
In deleted keybase app chat images
In recent months, our team has been tracking a keylogger malware family named KeyBase that has been in the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails. In total, the Palo Alto Networks AutoFocus threat intelligence service identified 295 unique samples over roughly 1,500 unique sessions in the past four months. Attacks have primarily targeted the high tech, higher education, and retail industries.

KeyBase was first observed in mid-February of 2015. Shortly before then, the domain ‘keybasein’ was registered as a homepage and online store for the KeyBase keylogger. This activity is in line with an initial posting made by a user with the handle ‘Support™’ announcing KeyBase on the forum on February 7, 2015. In the forum post, the malware touts the following features:

- Fully undetected scan-time and run-time (Later removed)

Figure 1.

Since February 2015, approximately 1,500 sessions carrying KeyBase have been captured by WildFire, as we can see below:

Figure 3.

We can also quickly determine targeted industries using AutoFocus:

Figure 4.

The targeted companies span the globe and are located in many countries. This malware is primarily delivered via phishing emails using common lures. Some examples of attachment filenames can be seen below: One such example of an email delivering KeyBase can be seen below. Overall, Unit 42 has seen a large number of separate campaigns using KeyBase. As the software can be easily purchased by anyone, this comes as no surprise.

As we can see in the following diagram, around 50 different command and control (C2) servers have been identified, with as many as 50 unique samples connecting to a single C2. KeyBase itself is written in C# using the. These facts allowed us to decompile the underlying code and identify key functionality and characteristics of the keylogger. Functionality in KeyBase includes the following:

When the malware is initially executed, a series of threads are spawned. The various functions spawned in new threads may be inert based on options specified by the attacker during the build. Should a feature not be enabled, a function looks similar to the following:

The author makes use of a number of simple obfuscation techniques on various strings used within the code. Examples of this include replacing single characters that have been added to strings, as well as performing reverse operations on strings.

Figure 11. String obfuscation using replace

Figure 12. String obfuscation using reverse

Additionally, the author makes use of an ‘Encryption’ class. This class is used to decrypt a number of strings found within the code. References to this decompiled code were discovered in an old posting on, where the user ‘Ethereal’ provided sample code.

Figure 14.