view/raw/bfefa179
hxxps://paste.nrecom[.]net/view/raw/aec14685
hxxps://paste.nrecom[.]net/view/raw/0d9233c8
hxxps://paste.nrecom[.]net/view/raw/c7dfc858
hxxps://paste.nrecom[.]net/view/raw/b44fe71a
hxxp://italake[.]com/assets/css/0022.exe
hxxps://paste.nrecom[.]net/view/raw/91aec4e7
hxxps://paste.nrecom[.]net/view/raw/7900ed08
hxxps://paste.nrecom[.]net/view/raw/bd63e76f
hxxps://paste.nrecom[.]net/view/raw/019f27dd
hxxps://paste.nrecom[.]net/view/raw/93a7cd20
hxxps://paste.nrecom[.]net/view/raw/d8aedaf6
hxxps://paste.nrecom[.]net/view/raw/4736837b
hxxps://paste.nrecom[.]net/view/raw/bfbb1544
hxxps://paste.nrecom[.]net/view/raw/3c3ececf
hxxps://paste.nrecom[.]net/view/raw/658b9281

Domains:
lol[.]thezone[.]vip
italake[.]com
paste[.]nrecom[.]net