KeyBase stealing trojan from Deepviz perspective

Yesterday was another wonderful day here at our office, as we made another great improvement to our Deepviz threat intelligence platform. If you log into our Threat Intelligence service at intel.deepviz.com you will find another icon on the left sidebar. We’ve finally launched our live feed of URLs contacted by malware analyzed in the past hour, updated hourly and sorted by active hosts.

While this is great for tracking down active C&C servers and keeping an up-to-date blacklist of domains, it is also a great tool for researchers. Last night, while going through the list of active URLs, we saw the following:

[Screenshot: live_url]

This definitely caught our attention, so we wanted to take a closer look at it using our intelligence data: contactmike.com.ng

The domain was set up in June of this year; here is the WHOIS:

Registrant name: Ikenna Ikediugwu
Registrant email: support@globalhosting247.com
Registrant info: Upperlink Limited
Creation date: 2015-06-10 16:05:55
Updated date: 2015-06-10 16:08:46
Expiration date: 2016-06-10 16:05:55

More interestingly, this website has been contacted by the sample with MD5 b0a599da894c5f992949ea101c8b1520, automatically classified by our Deepviz Code Analyzer as malware with 99.2% confidence. Looking at the rules it matched, it immediately looked like a password-stealing trojan.

Among the interesting findings were the following dumped strings and network connections:

http://contactmike.com.ng/kbpanel/
c:\users\support\documents\visual studio 2013\Projects\KeyBaseEx\KeyBaseEx\obj\Debug\KeyBaseEx.pdb

This looked like the KeyBase infostealing trojan that was being sold on the black market earlier this year, which was confirmed when we tried to connect to that URL:

[Screenshot: capture_login]

We had a further look into our database, searching for all samples that contain the string KeyBaseEx.pdb and carry a malicious classification. I used our intel search API (api.deepviz.com):

POST https://api.deepviz.com/intel/search

{
    "apikey": "xxxxxxxxxxxxxxxxxxx",
    "strings": [
        "KeyBaseEx.pdb"
    ],
    "classification": [
        "M"
    ]
}

which gave back the following results:

{
"status": "success",
"data": {
"Total": 131,
"MD5": [
"1e66e3ea4720c082137dbf2a6e6e5286",
"cdfa3e80617de07be84ac39aa0a097bd",
"5e1cdfada02fd0780830b26a95797858",
"4acd3f41ac883f2724dd3302ad63cb0c",
"b0a599da894c5f992949ea101c8b1520",
"a7f357e6ee1b3f3427fb0aba7402beda",
"584a7e75166efd8e3ab95a72beb9b15b",
"030f1e1dbbf7bb37bf37efa61d6309e5",
"3d9bcb112cd79d11bd4c762721e234e6",
"eb54feb9f24612ff735361238308e05c",
"d53b1b2107de1816355b2fcb8a3f1cb6",
"afc7c96de70bfd10644bf364414f3342",
"22d57aa9f49573d63362fa143509c90a",
"893d133458b7be98c8299f0ac83f8c52",
"4d489c000f483407c8f4e7fa7fcc6997",
"acb98693bbc689d8c27f0b43cb714020",
"53bfe9488479316d7a69aa5b27cfd404",
"a98a2d3563301541e60294f5a7cf76f6",
"82f321611101c3e445a9687acc4e72be",
"b09739ad9a60feab8b60c82a8e399fe1",
"c8a251354e694810dd696fa88594de4a",
"ecbc2527152135ccafb70471bcec6bb3",
"78db303c5f570d2f91747ecd7ea66bb4",
"a0a349709b2548d33261a117cfd0e36f",
"a196920ab5ddb90d09b138721c55627d",
"5856633b945b97132a1dc2b6dd695ee2",
"e546dcec370cf6e730c9f70393770710",
"1db2ff11512defeebbde73d0744dc231",
"8c8123e7640967762b3f188b6e9f8dc4",
"22dd0c433c98688d607677f622de8605",
"67a327a3782701ecc42764d99b1a4b11",
"4cd639b178815aa75635378a9a5fbe0c",
"c304f8128a6b9b8734b6d2ba05a3ec06",
"be48cf2d44c7b3588e3448d240bcfa32",
"f113fd15d735b6a534343d5ee1382c77",
"832de14e17809d9871755908ba331c9b",
"4731cfb4755961f4c56daa3dd5f4ecb9",
"8c37cd09e47d674f01f3203131f60c10",
"21981774f875778166f50150947c4b00",
"afb54a76e30b09edd51fa467b39af4a4",
"9d8f55c89ab47f28fa918bac022cd98f",
"e094e08400cfa13aa36afc6e6be22463",
"9cd73678aa6508a003b1b913883a82ab",
"97b77afa8dd9dda2d085494b6c4f1750",
"830fa047eee3f14292a89230254ce1eb",
"17cd9b0f9ba735c257cca8886e17f130",
"4589b66510e1666eabb28ae5282295f8",
"7d89b80f7ed67f5be33dec3058135e8d",
"516535dcabac9dcd81c1129b3716ef07",
"bdb864591f2909ade1879afeb98014ef",
"7a4a2dc396909bc517d976fbfba38a24",
"22de23d8005c70e7755ee83611f15ad2",
"8b40aeaa38e2a2ec4bc3bae03958d6ff",
"4d4bea91f653f7f2db7f7e59bae8da40",
"3a791ceb36b67b19c29c435819aa2f60",
"2c768a4e7b052382e40127131717bbd0",
"256a01593c256a566c4816fb4353b132",
"d28e260f0c7aa91fe74c57dcf5f98e71",
"fb8ebd556b3c68edf2ad6d8bba9b504b",
"8c14a95413c30f74651443f63964214a",
"bc78ea7135263ed0841b2922566f7fa1",
"c7e241d649295c0ade290453fef7ff73",
"d40299a4a300c3b2b946c96d104b6454",
"f15ffcf873ba5e914ff34fcfeea0f045",
"1c4738ea497c72742656d736dd08c37c",
"34568e35fdd8a33f9e624c81301c25de",
"c267a7a36d3f47efe5954b894a9bcdd4",
"d55c248c3c6c6022ecdcb1997444ddc8",
"499a9966da1569a5c7acc57a670cd695",
"8f93c16c041e727f47d8acfe7f259807",
"2f613e01631379d063574367f8fd2e2b",
"a7181bdfd04277f446199e07c278b92c",
"78f06c02557241568cfb83b0528f5085",
"1ee64c17e4735218adbe4f3725e8f25d",
"63ea0412db0ab8bccfe747d17f15ba61",
"7ce4e6332eab25cc1743eac68bde1294",
"d58f4c7f1dcfb2d8de80cefdba747916",
"de303f6f9e28031aeea625d6beb8e157",
"c2740c928062748b59e893019ddeeb6d",
"cdd3bc2276c2e5aac89a740319023e33",
"cdd7ddade4b23c45407414e7dfb34426",
"646058f43f6ebc11134bf6678307ba91",
"2b2b5a3ff9b018957c73bc832493e631",
"e8ff1214ee98cf8fae98c6d97fb6edf5",
"e2733d1418f2ca17c15542ddbe941bf0",
"83ad2f1a122c53634a8ed1699e61be11",
"3fc8c89c53552ec08c78d9cbaba871de",
"9c471bb67bebf12bff65e88b30c83a2d",
"287620614b7f0c02a7d201e992b537a0",
"839ca1346b7562ee727aaeb71870210f",
"7fa831c5d0b0c8a0c0d0ff5b1c807c87",
"225b4f95bee096649fd12c05d9d4ea21",
"8ab033f272a7cfd9c31134be1f307153",
"b3d0e732b9e1fcada499288fcdf0e4bf",
"5038e46a2597675d0b2df312fbb2c72f",
"1a12bc0917807ed57d04be033fae3377",
"a43586d3052e183d0fbafac9de454282",
"7b217c7752bc70c5230cced1e1f8e7bd",
"19b4a5a7e7a430b35b8f88eff3bda7f7",
"fae45bd217fe2dfe5eb44110d05158bb",
"af5780d42970f6cb3439db4946ad2076",
"c92b2956532b7a02b6c4c0214cd731c4",
"ef4ba9425ad151af066eccf2f0b9e2f2",
"8655fbce3933161193702efe27f40879",
"5bd7db8b24e593d6483bbb0f98f3698d",
"6bbd53304a2c9e1042b298501690d8d5",
"54a3c8a97edc941947195cb523510364",
"d366ba790a0990ea4a876109232e95de",
"abb787eccca4bd63754b21aa23024079",
"e3dbcabae789ef04be1edd6ece5f2b22",
"a984b5b7020176531f82f49918173196",
"951f44778a482dfb2213e91ed5593fe9",
"e039fb1b040da4021da859994f24fef9",
"b67148045d08522b990c32be11cc0bd7",
"00adac707c6bf4cbeea50616154206ec",
"63f9ba883959cd6fc2f211b2e2a9733c",
"60964fe841d950bce9f8c6c1e9dcd0be",
"c008d9377b5f5458b1b96227dcd798dd",
"83987e7299bb7f0d25f9672e67beed41",
"6eb8c3c8e4181604ccede8adad0e163f",
"3ba8fa430fec6948c95e8f477c38e54f",
"7a23a80e2c572aa769402dae1efdd2ae",
"157e2d1385d09b9fea81bb00f7d55faf",
"f36e33e8045fcd422c55088e7a877a9c",
"7e4e32b042565d5cede168a47a6bbf59",
"69da2988afeb94b390938d7f0d945a7a",
"cde07ac30a52f809f04c878ce56872c0",
"ab8bde759541921f360b2d96c21e6c7b",
"8c700b1ec985bf23136768f433cf86bf",
"813563eef969f691224c64769390ee92",
"4683b7b9c248a3804040256c8999de22"
]
}
}
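To show how a query like the one above fits into a defender's own tooling, here is an added example (not code from the post or from Deepviz) that builds the request body in the shape shown, parses a response of the shape shown, and keeps only well-formed, de-duplicated MD5s while refusing to treat a failed query as "no samples". The endpoint URL is the one named in the post; the API key, the JSON transport, the response fields beyond status/data/Total/MD5, and the sample response below are assumptions or constructed for the demo, so it runs offline.

```python
import json
import re
import urllib.request

# Endpoint named in the post. The API key, the transport and the exact
# response shape beyond what the post shows are assumptions of this example.
INTEL_SEARCH_URL = "https://api.deepviz.com/intel/search"
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def build_search_query(apikey, strings, classification=("M",)):
    """Build the request body in the shape the post shows for /intel/search."""
    return {
        "apikey": apikey,
        "strings": list(strings),
        "classification": list(classification),
    }


def parse_search_results(body):
    """Turn a search response into {'total': n, 'md5': [...]}.

    Only well-formed, lower-cased, de-duplicated MD5s are kept, and a
    non-success status raises instead of looking like an empty result.
    """
    result = json.loads(body) if isinstance(body, (str, bytes)) else body
    if result.get("status") != "success":
        raise ValueError("intel search failed: %r" % (result,))
    data = result.get("data") or {}
    md5s = []
    for raw in data.get("MD5", []):
        md5 = str(raw).strip().lower()
        if MD5_RE.match(md5) and md5 not in md5s:
            md5s.append(md5)
    return {"total": data.get("Total", len(md5s)), "md5": md5s}


def _http_post_json(url, payload):
    """Default transport (assumed): POST the JSON body, return the response text."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def search_intel(apikey, strings, classification=("M",), post=_http_post_json):
    """Run the search and return the parsed hashes; `post` is injectable for offline use."""
    payload = build_search_query(apikey, strings, classification)
    return parse_search_results(post(INTEL_SEARCH_URL, payload))


# Constructed sample response modelled on the one in the post: a few of its
# hashes, plus one duplicate in upper case and one malformed entry.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {
        "Total": 4,
        "MD5": [
            "1e66e3ea4720c082137dbf2a6e6e5286",
            "cdfa3e80617de07be84ac39aa0a097bd",
            "5e1cdfada02fd0780830b26a95797858",
            "b0a599da894c5f992949ea101c8b1520",
            "B0A599DA894C5F992949EA101C8B1520",
            "not-a-hash",
        ],
    },
})


def offline_demo():
    """Exercise the search against the constructed response; no network needed."""
    sent = {}

    def fake_post(url, payload):
        sent.update(payload)
        return SAMPLE_RESPONSE

    found = search_intel("xxxxxxxxxxxxxxxxxxx", ["KeyBaseEx.pdb"], post=fake_post)
    return sent, found


if __name__ == "__main__":
    sent, found = offline_demo()
    print("query strings:", sent["strings"])
    print("%d of %d samples carry the string" % (len(found["md5"]), found["total"]))
```

Keeping the transport injectable is what makes the parsing logic testable without an API key; in production you would pass nothing and let `_http_post_json` do the call.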

These are all the samples we have received and analyzed so far that contain the string KeyBaseEx.pdb. Using our automated clustering engine we get back the following result:

[Screenshot: keybase_cluster]

All of them are related to the same trojan, KeyBase. The next step was to find out whether their C&Cs are still up and running and, not surprisingly, we found that many of them are up and some are still receiving live data, even today!

[Screenshot: KeyBase Panel]

While it’s scary that they have been holding captured data for months and are still collecting credentials, another critical issue is that the KeyBase C&C panel is poorly designed: it lets outsiders see part of the logged data without administrative credentials. KeyBase features screen grabbing and keylogging, and sadly the captured screenshots are exposed to anyone who knows where to look, because the panel does not restrict access to the folder they are stored in.

This is a list of active C&C servers we have found so far:

kreativewebsite.com/jss/web/
contactmike.com.ng/kbpanel/
2fastsms.com/kbpanel/
biz.karelia.pro/keybase/
filezilla.usa.cc/scardo-bros/
giimagemedia.com/server1/asc/
attecco.com/wp-note/php/
giimagemedia.com/server1/ne/
doncglobal.com/kalus/web/
sivaafi.net/images/l/kbpanel/
sidemlogistics.com/sys/dbb/kbpanel/
tehranmobaddel.com/php/
calibis.usa.cc/jayguy/
winpy.usa.cc/css/
usersmrt.sslsecurityencryption.com/logs/
azabideon.nut.cc/mar/isch/
userg.progadgetsystems.com/logs/
medilincinxq.eu/abebe/
phonesandtabletsfix.com/kbpanel/
nonso.usa.cc/teco/
southplannersuppliers.com/solid/
omniscientstraps.com/kbpanel/
calibis.usa.cc/2020/
future-furnitures.com/kbpanel/
calibis.usa.cc/solace/
creativelinkspk.com/php/kbpanel/
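A list like the one above is most useful to defenders once it is turned into a blocklist and matched against egress logs. The following added example (not code from the post or from Deepviz) takes the panel paths exactly as listed, derives the unique hostnames for a DNS or proxy blocklist, and scans proxy log lines, distinguishing a request under a known panel path from one to a known C&C host on another path, while not matching look-alike hostnames. The log line format and the sample lines are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Active panel paths as listed in the post (the post gives no scheme).
KEYBASE_PANELS = """
kreativewebsite.com/jss/web/
contactmike.com.ng/kbpanel/
2fastsms.com/kbpanel/
biz.karelia.pro/keybase/
filezilla.usa.cc/scardo-bros/
giimagemedia.com/server1/asc/
attecco.com/wp-note/php/
giimagemedia.com/server1/ne/
doncglobal.com/kalus/web/
sivaafi.net/images/l/kbpanel/
sidemlogistics.com/sys/dbb/kbpanel/
tehranmobaddel.com/php/
calibis.usa.cc/jayguy/
winpy.usa.cc/css/
usersmrt.sslsecurityencryption.com/logs/
azabideon.nut.cc/mar/isch/
userg.progadgetsystems.com/logs/
medilincinxq.eu/abebe/
phonesandtabletsfix.com/kbpanel/
nonso.usa.cc/teco/
southplannersuppliers.com/solid/
omniscientstraps.com/kbpanel/
calibis.usa.cc/2020/
future-furnitures.com/kbpanel/
calibis.usa.cc/solace/
creativelinkspk.com/php/kbpanel/
""".split()


def split_panel(panel):
    """'host/path/' -> ('host', '/path/'), with the host lower-cased."""
    host, _, path = panel.partition("/")
    return host.lower(), "/" + path


def panel_hosts(panels=KEYBASE_PANELS):
    """Unique hostnames, e.g. for a DNS or proxy blocklist."""
    return sorted({split_panel(p)[0] for p in panels})


def panel_prefixes(panels=KEYBASE_PANELS):
    """(host, path-prefix) pairs for exact panel matches."""
    return {split_panel(p) for p in panels}


# Constructed proxy log format assumed here: "<time> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(url, hosts, prefixes):
    """'panel' if the URL is under a listed panel path, 'host' if only the
    hostname is listed, None otherwise. Hosts must match exactly so that
    look-alikes such as 'contactmike.com.ng.example.net' do not fire."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in hosts:
        return None
    path = parts.path or "/"
    for h, prefix in prefixes:
        if h == host and path.startswith(prefix):
            return "panel"
    return "host"


def scan_proxy_log(lines, panels=KEYBASE_PANELS):
    """Return a list of (time, client, host, verdict) for lines touching a listed host."""
    hosts = set(panel_hosts(panels))
    prefixes = panel_prefixes(panels)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        ts, client, _method, url, _status = m.groups()
        verdict = classify_request(url, hosts, prefixes)
        if verdict:
            hits.append((ts, client, urlsplit(url).hostname.lower(), verdict))
    return hits


# Constructed sample lines: one panel hit, one host-only hit, one benign
# request, and one look-alike host that must not match.
SAMPLE_LOG = [
    "2015-10-13T10:02:11Z 10.0.0.12 POST http://contactmike.com.ng/kbpanel/ 200",
    "2015-10-13T10:02:15Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2015-10-13T10:03:40Z 10.0.0.31 GET http://calibis.usa.cc/other/ 404",
    "2015-10-13T10:04:02Z 10.0.0.31 GET http://contactmike.com.ng.example.net/ 200",
]

if __name__ == "__main__":
    print("blocklist hosts:", len(panel_hosts()))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Exact-host matching is deliberate: several panels sit on free subdomains such as usa.cc and nut.cc, so blocking the parent domain would sweep in unrelated hosts, whereas the 23 unique hostnames above are safe to block outright.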

This is exactly where Deepviz can help you make your infrastructure’s layered defenses stronger. Deepviz Code Analyzer automatically analyzed and classified all KeyBase samples with our AI machine learning detection and similarity engine, and in our Threat Intelligence Platform the data extracted during malware analysis is correlated so that our clustering engine can isolate and identify new members of the same malware family.

Below are some reports from our analyzer:

ecbc2527152135ccafb70471bcec6bb3

4731cfb4755961f4c56daa3dd5f4ecb9

b0a599da894c5f992949ea101c8b1520