ahsonbol

Detecting KeyBase keylogger variants using Security Analytics

Blog Post created by ahsonbol on Jun 25, 2015

A couple of weeks ago, security researchers at Palo Alto blogged about a new keylogger malware family called KeyBase. According to Palo Alto blog, the keylogger could be purchased directly from its author for $50. Although it is quite unsophisticated, KeyBase remains a threat that spreads through phishing campaigns mainly targeting high tech, higher education and retail industry.


Once it runs on an infected host, the malware sends a notification to its C2 server. Time on the host and its name are sent in clear in the query string of the URL:


115465


For KeyBase variants C2 beaconing activity, filename and query string format are fixed. However, directory names vary from one server to another:

 

115466


Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. The following query can be used:

          filename = 'post.php' && query begins 'type=' && client !exists


Scan results for a couple of KeyBase variants can be found on VirusTotal:

     SHA1: 6569a933f82c9ff8c06c2cfc70da0efd92d78a95
     SHA1:
ef0d13645fab775a21f00ffff5b587955884498c


Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.

Outcomes