Detecting KeyBase keylogger variants using Security Analytics

Blog Post created by ahsonbol on Jun 25, 2015

A couple of weeks ago, security researchers at Palo Alto blogged about a new keylogger malware family called KeyBase. According to Palo Alto blog, the keylogger could be purchased directly from its author for $50. Although it is quite unsophisticated, KeyBase remains a threat that spreads through phishing campaigns mainly targeting high tech, higher education and retail industry.

Once it runs on an infected host, the malware sends a notification to its C2 server. Time on the host and its name are sent in clear in the query string of the URL:


For KeyBase variants C2 beaconing activity, filename and query string format are fixed. However, directory names vary from one server to another:



Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. The following query can be used:

          filename = 'post.php' && query begins 'type=' && client !exists

Scan results for a couple of KeyBase variants can be found on VirusTotal:

     SHA1: 6569a933f82c9ff8c06c2cfc70da0efd92d78a95

Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.