KeyBase is a trending payload in several of today's malware groups. In fact, we have seen evidence that all of the Office exploit kits (MWI, AK-1, AK-2, DL-1 and DL-2) have been used to distribute it. A detailed description of these Office kits can be found in. One of the incidents related to the KeyBase trojan was described in, while a very detailed and extensive listing of incidents was published in. Its significance is being recognized, and recently Team Cymru started tracking KeyBase C&C activity.

In this paper we provide an overview of KeyBase, both the keylogger itself and the server-side management component. Additionally, we will look at an example of when this trojan was used.

it is sold for money, which does not necessarily mean that it is legitimate). The original homepage of the product was (note that, despite the fact that the URL differs only by one character, it is not related in any way to the popular public key store keybase.io). However, the project has been shut down due to its increased use by criminals.

Figure 1: The project has been shut down.

This move hasn't stopped the criminals from using the keylogger in their campaigns, though. Even now (at the time of writing: June 2016) we are seeing new instances being distributed. The Wayback Machine web archive stores earlier versions of the site, which give us some hints about the capabilities of the tool.

KeyBase is more than just a simple keylogger: it is a complete credential-stealing suite. Aside from stealing credentials from all popular web browsers and email clients, KeyBase is also capable of recording keystrokes and clipboard content, and of taking screenshots. Passwords are stolen from a long list of applications, which includes the most popular web browsers and email clients.

Figure 2: Passwords are stolen from a long list of applications.

Password stealing is not an original development in the product. This functionality is outsourced to the MailPassView and WebBrowserPassView utilities from Nirsoft, as in most other contemporary credential stealers (e.g.

The Nirsoft utilities are stored in encrypted form (using the AES algorithm) and extracted and executed on the fly when needed, as shown in Figure 3.

Figure 3: The Nirsoft utilities are stored in encrypted form and extracted and executed on the fly.

In this example the email stealer is stored as a resource called 'Recovermail'. Figure 4 shows the version information of the embedded utilities.

Figure 4: Version information of the embedded utilities.

Screenshots are taken periodically and uploaded to the server.
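Because the Nirsoft tools only exist in the clear once KeyBase has decrypted and run them, the practical way to confirm which utilities a sample embeds (the kind of version information Figure 4 shows) is to carve them out of a memory dump of the running stealer rather than out of the encrypted resource. The following is an added example written for this page, not code from the paper or from KeyBase: it carves MZ/PE images from a blob and reads the common VERSIONINFO strings, flagging images whose CompanyName is Nirsoft. The "dump" it runs on is constructed inline from fake header skeletons and UTF-16LE strings; the field names are the standard VERSIONINFO keys, and the slice boundaries (one image runs until the next MZ header) are a simplifying assumption.

```python
"""Carve decrypted PE images out of a memory dump and report their VERSIONINFO strings.

Added example, not code from the paper: a triage helper for confirming which
password-recovery utilities a stealer has unpacked at runtime. All sample data
below is constructed; no real Nirsoft binary is included.
"""
import re
import struct

VERSION_FIELDS = ("CompanyName", "ProductName", "FileDescription", "FileVersion")


def build_fake_pe(fields: dict) -> bytes:
    """Constructed stand-in for a PE image: a valid MZ/PE header skeleton followed by
    VERSIONINFO-style UTF-16LE key/value strings. Not a loadable executable."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    body = bytearray(b"PE\0\0" + b"\0" * 0x100)
    for key, value in fields.items():
        body += key.encode("utf-16-le") + b"\0\0"
        body += value.encode("utf-16-le") + b"\0\0"
    return bytes(dos + body)


def carve_pe_offsets(blob: bytes) -> list:
    """Return offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    offsets = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        sig = blob[off + e_lfanew: off + e_lfanew + 4]
        if 0x40 <= e_lfanew <= 0x1000 and sig == b"PE\0\0":
            offsets.append(off)
    return offsets


def _read_utf16z(data: bytes, start: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at an even offset."""
    end = start
    while end + 1 < len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[start:end].decode("utf-16-le", errors="replace")


def version_strings(image: bytes) -> dict:
    """Pull the common VERSIONINFO fields out of an image by locating each UTF-16LE key
    and reading the NUL-terminated value that follows it (skipping alignment padding)."""
    found = {}
    for field in VERSION_FIELDS:
        key = field.encode("utf-16-le") + b"\0\0"
        pos = image.find(key)
        while pos != -1 and pos % 2:                   # keys sit on 2-byte boundaries
            pos = image.find(key, pos + 1)
        if pos == -1:
            continue
        cursor = pos + len(key)
        while image[cursor:cursor + 2] == b"\0\0":     # skip DWORD-alignment padding
            cursor += 2
        found[field] = _read_utf16z(image, cursor)
    return found


def report(dump: bytes) -> list:
    """Carve each PE and summarise it; flag Nirsoft-built tools, which are what
    KeyBase-style stealers unpack for credential recovery. Assumes one image
    extends to the next MZ header (good enough for a linear dump)."""
    results = []
    offsets = carve_pe_offsets(dump)
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(dump)
        info = version_strings(dump[off:end])
        info["offset"] = off
        info["nirsoft"] = "nirsoft" in info.get("CompanyName", "").lower()
        results.append(info)
    return results


# Constructed dump: a stealer image followed by two unpacked utilities, with filler between.
SAMPLE_DUMP = (
    b"\x00" * 64
    + build_fake_pe({"CompanyName": "Unknown", "ProductName": "Updater"})
    + b"\xcc" * 32
    + build_fake_pe({"CompanyName": "NirSoft", "ProductName": "WebBrowserPassView",
                     "FileVersion": "1.0.0.0"})
    + b"\xcc" * 32
    + build_fake_pe({"CompanyName": "NirSoft", "ProductName": "Mail PassView"})
)

if __name__ == "__main__":
    for entry in report(SAMPLE_DUMP):
        print(entry)
```

On a real dump the carved images will be far larger and the version block is a proper VS_VERSIONINFO structure, but the UTF-16LE key/value layout this helper keys on is the same, which is why the CompanyName/ProductName strings of the embedded utilities are recoverable even when the on-disk resource is AES-encrypted.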