Unit 42 researchers found that access to the “/image/Images/” path on the C&C machine, where all pictures captured from the compromised system are stored, is not protected in any way and could be accessed freely from the web. The researchers found that KeyBase communication with the C&C server is done without encryption or obfuscation of any kind and that the initial request from the malware lacks some HTTP headers, which allows easy detection of malicious activity. The company says that about 1,500 sessions with KeyBase have been spotted since February, targeting entities mainly in high tech, higher education, and retail industries.
The malware can record keystrokes, content stored in the clipboard and take screenshots of the victim’s desktop its author also advertises a user-friendly web panel, unicode support and password recovery, all for $50 / €45.Īccording to telemetry data, the keylogger has at least 295 unique samples and it was used to attack different companies across the world. KeyBase was released in early February and malware analysts from Palo Alto Networks’ Unit 42 have been on to it, tracing its presence in the wild and collecting data on the victims it made. Security researchers tracking an unsophisticated keylogger named KeyBase managed to catch a glimpse of the activity of a crook testing it, by accessing images captured from his/her machine uploaded on an improperly secured command and control (C&C) server.
0 kommentar(er)
