Ahmed Sonbol

Malspam delivers Keybase keylogger 2-11-2017

Blog Post created by Ahmed Sonbol Employee on Feb 15, 2018

Malspam activity was observed on February 11th delivering a Keybase variant. The keylogger was first reported by security researchers at Palo Alto Networks in 2015. FirstWatch previously blogged about how to detect it using RSA NetWitness.


The delivery document is crafted to exploit CVE-2017-8759 in Microsoft Office. CVE-2017-8759 is a SOAP WSDL parser code injection vulnerability. FirstWatch dug deeper into that vulnerability in a previous threat advisory.


Upon opening the RTF document with an un-patched Microsoft Word, the user is presented with an empty page:



In the background there is an HTTP request over SSL to a[.]pomfe[.]co :





Next comes the request to retrieve an HTA script from bahyt-krim[.]ru :




Then an executable ziraat_bobby.exe; a Keybase variant; is downloaded from the same domain:





Once the download is complete, the binary executes and it starts to exfiltrate data in the query strings of successive HTTP GET requests to ziraat-helpdesk[.]com:





Post infection HTTP sessions were tagged with keybase malware in NetWitness Packets:



Here is the analysis report from hybrid-analysis.com


It is worth mentioning that the delivery domain bahyt-krim[.]ru has been active over the past couple of days:



Delivery document (SHA256):

  • 4487cb74d5524d57eb0859bdda34fd9ba7f426fd0867e8826ac2e8c787052848


ziraat_bobby.exe (SHA256):

  • df48d1ef1d11b4b5bbc92f52de489935ffb9e36ff226b9ac0a7f5c899b9f1db1