Last Friday, the KeyBase malware family went into Team Cymru’s Botnet Analysis & Reporting Service (BARS).
KeyBase is a multipurpose bot that is used to load additional malware, log keystrokes, steal saved passwords, steal clipboard contents, and take screen captures of the infected computer and upload them to the controller.
We have observed KeyBase being promoted on hacker forums, and it is reportedly available for purchase for as little as $50.00 USD. It does not contain any method of spreading itself; it has often been seen sent as a .zip attachment in email phishing campaigns.
The image above provided by our Threat Intelligence team shows where some of the controllers are as well as where the victims are connecting from.
KeyBase samples reach out to their controller via HTTP GET to a URI ending in /post.php, with the exception of screen captures, which are uploaded via HTTP POST to the same base URL, but with the URI ending in /image/upload.php. Neither the GET nor the POST includes a “User-Agent” header.
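The request shape just described is something a network defender can hunt for in proxy or web logs. The following is an added example, not Team Cymru's or BARS's code: it parses a constructed, simplified proxy-log format (timestamp, client, method, host, path, User-Agent or "-"), flags requests that match the two KeyBase legs with no User-Agent, and then correlates client/host pairs that show both legs, since a single UA-less GET to a /post.php is weak evidence by itself. Hostnames and addresses in the sample are placeholders; stripping the query string before matching the path is my assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed, simplified proxy-log format (not a real product's format):
#   <timestamp> <client_ip> <method> <host> <path> <user_agent or "-">
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<ua>.*)$"
)

# Constructed sample lines; hostnames and addresses are placeholders, not IoCs.
SAMPLE_LOG = """\
2016-03-04T10:01:12Z 10.0.0.5 GET c2.example.invalid /panel/post.php?type=keylog -
2016-03-04T10:01:40Z 10.0.0.5 POST c2.example.invalid /panel/image/upload.php -
2016-03-04T10:02:03Z 10.0.0.7 GET www.example.com /post.php Mozilla/5.0 (Windows NT 6.1)
2016-03-04T10:02:30Z 10.0.0.9 POST other.example.net /image/upload.php -
2016-03-04T10:03:00Z 10.0.0.5 GET c2.example.invalid /panel/index.php -
this line is malformed and is skipped
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["path"]).path  # assumption: drop query string before matching
    rec["ua"] = None if rec["ua"].strip() in ("", "-") else rec["ua"]
    return rec

def matches_keybase_pattern(rec):
    """True when the request shape matches the KeyBase traffic described above."""
    if rec["ua"] is not None:  # both C2 requests omit the User-Agent header entirely
        return False
    if rec["method"] == "GET" and rec["path"].endswith("/post.php"):
        return True
    return rec["method"] == "POST" and rec["path"].endswith("/image/upload.php")

def find_suspicious(log_text):
    """All parsed records that match the pattern, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_keybase_pattern(rec):
            hits.append(rec)
    return hits

def correlate(hits):
    """(client, host) pairs that showed BOTH the GET and the POST leg; much stronger evidence."""
    seen = {}
    for h in hits:
        seen.setdefault((h["client"], h["host"]), set()).add(h["method"])
    return {key for key, methods in seen.items() if methods == {"GET", "POST"}}

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(h["client"], h["method"], h["host"], h["path"])
    print("both legs seen from:", correlate(find_suspicious(SAMPLE_LOG)))
```

Many legitimate scripts and tools also send no User-Agent, so treat a single match as a lead to pivot on rather than a verdict.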
What is BARS Feed?
BARS provides in-depth analysis, tracking, and history of malware families that use unique control protocols and, in some cases, their own encryption mechanisms. We provide the following elements as part of our BARS package:
Infrastructure – to provide automated tracking and reporting of known botnets
Analysts – focused on investigating new malware families and/or variants
Developers – writing specialized code to track and report on these new threats
Our data set contains information related to bots including IP, PGP and GeoIP information.
Contact our sales team for more information.