KeyBase is not sophisticated but gains increased popularity

Jun 8, 2015 10:25 GMT

Security researchers tracking an unsophisticated keylogger named KeyBase managed to catch a glimpse of a crook testing it, by accessing images captured from the crook's own machine that the malware had uploaded to an improperly secured command and control (C&C) server.

KeyBase was released in early February, and malware analysts from Palo Alto Networks’ Unit 42 have been tracking it since, tracing its presence in the wild and collecting data on the victims it has claimed.

Keylogger is easy to detect

The malware can record keystrokes, content stored in the clipboard and take screenshots of the victim’s desktop; its author also advertises a user-friendly web panel, unicode support and password recovery, all for $50 / €45.

According to telemetry data, the keylogger has at least 295 unique samples and it was used to attack different companies across the world. The company says that about 1,500 sessions with KeyBase have been spotted since February, targeting entities mainly in high tech, higher education, and retail industries.

The researchers found that KeyBase communicates with the C&C server without encryption or obfuscation of any kind, and that the malware's initial request lacks some of the HTTP headers a normal client would send, which makes the malicious activity easy to detect on the network.
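The detection opportunity described above, as an added example that is not part of the original article or of Unit 42's tooling: a small Python check that parses raw HTTP request heads and flags ones missing headers an ordinary client sends. The article does not name which headers KeyBase omits, so the User-Agent/Accept choice is an assumption, and the sample requests are constructed, not real captures.

```python
# Headers an ordinary browser or HTTP library sends; a request that omits them is a
# hunting signal. ASSUMPTION: the article only says "some HTTP headers" are missing.
EXPECTED_HEADERS = ("user-agent", "accept")

# Constructed sample requests (not real captures).
BROWSER_GET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n\r\n"
)
BARE_POST = (
    "POST /upload.php HTTP/1.1\r\n"          # upload.php is the C&C upload script named in the article
    "Host: c2.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=xyz\r\n"
    "Content-Length: 12\r\n\r\n"
    "hello world!"
)


def parse_request(raw: str) -> dict:
    """Parse an HTTP/1.x request head into method, path and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def detection_reasons(raw: str) -> list[str]:
    """Return why a request looks like bare keylogger C&C traffic; empty list if clean."""
    req = parse_request(raw)
    reasons = []
    missing = [h for h in EXPECTED_HEADERS if h not in req["headers"]]
    if missing:
        reasons.append("missing headers: " + ", ".join(missing))
    # Plain-text POSTs to the upload script are the exfiltration channel the article describes.
    if req["method"] == "POST" and req["path"].endswith("/upload.php"):
        reasons.append("POST to upload.php")
    return reasons


if __name__ == "__main__":
    for name, sample in (("browser", BROWSER_GET), ("bare", BARE_POST)):
        print(name, detection_reasons(sample) or "clean")
```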

Gleaning info on the cybercrook

Unit 42 researchers found that access to the “/image/Images/” path on the C&C machine, where all pictures captured from the compromised system are stored, is not protected in any way and could be accessed freely from the web.

Peeking inside, the researchers discovered that the keylogger operator tested the tool, as pictures from his/her desktop were present.

“While viewing the operator’s desktop, we can also see a number of other keyloggers, such as ‘HawkEye Keylogger’ and ‘Knight Logger’. Also of note is a popular crypter named ‘AegisCrypter’. Finally, we can also see that the user engages in piracy, as copies of both ‘The Hobbit’ and ‘Fury’ appear on the desktop as well,” say the researchers.

Based on a screenshot that captured communication via Facebook on a profile called “China Onyeali,” the crook is from Mbieri, Nigeria. The associated social network account has been reported to Facebook, but two profiles that appear to be connected are still active at the moment.

The examination of the images on the server revealed that the crook relies on Turbo-Mailer 2.7.10 to launch email campaigns distributing malware. The messages appear to be sent from a Windows Web Server 2008 R2 instance, to which the crook connected via remote desktop.

Poorly developed KeyBase registers increased usage

After taking a look at the code powering the C&C server, the researchers noticed that the “upload.php” file used for uploading data to the machine does not validate the items it receives; the bug can be exploited to take full control of the server.

Other weaknesses in KeyBase, such as the simple obfuscation applied to strings in the code and the transmission of data in plain text, have also been noted by the researchers.

However, despite its faults, the information collected by the security company shows that the keylogger is increasingly used in attacks, especially since the beginning of May.

The malware reaches its victims via phishing emails claiming to deliver a financial document like an invoice of some sort.

KeyBase captures from crook's desktop (5 images):

- Screenshot of crook's desktop while testing KeyBase
- Facebook account of KeyBase operator
- Crook tries to send phishing emails from remote Windows Web Server 2008 R2