KeyBase is a typical keylogger, capable of logging keystrokes, capturing clipboard data, taking screenshots of the compromised user's screen and uploading the stolen data to a web-based panel, the web part of the keylogger where crooks can review the collected data. All communication between the compromised PC and the web panel goes over unencrypted HTTP, so the GET requests are easily captured with Wireshark, Fiddler and similar tools. The web panel is very simple (and ineffective for larger data sets), catered to accommodate its main group of users: kids and teenagers.
Like many other spyware and malware, it was first sold on underground forums; later, leaked versions were shared to even more skiddy forums so kids could learn and practice their cyber scam skills. Very often they are stupid and ignorant, thinking that nobody can catch them, proudly leaving traces all over the internet by using the same nicknames, emails, avatars, etc.
The malicious file is distributed mostly through phishing emails targeting the retail industry, transportation and courier companies, the manufacturing sector, etc. I will post some of my findings soon, documenting the full attack process: from collecting data about a specific industry and scraping relevant emails for the phishing attack, to execution of the attack.
The KeyBase web panel is protected with a login, but there are many flaws in the script itself, flaws that can allow access to the config file with the login details, the screenshots from infected computers, etc. In addition, the end users are wannabe hackers with entry-level skills who don't know how any of this works; their technical knowledge is close to zero, so many installations are misconfigured, with the full installation .zip file still on the server and even the index file missing from the main folder, leaving everything wide open to the public...
Here are a few screenshots of the KeyBase web panel, taken from one of the unsecured installations.
Looking at screenshots of the collected data is scary; everything comes to mind, everything is possible. Industrial espionage, redirected payments, blackmail and many other high-risk operations are fairly easy to conduct, in fact just a few clicks away from any kid with internet access. Here are a few examples, randomly selected from several compromised computers. I have redacted details that could disclose personal information.
What is interesting is that several KeyBase installations (found on the same server) have different types of victims and different languages/countries targeted. Also, some of the installations are heavily visited, while others were not even used in the course of the 5 days I was watching their activity. I cannot confirm it, but most likely it is not one scammer using all the KeyBase installations; rather, several different scammers (most probably friends or customers of the alpha scammer) are using the same server.
One of the scammers managed to be stupid enough to infect himself with the keylogger, and a lot of screenshots from his own computer were uploaded online, so the second part of this research will be about the person (or persons, not sure yet) who has access to the server where the screenshots above were taken and who installed the web panels for this scam operation.