Research: Usage of KeyBase Keylogger Has Exploded
Palo Alto Networks researchers have found that after the builder for a simple keylogger malware was leaked online last summer, usage of the keylogger has exploded.
KeyBase is a spyware family that affects a system in the following ways:
- It captures keystrokes.
- It is written in C# using the .NET Framework.
- It steals data from the user's clipboard.
- At regular intervals, it takes screenshots of the victim's desktop.
Palo Alto researchers first came across this malware when they stumbled upon an unprotected server hosting the control panel to which KeyBase was sending its screenshots. The malware was created in February 2015, but its author stopped developing it last summer: they announced that they would not develop it further, closed the website where they sold KeyBase for $50 / €45, and abandoned the project.
According to the Palo Alto report, "At that time around 295 unique KeyBase samples and more than 1,500 different KeyBase connections sending data back to control panels." After that, the malware's builder was leaked online on many hacking forums.
New KeyBase wave infected 933 Windows computers:
Eight months later, Palo Alto reported that the hacking community had continued to develop KeyBase, after observing over 44,200 KeyBase sessions coming from over 4,900 different KeyBase instances.
Along with that, the main things the researchers discovered were:
Even though the control panel was secured, the folder that stores the uploaded images was not. This means that all the KeyBase panels available online could be found simply by putting together a simple script.
Using this simple method, the Palo Alto staff discovered the following:
- 62 Web domains where the KeyBase control panel was installed.
- 125,083 screenshots from 933 Windows computers.
- 82 different control panels.
Of all the infected computers, 216 were workstations in corporate environments, 75 were personal computers, and 134 were used for both. Among the 933 computers, 43 contained details from more than one user, meaning they were shared assets, possibly used by multiple family members or work colleagues.
Attackers targeted the manufacturing industry:
According to the researchers, the countries with the most KeyBase infections are China, South Korea, the United Arab Emirates, and India. They are also confident that most of the attacks can be narrowed down to a few campaigns.
[Figure: KeyBase geographical view]
Attackers targeted the manufacturing industry, but some other sectors also stood out: the wholesale and retail industry, the manufacturing sector, and transportation companies.
Industry sectors that were affected by KeyBase:
According to the researchers, the screenshots depict invoices, blueprints, email inboxes, financial documents, booking software, and many other images.
Careless hackers infected themselves as well:
During tests of the keylogger, the malware's creator infected himself, and his activities were recorded through screenshots sent to the web control panel; the new wave of KeyBase infections also managed to infect the computers of those spreading it.
Because KeyBase's code is available to anyone, it is a well-known and easy-to-detect threat. You can also stay safe by avoiding unsolicited or spam email, the most common method KeyBase uses to infect victims.