

Since February 2015, approximately 1,500 sessions carrying KeyBase have been captured by WildFire, as we can see below:

Figure 3.

We can also quickly determine targeted industries using AutoFocus:

Figure 4.

The targeted companies span the globe and are located in many countries.

This malware is primarily delivered via phishing emails using common lures. Some examples of attachment filenames can be seen below:

One such example of an email delivering KeyBase can be seen below.

Overall, Unit 42 has seen a large number of separate campaigns using KeyBase. As the software can be easily purchased by anyone, this comes as no surprise. As we can see in the following diagram, around 50 different command and control (C2) servers have been identified, with as many as 50 unique samples connecting to a single C2.

KeyBase itself is written in C# using the .NET Framework. These facts allowed us to decompile the underlying code and identify key functionality and characteristics of the keylogger. Functionality in KeyBase includes the following:

When the malware is initially executed, a series of threads are spawned. The various functions spawned in new threads may be inert, depending on the options specified by the attacker during the build. Should a feature not be enabled, a function looks similar to the following:

The author makes use of a number of simple obfuscation techniques on various strings used within the code. Examples of this include replacing single characters that have been added to strings, as well as performing reverse operations on strings.

Figure 11. String obfuscation using replace

Figure 12. String obfuscation using reverse

Additionally, the author makes use of an ‘Encryption’ class. This class is used to decrypt a number of strings found within the code. References to this decompiled code were discovered in an old posting, where the user ‘Ethereal’ provided sample code.

Figure 14.

We see the ‘DecryptText’ function used by the author when he/she dynamically loads a number of Microsoft Windows APIs.

Figure 15.

The following Python code can be used to decrypt these strings. Each encrypted character is shifted back by the key character; the strings and key are taken from the sample being analysed.

    def dec(s, key):
        # Shift every character of the encrypted string back by the key character.
        out = ""
        for c in s:
            out += chr(ord(c) - ord(key))
        return out

    # 'strings' holds the encrypted strings pulled from the sample, 'key' its key.
    for s in strings:
        print("Decoded: %25s | Encoded: %s" % (dec(s, key), repr(s)))

Persistence in KeyBase, should it be enabled, is achieved using two techniques: copying the malware to the startup folder, or setting the Run registry key to autorun on startup. When KeyBase copies itself to the startup folder, it names itself ‘Important.exe.’ This is statically set by the author and cannot be changed by the user in the current version. The value name used in the following Run registry key is set by the user, and is always a 32 byte hexadecimal value.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Keylogging in KeyBase is primarily accomplished in a separate class appropriately named ‘KeyHook.’ While the class shares a name with a publicly available repository on GitHub, the class appears to be custom written. While custom, the class itself uses a very common technique: calling the Microsoft Windows SetWindowsHookExA API in order to hook the victim’s keyboard.

Figure 16.

The author proceeds to handle the appropriate keyboard events as expected. The class also has the ability to handle Unicode characters, as well as to get the name of the foreground window. This allows the malware to identify not only what keys are being pressed, but also what application those key presses are being sent to.

All communication with a remote server takes place via HTTP. Data is not encrypted or obfuscated in any way.
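The two persistence artifacts described above (a Run value whose name is a bare hexadecimal string, and a file named ‘Important.exe’ in the Startup folder) are easy to check for during triage. The following script is an added example and not code from the original article or from KeyBase; the Run values and Startup folder listing it inspects are constructed sample data, and it reads the article’s “32 byte hexadecimal value” as a 32-character hex string, which is an assumption.

```python
import re

# Registry key named in the article; the values below are constructed sample
# data standing in for what a triage script would export from a host.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "3f2a9c8e1b7d4a6f5e0c9b8a7d6f5e4c": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
}
SAMPLE_STARTUP_FILES = ["desktop.ini", "Important.exe"]

# Assumption: the user-chosen value name is exactly 32 hexadecimal characters.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# Hard-coded filename KeyBase uses when it copies itself to the Startup folder.
STARTUP_NAME = "important.exe"


def suspicious_run_values(run_values):
    """Return (name, command) pairs whose Run value name is a bare 32-hex-digit string."""
    return [(name, cmd) for name, cmd in run_values.items() if HEX32.match(name)]


def suspicious_startup_files(filenames):
    """Return Startup folder entries that match the KeyBase filename (case-insensitive)."""
    return [f for f in filenames if f.lower() == STARTUP_NAME]


def triage(run_values, startup_files):
    """Combine both checks into human-readable findings for an analyst."""
    findings = []
    for name, cmd in suspicious_run_values(run_values):
        findings.append("Run value %s\\%s -> %s" % (RUN_KEY, name, cmd))
    for f in suspicious_startup_files(startup_files):
        findings.append("Startup folder contains %s" % f)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES):
        print(line)
```

On a live Windows host the two inputs would come from the `winreg` module and a directory listing of the user’s Startup folder; the checks themselves are deliberately kept free of that so they can be run over exported data from any platform. A hex-named Run value is a heuristic, not proof, so the command path it points to should be examined next.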
