Most of the keyloggers we see today support multiple submission methods for stolen data these are usually email, FTP and web upload. In most cases the screenshot feature is turned off, which is probably to save disk space on the server side – KeyBase can easily create thousands of screenshots, which consume several gigabytes of disk space.Īs shown in Figure 6, the uploading of clipboard content is configurable, and a self-destruct date can even be specified for time-limited operations (see Figure 7).įigure 7: A self-destruction date can be specified for time‑limited operations. It is even possible, using the InstaLogging feature, to specify which applications trigger the screenshot (see Figure 5).įigure 5: The InstaLogging feature specifies which applications trigger the screenshot. Screenshots are taken periodically and uploaded to the server. Figure 4 shows the version information of the embedded utilities.įigure 4: Version information of the embedded utilities. In this example the email stealer is stored as a resource called 'Recovermail'.
The Nirsoft utilities are stored in encrypted form (using the AES algorithm) and extracted and executed on the fly when needed, as shown in Figure 3.įigure 3: The Nirsoft utilities are stored in encrypted form and extracted and executed on the fly. This functionality is outsourced using the MailPassView and WebBrowserPassView utilities from Nirsoft – as in most other contemporary credential stealers (e.g.
KEYBASE KEYLOGGER PASSWORD
Password stealing is not an original development in the product. Passwords are stolen from a long list of applications which include the most popular web browsers and email clients.įigure 2: Passwords are stolen from a long list of applications. Aside from stealing credentials from all popular web browsers and email clients, KeyBase is also capable of storing keystrokes and clipboard content, and screenshots can also be created with it. KeyBase is more than just a simple keylogger, it is a complete credential stealing suite.
KEYBASE KEYLOGGER ARCHIVE
The Wayback Machine web archive stores earlier versions of the site, which give us some hints about the capabilities of the tool. Even now (at the time of writing: June 2016) we are seeing new instances being distributed. This move hasn't stopped the criminals from using the keylogger in their campaigns though.
However, the project has been shut down due to its increased use by criminals.įigure 1: The project has been shut down. The original homepage of the product was (note that, despite the fact that the URL differs only by one character, it is not related in any way to the popular public key store keybase.io).
it is sold for money, which does not necessarily means that it is legitimate). Additionally, we will look at an example of when this trojan was used. In this paper we provide an overview of KeyBase, both the keylogger itself and the server-side management component. Its significance is being recognized, and recently Team Cymru started tracking KeyBase C&C activity. One of the incidents related to the KeyBase trojan was described in, while a very detailed and extensive listing of incidents was published in. A detailed description of these Office kits can be found in. In fact, we have seen evidence that all of the Office exploit kits (MWI, AK-1, AK-2, DL-1 and DL-2) have been used to distribute it. Well, here is my private key, the untouched output of gpg -armor -export-secret-keys filippo.io | gpg -armor -clearsign.KeyBase is a trending payload in several of today's malware groups. This usually is pointed at as a mortal sin. One thing in particular of Keybase.io attracts a lot heat recently: they support uploading your encrypted key on their servers. On Keybase.io and encrypted private key uploading
0 kommentar(er)
