![]() Defining terms & the analysis processīefore we dive into the data, it must be said that since we are analyzing images, we are making some assumptions. Attackers captured screenshots of sensitive e-mails, bank account transfers, security cameras and hotel management systems.Īttackers who (accidentally) infected their own systems revealed the tactics, tools and procedures they used to launch their attacks.Companies in the manufacturing and transportation industries see the most KeyBase infections.India, China, South Korea and the United Arab Emirates are most targeted with KeyBase, but the impact is global.This blog post will explain our findings in detail, but here is a short summary of what you’ll see if you read through to the end. These images give us a glimpse into what attackers see when they infect systems, what information they obtain outside of the normal keystroke and clipboard logging capabilities of the malware, and how that information may be used for malicious activity. This lack of security on the miscreants’ part opens up a window to perform target analysis of the infected machines.īy leveraging the visibility within AutoFocus along with KeyBase web panels identified through information sharing groups, 64 websites have been identified hosting 82 active KeyBase web panels with a total of 933 infected Windows systems accounting for 125,083 screenshots. ![]() One interesting discovery, identified by Unit 42 malware researcher Josh Grunzweig was that while the KeyBase web panel requires authentication for access, the part of the KeyBase web panel which saves screenshots from the infected computers is not properly locked down, thus requiring no authentication and allowing anyone on the Internet to freely access it. In our initial report, we identified approximately 1,500 sessions carrying KeyBase and approximately six months later we have seen over 4,900 different samples and 44,200 sessions within Palo Alto Networks AutoFocus. What’s more, while development of KeyBase appears to have stopped, the usage of this malware has increased significantly since June. However, as of this writing, the software is still readily available for download with minimal effort on multiple websites. The author has since taken down its website and supposedly ceased selling the software, while also renouncing the tool’s use for any malicious purposes. In June 2015, Unit 42 reported on a keylogger malware family known as KeyBase, which had first appeared in February 2015. Perhaps, at the very least, they might end up cutting it after a while, similarly to how Mega.Be the first to receive the latest news, cyber threat intelligence and research from Unit 42. Somewhat unsure about their long-term sustainability though, contrary to Keybase, they do not seem to have a wealthy parent company able to fund them indefinitely. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |