In recent months, our team has been tracking a keylogger malware family named KeyBase that has been in the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails. In total, Palo Alto Networks AutoFocus threat intelligence service identified 295 unique samples over roughly 1,500 unique sessions in the past four months. Attacks have primarily targeted the high tech, higher education, and retail industries.

KeyBase was first observed in mid-February of 2015. Shortly before then, the domain ‘keybasein’ was registered as a homepage and online store for the KeyBase keylogger. This activity is in line with an initial posting made by a user with the handle ‘Support™’ announcing KeyBase on the forum on February 7, 2015. In the forum post, the malware touts the following features:

- Fully undetected scan-time and run-time (Later removed)

Figure 1.

Since February 2015, approximately 1,500 sessions carrying KeyBase have been captured by WildFire, as we can see below:

![keybase keylogger](https://unit42.paloaltonetworks.com/wp-content/uploads/2015/06/hack-figure-2.png)

We can also quickly determine targeted industries using AutoFocus:

Figure 3.

The targeted companies span the globe and are located in many countries.

Figure 4.

This malware is primarily delivered via phishing emails using common lures. Some examples of attachment filenames can be seen below:

One such example of an email delivering KeyBase can be seen below:

Overall, Unit 42 has seen a large number of separate campaigns using KeyBase. As the software can be easily purchased by anyone, this comes as no surprise. As we can see in the following diagram, around 50 different command and control (C2) servers have been identified, with up to as many as 50 unique samples connecting to a single C2.

KeyBase itself is written in C# using the. These facts allowed us to decompile the underlying code and identify key functionality and characteristics of the keylogger. Functionality in KeyBase includes the following:

When the malware is initially executed, a series of threads are spawned. The various functions spawned in new threads may be inert based on options specified by the attacker during the build. Should a feature not be enabled, a function looks similar to the following:

The author makes use of a number of simple obfuscation techniques on various strings used within the code. Examples of this include replacing single characters that have been added to strings, as well as performing reverse operations on strings.

Figure 11. String obfuscation using replace

Figure 12. String obfuscation using reverse

Additionally, the author makes use of an ‘Encryption’ class. This class is used to decrypt a number of strings found within the code.

Figure 14.

References to this decompiled code were discovered in an old posting on, where the user ‘Ethereal’ provided sample code.

Figure 15.

We see the ‘DecryptText’ function used by the author when he/she dynamically loads a number of Microsoft Windows APIs. The following Python code can be used to decrypt these strings.

```python
# Only these two lines of the script survive on this page; the enclosing dec() definition does not.
    out += chr(ord(s) - ord(key) - ord(str))

print "Decoded: %25s | Encoded: %s" % (dec(s, key), repr(s))
```

Persistence in KeyBase, should it be enabled, is achieved using two techniques: copying the malware to the startup folder or setting the Run registry key to autorun on startup. When KeyBase copies itself to the startup folder, it names itself ‘Important.exe’. This is statically set by the author and cannot be changed by the user in the current version.
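A hunting rule for the two persistence mechanisms described above, added here as example code (not Unit 42's analysis tooling or the malware's own code). It assumes Sysmon-style events (EventID 11 for file creation, 13 for registry value writes) with the field names shown; the event records are constructed for this example.

```python
import ntpath
import re

# Added example: flag a Startup-folder copy named Important.exe (the fixed name
# reported for KeyBase) or a Run-key autorun value. Event shape is an assumption.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
KEYBASE_STARTUP_NAME = "important.exe"

# Constructed sample telemetry: two KeyBase-style events, two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Important.exe"},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\Important",
     "Details": r"C:\Users\bob\AppData\Roaming\Important.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]


def classify(event):
    """Return (severity, reason) for a suspicious event, or None."""
    eid = event.get("EventID")
    if eid == 11:
        target = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            name = ntpath.basename(target).lower()
            if name == KEYBASE_STARTUP_NAME:
                return ("high", f"KeyBase-style Startup copy: {target}")
            if name.endswith(".exe"):
                return ("medium", f"executable dropped in Startup folder: {target}")
    elif eid == 13:
        key, data = event.get("TargetObject", ""), event.get("Details", "")
        # A Run value launching a binary from a user profile path is the pattern a
        # user-mode keylogger leaves; vendor installs under Program Files are skipped.
        if RUN_KEY_RE.search(key) and USER_PROFILE_RE.search(data):
            return ("high", f"Run-key autorun from user profile: {key} -> {data}")
    return None


def hunt(events):
    """Apply classify() to every event and keep only the hits."""
    return [hit for hit in map(classify, events) if hit]
```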