Figure 2: Alternative C&C server address hosted on Pastebin.com

One of the challenges that adversaries need to deal with is how to maintain a sustainable C&C infrastructure without being quickly denylisted by enterprise security solutions, or being frequently shut down by ISPs and hosting services following law enforcement and security vendors’ abuse reports.

Many of these adversaries use “bullet-proof” hosting services. A more sophisticated approach that attackers are now using is to rely on public file hosting services such as Dropbox.com and Pastebin.com, which cannot be easily denylisted or taken down. This technique also allows the attacker to update the address of the C&C server whenever they need to.

Note: At the time we were writing this article, the C&C servers of the botnet had stopped being accessible, leaving all newly infected bots idle and polling the “Pastebin.com” page. However, the attacker could update the page at any time to point to a new C&C server that could take control of the botnet again.

Because the resource is exposed publicly on Pastebin.com, we were also able to discover more information about this operation. It seems to have been running since at least August of this year, because the username “WHATHAPPEN” created the resource on Aug. 21, 2017. At the time we were writing this article, this resource had been viewed 177,987 times. However, because we learned that the same bot might continue to periodically request this resource if the C&C server is down, we could not determine whether this number represents the size of this botnet. This number is climbing by about 1,000 a day.
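The periodic polling described above is something defenders can look for in web proxy logs even when the hosting domain itself cannot be blocked. The following is an added example, not part of the original article: it flags internal clients that fetch the same paste at near-regular intervals. The log format, polling interval, thresholds and paste IDs are all assumptions made for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "timestamp client_ip host path". PASTE_A and PASTE_B
# are placeholders, not real paste IDs.
SAMPLE_LOG = """\
2017-10-01T10:00:00 10.0.0.5 pastebin.com /raw/PASTE_A
2017-10-01T10:01:00 10.0.0.9 pastebin.com /PASTE_B
2017-10-01T10:01:30 10.0.0.9 pastebin.com /PASTE_B
2017-10-01T10:05:02 10.0.0.5 pastebin.com /raw/PASTE_A
2017-10-01T10:07:00 10.0.0.7 pastebin.com /raw/PASTE_A
2017-10-01T10:09:58 10.0.0.5 pastebin.com /raw/PASTE_A
2017-10-01T10:15:01 10.0.0.5 pastebin.com /raw/PASTE_A
2017-10-01T10:20:00 10.0.0.5 pastebin.com /raw/PASTE_A
2017-10-01T11:40:00 10.0.0.9 pastebin.com /PASTE_B
2017-10-01T15:02:00 10.0.0.9 pastebin.com /PASTE_B
"""

def find_pollers(log_text, hosts=("pastebin.com",), min_hits=4, max_jitter=0.2):
    """Return {(client, host, path): mean_gap_seconds} for clients that fetch
    one resource repeatedly with low variation between requests."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, host, path = parts
        if host.lower() in hosts:
            seen[(client, host.lower(), path)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation: machine polling is regular, browsing is bursty.
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter:
            flagged[key] = mean_gap
    return flagged

if __name__ == "__main__":
    for (client, host, path), gap in find_pollers(SAMPLE_LOG).items():
        print(f"{client} polls {host}{path} about every {gap:.0f}s")
```

Counting distinct clients flagged this way, rather than raw request counts, avoids the over-counting problem noted above for the paste's view counter.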