KeyBase Keylogger Malware Family Exposed

In recent months, our team has been tracking a keylogger malware family named KeyBase that has been in the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.

In total, Palo Alto Networks AutoFocus threat intelligence service identified 295 unique samples over roughly 1,500 unique sessions in the past four months. Attacks have primarily targeted the high tech, higher education, and retail industries.

Malware Distribution and Targets

KeyBase was first observed in mid-February of 2015. Shortly before then, the domain ‘keybase[.]in’ was registered as the homepage and online store for the KeyBase keylogger.

Domain Name: KEYBASE.IN
Created On: 04-Feb-2015 08:27:44 UTC
Last Updated On: 05-Apr-2015 19:20:38 UTC
Expiration Date: 04-Feb-2016 08:27:44 UTC

This activity is in line with an initial posting by a user with the handle ‘Support™’ announcing KeyBase on the hackforums.net forum on February 7, 2015. The forum post touts the following features:

  • Advanced Keylogger
  • Fully undetected scan-time and run-time (Later removed)
  • User-friendly web-panel
  • Unicode support
  • Password recovery

Figure 1. KeyBase posting on hackforums.net

Since February 2015, approximately 1,500 sessions carrying KeyBase have been captured by WildFire, as we can see below:

Figure 2. KeyBase timeline in AutoFocus

We can also quickly determine targeted industries using AutoFocus:

Figure 3. Targeted industries in AutoFocus

The targeted companies span the globe and are located in many countries.

Figure 4. Targeted countries in AutoFocus

This malware is primarily delivered via phishing emails using common lures. Some examples of attachment filenames can be seen below:

  • Purchase Order.exe
  • New Order.exe
  • Document 27895.scr
  • Payment document.exe
  • PO #7478.exe
  • Overdue Invoices.exe

One such example of an email delivering KeyBase can be seen below.

Figure 5. KeyBase phishing email

Overall, Unit 42 has seen a large number of separate campaigns using KeyBase. As the software can be purchased by anyone, this comes as no surprise. As the following diagram shows, around 50 different command and control (C2) servers have been identified, with as many as 50 unique samples connecting to a single C2.

Figure 6. KeyBase campaign diagram

Malware Overview

KeyBase is written in C# on the .NET Framework, which allowed us to decompile the underlying code and identify key functionality and characteristics of the keylogger.

Figure 7. KeyBase logo

Functionality in KeyBase includes the following:

  • Display a website on startup
  • Screenshots
  • Download/Execute
  • Persistence
  • Kill Timer

When the malware is initially executed, a series of threads are spawned.

Figure 8. KeyBase main function

The functions spawned in these threads may be inert, depending on the options the attacker selected in the builder. When a feature is not enabled, the corresponding function looks similar to the following:

Figure 9. Inert functions in KeyBase

Figure 10. KeyBase builder

The author uses a number of simple obfuscation techniques on various strings in the code. Examples include inserting single characters into strings that are later stripped with a replace operation, and storing strings reversed so they must be reversed again before use.

Figure 11. String obfuscation using replace

Figure 12. String obfuscation using reverse

Additionally, the author makes use of an ‘Encryption’ class. This class is used to decrypt a number of strings found within the code.

Figure 13. KeyBase Encryption class

References to this decompiled code were discovered in an old posting on hackforums.net, where the user ‘Ethereal’ provided sample code.

Figure 14. Encryption code posting on hackforums.net

The ‘DecryptText’ function is used by the author when he/she dynamically resolves a number of Microsoft Windows APIs, so that the API names do not appear in the clear.

Figure 15. Obfuscated API functions in KeyBase

The following Python code can be used to decrypt these strings.

Persistence

Persistence in KeyBase, when enabled, is achieved using one of two techniques: copying the malware to the Startup folder, or adding a value under the Run registry key so that it launches at logon. When KeyBase copies itself to the Startup folder, it names itself ‘Important.exe’. This name is statically set by the author and cannot be changed by the operator in the current version. The value name written under the following Run key is set by the operator at build time and is always a 32 byte hexadecimal value.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run [32 byte key] : [Path to Executable]
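Both persistence artifacts described above are easy to check for on a host. The following is an added example written for this page, not code from the article or from KeyBase: it flags Run values whose name is a bare hexadecimal string and Startup-folder files named Important.exe. The Run entries and Startup listing it scans are constructed sample data; because the article only says the value name is a "32 byte hexadecimal value", the pattern matches both 32- and 64-character hex names, which is an assumption. The optional `read_run_entries_windows` helper reads the live key on a Windows host.

```python
import re

# Constructed sample data for this example (not from a real KeyBase sample).
# Run entries are (value name, value data) pairs as they would be read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("3f0c2b9a8e1d4c7b6a5f9e8d7c6b5a4f", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("Steam", r"C:\Program Files (x86)\Steam\steam.exe -silent"),
]
# Directory listing of the user's Startup folder, also constructed.
SAMPLE_STARTUP_LISTING = ["desktop.ini", "Important.exe", "Send to OneNote.lnk"]

# The article describes the Run value name as a "32 byte hexadecimal value".
# That could mean 32 or 64 hex characters, so both lengths are matched here
# (an assumption made for this example).
HEX_NAME_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})$")
# Filename KeyBase uses when copying itself to the Startup folder (from the article).
STARTUP_NAME = "important.exe"


def suspicious_run_entries(entries):
    """Return Run entries whose value name is a bare 32- or 64-character hex string."""
    return [(name, data) for name, data in entries if HEX_NAME_RE.match(name)]


def suspicious_startup_files(listing):
    """Return Startup-folder entries named Important.exe (case-insensitive)."""
    return [name for name in listing if name.lower() == STARTUP_NAME]


def scan(entries, listing):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"Run value '{name}' -> {data}" for name, data in suspicious_run_entries(entries)]
    findings += [f"Startup folder file '{name}'" for name in suspicious_startup_files(listing)]
    return findings


def read_run_entries_windows():
    """Read the live HKCU Run key. Works only on Windows, where winreg exists."""
    import winreg  # imported lazily so the module still loads on other platforms
    entries = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN_ENTRIES, SAMPLE_STARTUP_LISTING):
        print("[!]", finding)
```

A bare hex value name is unusual for legitimate software, so the Run-key check has a low false-positive rate on its own; the Startup-folder check is the stronger indicator because the name is hardcoded in this version of the malware.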

Keylogging

Keylogging in KeyBase is implemented in a separate class appropriately named ‘KeyHook’. Although the class shares a name with a publicly available GitHub repository, it appears to be custom written. It nonetheless relies on a very common technique: calling the Windows SetWindowsHookExA API to install a keyboard hook on the victim’s machine.

Figure 16. Hooking keyboard via SetWindowsHookExA

The author proceeds to handle appropriate keyboard events as expected.

Figure 17. Handling keyboard events

The class can also handle Unicode characters and retrieve the title of the foreground window. This allows the malware to record not only which keys are pressed, but which application those key presses are sent to.

Command and Control (C2)

All communication with the remote server takes place over HTTP, and the data is not encrypted or obfuscated in any way. Upon initial execution, KeyBase performs a check-in to the remote server, as seen below.

Figure 18. Initial KeyBase notification HTTP GET request

Several HTTP headers that a normal client would send are absent from the request, which provides a simple way to flag the activity as malicious. Detection is also straightforward using the hardcoded GET variable names in the request: while the victim machine name and the current time vary, the remainder of the request is static.

KeyBase may also send the following data back to its C2 server:

  • Keystrokes
  • Clipboard
  • Screenshots

Examples of this data can be seen below.

Figure 19. KeyBase uploading clipboard data

Figure 20. KeyBase uploading keystroke data

During this communication with its C2 server, KeyBase includes the raw clipboard and keystroke log data in various GET parameters. The data is URI-encoded but otherwise sent in the clear.

Finally, KeyBase uses a specific URI to upload screenshots. The path ‘/image/upload.php’ is hardcoded in the malware, and all images sent to the C2 server are stored under the ‘/image/Images/’ path. Uploaded data is once again sent unencrypted, as seen below.
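The two detection angles described above, the missing client headers on the check-in and the hardcoded screenshot upload path, can be turned into a small classifier. The following is an added example written for this page, not the article's code or KeyBase's: it parses raw HTTP requests and reports why each looks like KeyBase traffic. The sample requests are constructed; the check-in path and query parameter names in them are placeholders, not the real KeyBase ones, and since the article does not list which headers KeyBase omits, the set of expected headers is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Headers that practically every legitimate HTTP client sends. The article says
# KeyBase omits "a number of" headers without naming them, so this set is an
# assumption made for the example.
EXPECTED_HEADERS = {"user-agent", "accept"}
# Screenshot upload path hardcoded in KeyBase (from the article).
UPLOAD_PATH = "/image/upload.php"

# Constructed sample requests. The check-in path and the query parameter names
# are placeholders, not the real KeyBase ones.
SAMPLE_REQUESTS = [
    "GET /checkin.php?machine=WIN-TEST&time=2015-06-04+10%3A22%3A01 HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n",
    "POST /image/upload.php HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Type: multipart/form-data; boundary=----KB\r\n"
    "Content-Length: 0\r\n"
    "\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "\r\n",
]


def parse_request(raw):
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "headers": headers,
    }


def classify(req):
    """Return the reasons a parsed request looks like KeyBase C2 traffic."""
    reasons = []
    missing = sorted(EXPECTED_HEADERS - set(req["headers"]))
    if missing:
        reasons.append("missing headers: " + ", ".join(missing))
    if req["method"] == "POST" and req["path"].endswith(UPLOAD_PATH):
        reasons.append("screenshot upload to hardcoded path " + UPLOAD_PATH)
    return reasons


def find_suspicious(raw_requests):
    """Run the classifier over a batch of raw requests, keeping only the hits."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = classify(req)
        if reasons:
            hits.append((req["method"], req["path"], reasons))
    return hits


if __name__ == "__main__":
    for method, path, reasons in find_suspicious(SAMPLE_REQUESTS):
        print(f"[!] {method} {path}: {'; '.join(reasons)}")
```

On real traffic the header check alone will also catch other minimal HTTP clients, so it is best paired with the static parts of the check-in request that the article points out; the upload-path check is specific to this family.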

Figure 21. KeyBase uploading screenshot image

Web Panel

The web panel itself does not provide any innovative characteristics. It uses a simple red/grey color scheme as seen below.

Figure 22. KeyBase web panel

The panel allows the attacker to quickly view infected machines, keystrokes, screenshots, clipboard data and password data. The author does not make use of pagination, which results in poor performance when a large amount of data is displayed.

Interesting Discoveries

During the course of our research, Unit 42 discovered that no authentication was required to view the ‘/image/Images/’ path. One C2 server in particular stood out because the operator appeared to be testing KeyBase on his/her own machine. As a result, screenshots of that machine were uploaded to the server and could be viewed by the general public. In the screenshot below, we can clearly see the ‘KeyBase v1.0’ folder, which almost certainly contains the KeyBase installation. On the operator’s desktop we can also see a number of other keyloggers, such as ‘HawkEye Keylogger’ and ‘Knight Logger’, as well as a popular crypter named ‘AegisCrypter’. Finally, the operator evidently engages in piracy, as copies of both ‘The Hobbit’ and ‘Fury’ appear on the desktop.

Figure 23. KeyBase operator desktop screenshot

Further examination of the uploaded images shows the operator logging into a Windows Web Server 2008 R2 instance via Remote Desktop. This appears to be where the attacker launches spam campaigns, using an instance of ‘Turbo-Mailer 2.7.10’. At this particular moment, it appears the operator had forgotten his/her username and password.

Figure 24. KeyBase operator sending phishing emails

Further examination of the uploaded screenshots shows the operator logging into his/her Facebook account. The user appears to be named ‘China Onyeali’ and is observed discussing some of his/her latest endeavors. Specifically, we see a link to a .rar file hosted on rghost[.]net containing the following file. We also see the operator discussing the HawkEye keylogger in another chat window. The operator’s Facebook page claims that he/she lives in Mbieri, Nigeria. We previously reported on Nigerian actors using off-the-shelf tools to attack businesses in our 419 Evolution report last July. This user has been reported to the Facebook security team.

Figure 25. KeyBase operator logged into Facebook

Further Interesting Discoveries

Other interesting discoveries were made while researching the backend C2 code. In particular, we examined the upload.php file, which handles file uploads to the server. As we can see, there is no validation of the types of files uploaded to the remote server.

Figure 26. KeyBase screenshot upload PHP script

This poses a security issue, as a third party can simply upload a PHP script to the ‘/image/Images/’ directory and have the server execute it, gaining unauthorized access. The following PHP code can be used to read the KeyBase ‘config.php’ script, which contains the username and password for the web panel.

Additionally, the following Python code can be used to upload this file and read the results.
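To make the flaw concrete, here is the upload handler's decision modelled in Python beside a hardened version. This is an added example written for this page; it is not the article's upload.php, nor the PHP or Python code the article refers to, and the magic-byte table and the three sample uploads are constructed for the example. The vulnerable variant stores whatever name the client sent, so a .php body lands in a directory the web server will execute from; the hardened variant allow-lists extensions, checks the body actually starts like that image type, and chooses the on-disk name itself.

```python
import os
import secrets

# Leading bytes of the image types a screenshot endpoint legitimately receives.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample uploads: (client-supplied file name, body bytes).
REAL_SCREENSHOT = ("screen.png", MAGIC["png"] + b"\x00" * 32)
WEBSHELL = ("read.php", b"<?php echo file_get_contents('config.php'); ?>")
DISGUISED = ("screen.png", b"<?php phpinfo(); ?>")  # right extension, wrong content


def vulnerable_store_name(client_name, body):
    """The behaviour the article describes: the client-supplied name is used as-is."""
    return client_name


def hardened_store_name(client_name, body):
    """Allow-list the extension, check the body matches it, and pick our own name."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in MAGIC:
        raise ValueError(f"extension not allowed: {client_name!r}")
    if not body.startswith(MAGIC[ext]):
        raise ValueError(f"body does not look like a .{ext} file")
    # Server-chosen random name: the client never controls what lands on disk.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name, body):
    """True if the hardened handler would store this upload."""
    try:
        hardened_store_name(client_name, body)
        return True
    except ValueError:
        return False


def executes_as_php(stored_name):
    """True if a PHP-enabled web root would run this file instead of serving it."""
    return stored_name.lower().endswith(".php")


def save(upload_dir, stored_name, body):
    """Write the body under upload_dir, using only the basename of stored_name."""
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, os.path.basename(stored_name))
    with open(path, "wb") as fh:
        fh.write(body)
    return path


if __name__ == "__main__":
    for name, body in (REAL_SCREENSHOT, WEBSHELL, DISGUISED):
        stored = vulnerable_store_name(name, body)
        print(f"{name!r}: vulnerable stores {stored!r} (executes as PHP: "
              f"{executes_as_php(stored)}), hardened accepts: {is_accepted(name, body)}")
```

The content check matters as much as the extension check: a body of PHP named screen.png is rejected too, which is the case a pure extension filter misses. Independently of the handler, the upload directory should be configured so the web server never executes scripts from it, which removes the impact even when validation fails.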

Conclusion

Overall, this KeyBase malware is quite unsophisticated. It lacks a number of features available in some of the more popular malware families, and the C2 web panel contains security vulnerabilities that could allow a third party to gain unauthorized access. The builder for KeyBase provides an easy-to-use, user-friendly interface; however, a number of options are hardcoded into the malware itself. Some examples include the filename KeyBase uses when it is copied to maintain persistence, and various URI paths it uses during the command and control phase.

While this malware has some issues with sophistication, Unit 42 has observed a significant and continued rise in usage by attackers, generally targeting the high tech, higher education, and retail industries. Palo Alto Networks customers are protected via WildFire, which is able to detect KeyBase as malicious. Readers may also use the indicators provided to deploy protections.

For a list of sample hashes and their associated domains and IP addresses, please see the following link.

Unit42

[Palo Alto Networks Blog]

Helping SMEs Thwart Cybercrime

The common perception among many in small and medium-sized enterprises (SMEs) is that cybercrime takes place only at large, multinational enterprises. Nothing could be further from the truth.

In fact, cybercriminals are aware of that perception and know that SMEs are easier targets. According to two new ISACA guides, Cybersecurity Guidance for Small and Medium-sized Enterprises and Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises, another negative factor has been the cost and historically poor performance of cybersecurity programs.

These new guides are designed to help the typical SME achieve reasonable security at an affordable cost. They also help SMEs prepare for, and manage, typical cybersecurity issues, risks and threats.

Think of your cybersecurity strategy as the same one you would use to protect a private property. If the target is visibly protected and likely to offer resistance, most would-be attackers are likely to move on to the more vulnerable target.

Of course, no business enterprise can predict tomorrow’s cyber threat or attack—only the likelihood that they are lurking for the most vulnerable. However, even SMEs with limited resources can strengthen the enterprise from attacks if they adopt a sensible strategy.

Cybersecurity is a process, not an end result. SMEs need to continually improve their security programs to keep pace with technology and new risks and threats.

Cybersecurity Guidance for Small and Medium-sized Enterprises incorporates elements of continuous improvement toward increased sophistication. Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises is a companion publication to this Cybersecurity Guidance and is available to users of the guidance. It provides practical advice on how to implement cybersecurity governance, risk management, assurance and compliance using the Cybersecurity Guidance for SMEs and its COBIT 5 foundation.

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP
Director of information security and IT assurance at BRM Holdich

[ISACA]

An Innovative Approach to Identity Management Seen

In the future, more keys may be the answer to protecting your personal data. We need to separate a person’s persona from their online profile information. What is needed is a second key, a data key, to ensure the privacy and control of your online data. Banking online, LinkedIn and Facebook would all require this data key.

The US federal initiatives on stronger identities—the National Strategy for Trusted Identities in Cyberspace (NSTIC)—are helping individuals and organizations to develop secure and easy-to-use identity credentials to access online services in a manner that supports an innovative approach in protecting information and greater privacy. I support the notion of a federated identity that has been evolving from the idea of a user-centric “identity ecosystem.” The mechanism to create a method to obtain and authenticate digital identities is necessary to create an online environment where there is a trust between individuals and organizations.

Biometrics
Biometrics will probably play a part and that will certainly have a privacy impact. Part of it will be a demographic issue with those over age 65 having nothing to hide and those younger not necessarily caring that much and having little concern about accountability. It is the middle group, those between late 20s and 60 who view their privacy as valuable. Mobile applications are another area of concern. You have to allow cookies to have your applications work, even for banking. The user agreement terms and conditions on a mobile device throw your privacy out of the window. Most people, such as Tweeners, are more interested in convenience than their security, so it will take something catastrophic to move their needle from convenience to security. People want information at their convenience, but advertisers want to inundate them with a continuous stream of advertising. The consumer should be allowed to turn off that information stream. Privacy will be the key in the long term.

Internet Service Providers (ISP)
One area of improvement that could be made is in making ISPs accountable for bad actors in their environment. ISPs should be given a freer hand in regulating people using their networks. There needs to be more accountability. If you are an Internet offender, there should be a three-strike rule that is adjudicated by a board to take access away from repeat offenders.

Quality of Software
The market should regulate software quality, but it does not seem to be working. Competition is also an issue. Where you have a few dominant players such as Microsoft and Oracle—how can you compete when they have so much of the market share? There has to be a balance between quality and security just as there has to be a balance between security and convenience.

How to Build a Solid Organizational Staff
When building a staff, I recommend hiring well-rounded individuals. I have had better success getting people who are organizationally focused rather than taking security people and indoctrinating them into the business of the organization. I always begin my search within the company, someone who knows what is important to the organization. The key is that the person knows what the value of the data is to the organization. I prefer to find professionals who invest in themselves on their own dime, paid their way to a technology show so that they understand where the technology fits within the organization in the next five to 10 years—that is part of growing your workforce.

Changing Role for the CISO
I see the role of the chief information security officer (CISO) changing to that of a chief privacy officer or a chief digital officer. There is always contention between meeting the needs of the masses rather than the outliers, but you first have to address the masses’ needs before the outliers. Still, outliers cannot be ignored; otherwise they will be your problem. CISOs have to be broad-based and business and technology focused. They have a difficult position because they have to become all things to all people.

Education is the key to the future. Our society wants instant gratification and the security professional has to find a way to balance security, privacy and convenience.

Chuck McGann
Chief Cyber Strategist, CRGT

[ISACA]

CISSP: A Global Force at 100,000 Strong

Whenever we look toward the future, we have to first look back and think about where we came from. Back in 1989, (ISC)² was established by a handful of passionate volunteers who wanted to create a set of standards for a newer concept, not yet a full-fledged career field, called information security. In the minds of these volunteers, having the initial 500 applicants sign up to take the Certified Information Systems Security Professional (CISSP®) was considered quite a success. Little did they imagine that 26 years later, not only would those 500 applicants grow to a cadre of 100,000 CISSP credential holders across more than 160 countries, but the CISSP would also become recognized as the standard certification for the information security industry.

(ISC)² was honored to be named ‘Best Professional Certification Program’ for the CISSP by SC Magazine US for the second year in a row, marking our fourth total SC Magazine Award for CISSP. And we’ve been named a finalist for the first ‘Best Professional Training or Certification Programme’ SC Magazine Award UK for CISSP. Those results are to be announced June 2.

As an organization, we certainly aren’t resting on our laurels, satisfied that the CISSP has “arrived.” We continue to actively maintain and enhance the credential, while also focusing on developing and raising awareness for our other credentials. A perfect example of this commitment occurred last month when we refreshed the domains of the SSCP and CISSP to ensure that the examinations and subsequent continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s practicing information security professionals. We have an obligation to the (ISC)² membership and the industry to maintain the relevancy of our credentials.

Refreshed technical content has also been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today. Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains. The result is an exam that most accurately reflects the technical and managerial competence required from an experienced information security professional to effectively design, engineer, implement and manage an organization’s information security program within an ever-changing security landscape.

While we recognize this milestone achievement of 100,000 certified members and look toward the future of the CISSP within the industry, we also need to take into account that (ISC)² has an entire suite of credentials that encompass a holistic, programmatic approach to information security. The CISSP has a 25+ year history and is our most recognized credential; however, it is not necessarily the most appropriate certification for every security professional. (ISC)² has a portfolio of credentials appropriate for the entire security team comprised of information security professionals, software security professionals, IT practitioners, authorization professionals and those specializing in healthcare, forensics and cloud security. For those just starting in the field, we also offer an Associate of (ISC)² program.

As executive director, I’m committed to advancing our vision to inspire a safe and secure cyber world. Hopefully that vision is getting closer to becoming reality with our global force of 100,000 CISSPs and growing. I thank all of the current CISSPs for the great work they’re doing and wish the best of luck to aspiring CISSPs. Keep fighting the good fight.

David Shearer, CISSP, PMP, Executive Director, (ISC)²

[(ISC)² Blog]

Palo Alto Networks Acquires CirroSecure

I’m excited to announce the acquisition of CirroSecure and with it the expansion of our platform’s ability to safely enable the applications that form the backbone of today’s businesses.

Increasingly organizations are turning to SaaS applications such as Box, Dropbox, or salesforce.com that are highly collaborative in nature, yet often store some of an organization’s most sensitive data.  Securing these sanctioned applications requires a new level of visibility and control that, up to this point, hasn’t existed within the industry.  Ultimately organizations must have the ability to peer deep into the application, tracking usage at a granular enough level to allow for more effective control.  This control must allow for better management of access privileges and data sharing, from both corporate and personal devices. 

The addition of the CirroSecure technology to the Palo Alto Networks Enterprise Security Platform provides organizations with this necessary functionality by extending visibility down to the individual file, folder and user that’s operating within the SaaS application.  The CirroSecure technology then applies deep analytics into the day-to-day usage in order to quickly determine if there are any DLP or compliance-related policy violations.  Then, through use of granular context-aware policies, violations can trigger an immediate response such as the quarantine of a user or data.  This complete visibility, coupled with granular policy controls, moves organizations from a position of speculation to one of knowing exactly what’s happening to its sensitive SaaS application data at any given point in time, while automatically responding to contain or eliminate risks.

This innovative technology will be available the second half of 2015 via a new Palo Alto Networks service.  Over the course of the next few months we’ll share more detail with regards to future strategy, product features, and demonstrations.  If you’d like these periodic updates, make sure to visit our announcement page at go.paloaltonetworks.com/saassecurity and sign up for automated updates.

Scott Gainey

[Palo Alto Networks Blog]
