Palo Alto Discloses Details of New Keylogger ‘KeyBase’

Well-known security company Palo Alto Networks just disclosed one fresh group of keylogger malicious program under watch by the company since a few months. Presently circulating online starting February 2015, the program called 'KeyBase' is available for USD50 (or 33 pounds) that the author directly sells to the purchaser, with the program getting used within assaults on several organizations primarily getting served through phishing e-mails, published scmagazineuk.com, June 8, 2015.

The threat intelligence service AutoFocus of Palo Alto had its engineers substantiate that they had spotted 295 distinct strains of the malicious program within over 1,500 separate sessions during Feb-March 2015.

According to Palo Alto, KeyBase has the ability to record keystrokes or material saved inside the clipboard as well as to capture the victimized user's desktop screenshots. The malware's owner also canvasses one support along with password retrieval named Unicode that's an easy-to-use web-panel.

The company states KeyBase attacks targets chiefly within retail, higher education and high-tech industries.

Palo Alto's investigators discovered that the malware communicated with its CnC server devoid of any sort of obfuscation or encryption as also that the malware's first query didn't even have any HTTP headers that let obstacle-free identification of malicious operation.

They also discovered that there was no protection of admission made into the "/image/Images/" route inside the command-and-control server the place holding the screenshots of the hijacked computer, therefore could be gained entry from the World Wide Web without any hassle.

Looking further inside, the investigators found the keylogger controller as testing the tool, since there were images present from the person's desktop.

Palo Alto Networks explains that once enabled, KeyBase persists by utilizing dual methodologies -configuring Run registry option as 'autorun' during system booting alternatively creating the malware's copy onto startup folder. After the copying is done, KeyBase gives itself the name 'Important.exe' that the controller statically sets and which the user can't change within the existing edition.

Whilst there are certain problems with this malware's sophistication, Palo Alto said they'd noticed one considerable and continued increase of keyloggers' application; hence end-users must adopt the required safeguards for lessening the possible dangers resulting from such malware.

» SPAMfighter News - 6/17/2015