PasteBin Script Leads to RAT Malware

Malware is distributed using many techniques and in many forms. Malwarebytes security researchers recently reported an unusual new delivery method. The attack starts with a cracked version of the VMWare.exe file.

When the VMWare installation file is executed, the host connects to a specific Pastebin page that contains a Visual Basic script, which downloads and runs another file named Tempwinlogon.exe. This executable is placed in C:\Users\{username}\AppData\Local\Tempwinlogon.exe (on a system running Windows 7). Tempwinlogon.exe runs a Trojan called Bladabindi, an njRAT program that gives the cyber-criminal full control of the victim's machine.


Figure: Pastebin page with the VB script (source: Malwarebytes)

The malware keeps a malicious process called Tr.exe running. If the victim kills the process using Task Manager, the system gets a BSOD. The attacker added this function to the RAT so that the OS crashes and the system reboots, running the process again.



As you can see, the attack is varied and hard to detect. It starts with the execution of cracked software that contains no malware itself, but makes the host connect to Pastebin and download the required malicious file.
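Because no single step looks malicious on its own, detection works better when the steps are correlated per host. The following is an added example, not code from Malwarebytes or from the original post: it flags a non-browser process contacting Pastebin, the file names mentioned above, and an .exe appearing directly in AppData\Local shortly afterwards. The event format, the browser list, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# File/process names taken from the article; matched case-insensitively.
NAMED_IOCS = {"tempwinlogon.exe", "tr.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # assumed list
# An .exe placed directly in AppData\Local (no vendor subfolder), as in the article.
LOCAL_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\.exe$", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample telemetry: (time, host, kind, process, detail)
EVENTS = [
    ("2024-01-01T10:00:00", "pc1", "net", "VMWare.exe", "pastebin.com"),
    ("2024-01-01T10:00:20", "pc1", "file", "wscript.exe", r"C:\Users\bob\AppData\Local\Tempwinlogon.exe"),
    ("2024-01-01T10:01:00", "pc1", "proc", "Tempwinlogon.exe", r"C:\Users\bob\AppData\Local\Tempwinlogon.exe"),
    ("2024-01-01T10:02:00", "pc1", "proc", "Tr.exe", r"C:\Users\bob\AppData\Local\Temp\Tr.exe"),
    ("2024-01-01T11:00:00", "pc2", "net", "chrome.exe", "pastebin.com"),
    ("2024-01-01T11:00:30", "pc2", "file", "setup.exe", r"C:\Users\amy\AppData\Local\Vendor\app.exe"),
]

def is_pastebin(domain):
    d = domain.lower()
    return d == "pastebin.com" or d.endswith(".pastebin.com")

def detect(events):
    """Return sorted (host, rule) findings for the chain described in the article."""
    findings = set()
    last_fetch = {}  # host -> time of the last non-browser Pastebin connection
    for ts, host, kind, proc, detail in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if kind == "net":
            if is_pastebin(detail) and proc.lower() not in BROWSERS:
                last_fetch[host] = t
                findings.add((host, "non-browser process contacted Pastebin"))
        elif kind in ("file", "proc"):
            name = detail.rsplit("\\", 1)[-1].lower()
            if name in NAMED_IOCS:
                findings.add((host, f"named indicator: {name}"))
            seen = last_fetch.get(host)
            if LOCAL_ROOT_EXE.match(detail) and seen and t - seen <= WINDOW:
                findings.add((host, "exe in AppData\\Local root after Pastebin fetch"))
    return sorted(findings)

if __name__ == "__main__":
    for host, rule in detect(EVENTS):
        print(host, "-", rule)
```

The file-name matches are the weakest signal, since names are trivial to change; the Pastebin-then-drop correlation is the part that survives renaming.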