#KeyBase reloaded

KeyBase first came to my attention in mid 2015, a favoured tool of those with little technical capability, and those known as ' skidz'.  I first wrote about in July 2015, noting some of the basic capabilities here http://www.brycampbell.co.uk/new-blog/2015/7/14/keybase-malware

Palo Alto have recently produced excellent research together with IOC's which go in to great detail, you should read it. http://researchcenter.paloaltonetworks.com/2016/02/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/

In essence it steals sensitive credentials, here is some of the PHP used to steal the data:



A lot of thanks should go to the great work that @malwarehunterteam, @James_MHT and @Techhelplist are doing to promote the discovery and takedowns of these panels. I have privately and legally, observed some of the content that is being stolen by the criminals and it's extremely sensitive material.

Welcome to KeyBase

KeyBase, as mentioned is a infostealer, and the Palo Alto write up discusses its capabilities in much greater detail than i will.

KeyBase arrives by spoofed mails, often as disguised as office documents, or with double extensions, here is an example.

Cynomix relationship values

Hash & sample available here -  courtesy of Invincea

So, the research and analysis went on, the content became richer.Researchers in certain circles are critically aware of a known bug in KeyBase and further bugs add to the information being less than secure, this is highlighted in the Palo Alto article, and all information is secured was done so legally.

The comical aspect which prompted this post was the fact that KeyBase itself is not advanced, it is very noisy, it does not encrypt data in network communications, perimeter security will detect its patterns as it attempts to exfiltrate any sensitive information demonstrated by the image above with 'Window title' in the packet.

The panels themselves are usually not configured correctly, they are almost 'plug and play', and this is confirmed by the research done by Palo Alto, the screenshots below are all taken from a panel which was completely unsecured and available to view on the open web.

We quickly discovered that the 'miscreants' behind these panels had infected themselves, the reason for this is clear. The interesting screenshots including Facebook profiles, and messages between the gangs.

Screen Shot 2016-02-26 at 23.48.45.png

So, critically. You'll note i have not obscured any content. Joseph Ikems - we've extracted content which was captured from his own panel, or the friend he's discussing the 'problems with the panel' with.

However, it's probably more likely it was jeffjeff, as the panel was closely named to this in terms of domain registration. The reasons for this are shown in part by the content below.

We have email. So, we've managed, or should i say he has given us his email. The above screenshot shows the miscreant logged into a yahoo mail account under the name ' dixion.tony', lets assume its dixion.tony@yahoo.com.

The most advanced threat intelligence platform in the world agrees, this is potentially our guy, he has history and people are complaining about being scammed.

This begun to get interesting as the exposed screenshots yielded more information, this time as the criminals begun to actively target industries, setting up fake domains and fake businesses in an attempt to extort legitimate businesses once they had been compromised.

A tab open 'Textile companies turkey'

The targets included in the spam campaigns had been crafted to appear from a fake company as shown below, 'Jinatrading LLC'

Jinatrading LLc

Looks to be having some 'issues'.

Website content

As the content begun to become more peculiar so did the screenshots captured from the panel. At one point Tony decided to log into Facebook.


The total number of screenshots from Tony's own machines exceed 90, and the total of screenshots is over 200. Attempting to alert the victims proved fruitless sadly, a lot of them never responded. 

The lessons learned, and not published here are that the criminals behind this enterprise persisted to infect themselves with their own stealer, and fail to understand the technology they worked with, the details here are approximately 20% of what was extracted, including fake company registrations to appear legitimate.

An aggressive financial motive was clear, and some element of muling was involved. The screenshots below show searches for how to clear money or 'cash out'.

How do i hide my stolen money breh?

Detailed IOCs are available upon request, some of the artefacts are available to search via Hash and are listed on VT.

  1. https://www.virustotal.com/it/file/b900930b35d27208fd93f17a6c66ade96e6ecf9de4d6dc0c812b1dbca6746ff2/analysis/
  2. https://www.virustotal.com/it/file/77f6b395d65e869244cb526a17bda4cecf9220bcf4a7f47b898515f8e9b08c24/analysis/
  3. https://www.virustotal.com/it/file/e236ff3b1a65d42a11e74ebdaadc872f4d2b6e7aa2ee43b29cf123badc3d3e1b/analysis/
  4. https://www.virustotal.com/it/file/10eb146208f656b2f417a704b227f50cbf3eec67be67006db5dcc4a96228da32/analysis/
  5. https://www.virustotal.com/it/file/442f0e588d6270459914749e50d39d2feeec2d114e0ef357c57cb784fd9852f0/analysis/
  6. https://www.virustotal.com/it/file/a7230146b45eb9bb5940df9d9f65e63fc650c2afb3fc8502c5ded16c7f625b2a/analysis/
  7. https://www.virustotal.com/it/file/ba12cf6d096727e21a8de6202f05bba6c1917a1c638b59359130c0fe049d1c23/analysis/
  8. https://www.virustotal.com/it/file/780b005dbf3b24f1983fc36da125313a302bc787b77827d1eb9b2d347bed5439/analysis/
  9. https://www.virustotal.com/it/file/d48dd0b45639d1bd51db72e1adc5cbed344f31c6ce309874c4bc426ac59785e0/analysis/
  10. https://www.virustotal.com/it/file/87dd00b45358dc3ae3a4df65107601740aa24ce794bdf9e496dd79cf2606fc0b/analysis/