After the source code leak, the number of KeyBase keylogger samples grew by an order of magnitude
by Maria Nefedova
KeyBase was created in February 2015, but the first attacks using this malware were recorded in June 2015. At almost the same time, researchers from Palo Alto Networks found an unprotected server (the keylogger's control panel) to which KeyBase uploaded the screenshots it took.
When the author of the malware was caught red-handed, he promised to stop developing it. He took down the site where KeyBase was sold at $50 per copy and abandoned the project.
By then, Palo Alto Networks experts had registered 295 unique KeyBase samples and more than 1,500 connections that different versions of KeyBase used to send data to their control panels.
Shortly thereafter, the KeyBase source code leaked onto the Web (most likely, the author published it himself) and quickly spread through underground resources. Now, 8 months later, the experts have published updated statistics on KeyBase distribution, and they look quite discouraging.
To date, more than 44,200 sessions carrying KeyBase have been identified, originating from more than 4,900 distinct samples of the malware. Judging by the hundreds of variants already developed, the criminal community has taken to this simple and effective keylogger.
While access to the KeyBase web panel requires authentication, the part of the panel that stores screenshots from infected computers is not locked down properly. Because of this, even eight months later the researchers were able to write a simple script that searches for live KeyBase admin panels. The script identified 62 domains hosting 82 control panels. In total, the cybercriminals' servers store 125,083 screenshots from 933 infected Windows systems. Of the infected devices, 216 are workstations in corporate networks, 75 are personal computers and 134 are both. Also, 43 of the 933 infected machines have more than one user.
Analysis of the screenshots on the cybercriminals' servers also helped the researchers learn which countries were affected by KeyBase attacks. Infections are most common in India, China, South Korea and the United Arab Emirates. The screenshots taken by the malware show a wide variety of information: bank accounts and banking sites, assorted blueprints, video camera feeds, mailbox contents, social network accounts, financial records, and more.
In summer 2015 the author of the original KeyBase installed it on his own computer to run tests, but did not delete the screenshots the malware had taken from the remote server, so those images were found by the Palo Alto Networks researchers. Other hackers make the same mistake. Among the hundreds of thousands of images are some taken from computers belonging to 16 hackers. While some of them are merely curious script kiddies, others look like professionals who are likely to attack serious targets.