This malware is primarily delivered via phishing emails using common lures. Some examples of attachment filenames can be seen below: One such example of an email delivering KeyBase can be seen below.

Overall, Unit 42 has seen a large number of separate campaigns using KeyBase. As the software can be easily purchased by anyone, this comes as no surprise. As we can see in the following diagram, around 50 different command and control (C2) servers have been identified, with as many as 50 unique samples connecting to a single C2.

Figure 6. KeyBase campaign diagram

Malware Overview

KeyBase itself is written in C# using the. These facts allowed us to decompile the underlying code and identify key functionality and characteristics of the keylogger.

Functionality in KeyBase includes the following:

When the malware is initially executed, a series of threads are spawned. The various functions spawned in new threads may be inert, depending on the options specified by the attacker during the build. Should a feature not be enabled, a function looks similar to the following:

The author makes use of a number of simple obfuscation techniques on various strings used within the code. Examples of this include stripping single characters that have been inserted into strings (via a replace operation), as well as reversing strings.

Figure 11. String obfuscation using replace
Figure 12. String obfuscation using reverse

Additionally, the author makes use of an ‘Encryption’ class. References to this decompiled code were discovered in an old posting on, where the user ‘Ethereal’ provided sample code.

Figure 14. Encryption code posting on

This class is used to decrypt a number of strings found within the code. We see the ‘DecryptText’ function used by the author when he/she dynamically loads a number of Microsoft Windows APIs.

Figure 15. Obfuscated API functions in KeyBase

The following Python code can be used to decrypt these strings.
    # dec(), key and s are defined by the rest of the script, which this copy does not preserve
    print("Decoded: %25s | Encoded: %s" % (dec(s, key), repr(s)))

Persistence in KeyBase, should it be enabled, is achieved using two techniques: copying the malware to the startup folder, or setting the Run registry key to autorun on startup. When KeyBase copies itself to the startup folder, it names itself ‘Important.exe’. This is statically set by the author and cannot be changed by the user in the current version.
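The replace and reverse string obfuscation described above can be undone with a small analyst helper. This is an added example, not code from the Unit 42 post or from the KeyBase author: the obfuscated literals, the KNOWN_NAMES list and the function names are constructed for illustration, and auto_deobfuscate() generalises the two transforms by trying every non-alphanumeric character in a literal as candidate padding.

```python
"""Undo the two string obfuscations the page describes: padding characters
inserted into a literal and stripped with replace() at runtime, and literals
stored reversed. Added example; the samples below are constructed."""

# Each entry mirrors what an analyst transcribes from decompiled C#: the stored
# literal and the chain of operations applied before use.
# Op tuples: ("replace", old, new) or ("reverse",).
CONSTRUCTED_SAMPLES = {
    "api_1": ("k%e%r%n%e%l%3%2", [("replace", "%", "")]),
    "api_2": ("sserddAcorPteG", [("reverse",)]),
    "drop":  ("e|x|e|.|t|n|a|t|r|o|p|m|I", [("replace", "|", ""), ("reverse",)]),
}

# Constructed list of plaintexts an analyst expects to recover (API names,
# the documented startup-folder file name). Used only by auto_deobfuscate().
KNOWN_NAMES = {"kernel32", "GetProcAddress", "LoadLibraryA", "Important.exe"}


def apply_op(s, op):
    """Apply one transcribed operation to a string."""
    kind = op[0]
    if kind == "replace":
        _, old, new = op
        return s.replace(old, new)
    if kind == "reverse":
        return s[::-1]
    raise ValueError("unknown op %r" % (kind,))


def deobfuscate(s, ops):
    """Apply a chain of operations in the order the decompiled code runs them."""
    for op in ops:
        s = apply_op(s, op)
    return s


def recover_strings(samples):
    """Map each sample name to its recovered plaintext."""
    return {name: deobfuscate(lit, ops) for name, (lit, ops) in samples.items()}


def auto_deobfuscate(literal, known=KNOWN_NAMES):
    """Guess the operation chain when only the literal is known.

    Tries: no padding removal, or removal of each non-alphanumeric character
    (other than '.'), each with and without a final reverse. Returns the first
    result found in `known`, with the chain that produced it, else (None, None).
    """
    seps = {c for c in literal if not c.isalnum() and c != "."}
    chains = [[]] + [[("replace", c, "")] for c in sorted(seps)]
    chains += [chain + [("reverse",)] for chain in list(chains)]
    for ops in chains:
        out = deobfuscate(literal, ops)
        if out in known:
            return out, ops
    return None, None


if __name__ == "__main__":
    for name, plain in recover_strings(CONSTRUCTED_SAMPLES).items():
        print("%-6s %s" % (name, plain))
    for lit, _ in CONSTRUCTED_SAMPLES.values():
        print("%-30r -> %r" % (lit, auto_deobfuscate(lit)))
```

The transcription approach (literal plus operation chain) is the reliable one; auto_deobfuscate() is a convenience for bulk triage and only reports a hit when the result matches a name the analyst already expects, so it cannot invent plaintext.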
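The two persistence techniques above give a defender concrete artifacts to look for: a file named Important.exe in a Startup folder, and a Run registry value pointing at the dropped copy. The following triage check is an added example, not code from the Unit 42 post. The host listings are constructed, and the Run-key heuristic (flag a value whose target is named Important.exe or lives in a Startup folder) is an assumption, since the page does not document the Run value name KeyBase uses.

```python
"""Flag the KeyBase persistence artifacts the page describes. Added example;
the file and registry listings below are constructed. collect_live() is a
best-effort Windows collector for feeding check_persistence() on a real host."""
import ntpath
import os
import sys

STARTUP_COPY_NAME = "important.exe"  # file name documented on the page (compared case-insensitively)
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed data standing in for a triage collection from one host.
CONSTRUCTED_STARTUP_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Important.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",
]
CONSTRUCTED_RUN_VALUES = [
    (RUN_KEYS[0], "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (RUN_KEYS[0], "Important", r"C:\Users\alice\AppData\Roaming\Important.exe"),
]


def target_basename(command):
    """Return the lower-cased executable name from a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]   # quoted path, arguments follow the closing quote
    else:
        cmd = cmd.split(" ", 1)[0]       # unquoted path, arguments follow the first space
    return ntpath.basename(cmd).lower()


def is_startup_path(path):
    """True if the path points into a per-user or all-users Startup folder."""
    return STARTUP_MARKER in path.lower()


def check_persistence(startup_files, run_values):
    """Return (kind, detail) findings for the two documented techniques."""
    findings = []
    for path in startup_files:
        if ntpath.basename(path).lower() == STARTUP_COPY_NAME:
            findings.append(("startup_folder_copy", path))
    for key, name, command in run_values:
        # Assumed heuristic: the Run value name is not documented, so match on the
        # documented file name or on a target inside a Startup folder.
        if target_basename(command) == STARTUP_COPY_NAME or is_startup_path(command):
            findings.append(("run_key_autorun", "%s\\%s -> %s" % (key, name, command)))
    return findings


def collect_live():
    """Windows-only collection of the inputs for check_persistence(); empty elsewhere."""
    if not sys.platform.startswith("win"):
        return [], []
    import winreg
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    files = [os.path.join(startup, f) for f in os.listdir(startup)] if os.path.isdir(startup) else []
    values = []
    for root, key in ((winreg.HKEY_CURRENT_USER, RUN_KEYS[0]), (winreg.HKEY_LOCAL_MACHINE, RUN_KEYS[1])):
        try:
            with winreg.OpenKey(root, key.split("\\", 1)[1]) as h:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    values.append((key, name, str(data)))
                    i += 1
        except OSError:
            pass
    return files, values


if __name__ == "__main__":
    files, values = collect_live()
    if not files and not values:
        files, values = CONSTRUCTED_STARTUP_FILES, CONSTRUCTED_RUN_VALUES
    for kind, detail in check_persistence(files, values):
        print("%-20s %s" % (kind, detail))
```

Run on Windows the script inspects the live Startup folder and Run keys; elsewhere it falls back to the constructed listings. Because the file name is fixed by the author and cannot be changed by the operator, the Startup-folder match is a stable indicator for this version, while the Run-key rule should be treated as a lead to triage rather than a verdict.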