#Keybase keylogger software
Now the popularity of KeyBase is growing rapidly, and its vulnerability makes the software even more dangerous, experts say.
#Keybase keylogger Pc
The screenshots from the PC of unfortunate attackers show various scripts and software, mainly software for “script kiddies”. Those who use the keylogger now often infect their computers too. It also turned out that during the software testing period, attackers infected their own PCs, and these screenshots are still stored on the same accessible server. In the screenshots of the software, specialists saw data on bank accounts, invoices, the contents of e-mail boxes, social network accounts, drawings, financial documents, and much more. Most often infected systems that are related to production, transport and logistics, retail. Most of the infected systems are in India, China, South Korea and the United Arab Emirates. True, this is data from one of the waves of infection, information 8 months ago.
#Keybase keylogger windows
The remaining systems could not be identified, but a total of 933 Windows PCs are infected. 75 - personal systems, 134 used at work and at home. After analyzing them, it turned out that about 216 infected PCs were corporate machines.
Interestingly, the folder where screenshots are sent from the victims' computers is open, so the experts managed to get these images. But the work on improving the keylogger continues - no longer the author, but his followers create more and more new versions of the program, releasing thousands of different options. The number of victims of malware is not so great - at the moment they are infected with something around 933 Windows PCs. Now there are 295 versions of KeyBase, and the keylogger has leaked to the network, where they all began to use it. He himself quickly developed in the period when the attacker was working on the project. Nevertheless, the information security specialists mentioned above found almost all the data from an unprotected keylogger server. Then, researchers from Palo Alto were able to detect an unsecured server to which all information was sent from the computers of the keylogger victims.Īfter that, the malware author stopped software development and closed the site, through which KeyBase was sold at a price of $ 50. Malware was created in February 2015 and first appeared in June last year.
SHA1: ef0d13645fab775a21f00ffff5b587955884498cįinally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.KeyBagger is a fairly simple malicious software that allows you to record keystrokes on the keyboard, send data from the victim's PC clipboard, and regularly take screenshots of the victim's desktop. Scan results for a couple of KeyBase variants can be found on VirusTotal: The following query can be used:įilename = 'post.php' & query begins 'type=' & client !exists Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. However, directory names vary from one server to another: Time on the host and its name are sent in clear in the query string of the URL:įor KeyBase variants C2 beaconing activity, filename and query string format are fixed. Once it runs on an infected host, the malware sends a notification to its C2 server. Although it is quite unsophisticated, KeyBase remains a threat that spreads through phishing campaigns mainly targeting high tech, higher education and retail industry. According to Palo Alto blog, the keylogger could be purchased directly from its author for $50. A couple of weeks ago, security researchers at Palo Alto blogged about a new keylogger malware family called KeyBase.
0 kommentar(er)
