# Malspam delivers Keybase keylogger 2-11-2017 **[community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017](https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017)** February 15, 2018 Malspam activity was observed on February 11th delivering a Keybase variant. The [keylogger was first reported by security researchers at Palo Alto Networks in 2015.](https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/) [FirstWatch previously blogged about how to detect it using RSA NetWitness.](https://community.rsa.com/community/products/netwitness/blog/2015/06/25/detecting-keybase-variants-using-security-analytics) The [delivery document is crafted to exploit CVE-2017-8759 in Microsoft Office. CVE-2017-](https://www.virustotal.com/#/file/4487cb74d5524d57eb0859bdda34fd9ba7f426fd0867e8826ac2e8c787052848/detection) 8759 is a SOAP WSDL parser code injection vulnerability. FirstWatch dug deeper into that [vulnerability in a previous threat advisory.](https://community.rsa.com/community/products/netwitness/blog/2017/09/18/malspam-and-cve-2017-8759) Upon opening the RTF document with an un-patched Microsoft Word, the user is presented with an empty page: In the background there is an HTTP request over SSL to a[.]pomfe[.]co : ----- Next comes the request to retrieve an HTA script from bahyt-krim[.]ru : ----- [Then an executable ziraat_bobby.exe; a Keybase variant; is downloaded from the same](https://www.virustotal.com/#/file/df48d1ef1d11b4b5bbc92f52de489935ffb9e36ff226b9ac0a7f5c899b9f1db1/detection) domain: ----- Once the download is complete, the binary executes and it starts to exfiltrate data in the query strings of successive HTTP GET requests to ziraat-helpdesk[.]com: ----- Post infection HTTP sessions were tagged with keybase malware in NetWitness Packets: [Here is the analysis report from hybrid-analysis.com](https://www.hybrid-analysis.com/sample/df48d1ef1d11b4b5bbc92f52de489935ffb9e36ff226b9ac0a7f5c899b9f1db1?environmentId=100) It is worth mentioning that the delivery domain bahyt-krim[.]ru has been active over the past couple of days: Delivery document (SHA256): 4487cb74d5524d57eb0859bdda34fd9ba7f426fd0867e8826ac2e8c787052848 ziraat_bobby.exe (SHA256): ----- df48d1ef1d11b4b5bbc92f52de489935ffb9e36ff226b9ac0a7f5c899b9f1db1 -----