KeyBase malware highlights need for a change in enterprise cybersecurity

June 9, 2015 Arctic Wolf Networks

A new keylogger malware has been found for sale on the black market, and it is being used to launch widespread cyberattacks through phishing emails sent to a variety of organizations. Cybersecurity firm Palo Alto Networks first discovered the malware, known as KeyBase, in the wild back in February, but has now gone public with the information because the author of the malicious software is selling it for as little as $50 for use in enterprise cyberattacks.

Researchers with Palo Alto report that they have identified nearly 300 unique samples of the KeyBase malware in more than 1,500 unique sessions within the last four months. The attacks in which the malware has been used have mainly targeted businesses within the technology, higher education and retail sectors.

Using a known name to inspire confidence
While there are a multitude of keylogger malware programs available to cybercriminals, KeyBase malware is especially damaging because it takes its name from a reputable source. Project Keybase is "an open source command line program attempting to make cryptographic keys, like those used for bitcoin wallets, easier for everyone to use," according to SC Magazine contributor Adrian Bridgwater. Initial reports from researchers show that there is no connection between the KeyBase malware and Project Keybase, but the use of the name – even with the minor spelling difference – is still damaging.

A post on security education forum earlier in the year provided a detailed list of the malware's attributes, such as its user-friendly web-panel, password recovery options and that it utilizes .exe attachments almost exclusively for malicious files within phishing emails. Keyloggers are used to map and record the keystrokes of a compromised device in order to capture personal data and login information as it is being entered. KeyBase uses keylogging to insert itself within a file on a victim's computer and then run a malicious program that takes over the machine.

"Persistence in KeyBase, should it be enabled, is achieved using two techniques – copying the malware to the startup folder or setting the Run registry key to autorun on startup," read a statement released by Palo Alto Networks. "When KeyBase copies itself to the startup folder, it names itself 'Important.exe.' This is statically set by the author and cannot be changed by the user in the current version."

Malware for sale the symptom of a larger security problem
While malware like KeyBase certainly makes hackers' jobs easier, cybersecurity experts are quick to point out that they are just a symptom of a larger problem. Fraser Kyne, principal systems engineer for Bromium, told SC Magazine that many businesses in the IT security industry are more concerned about selling remedies for the side effects than trying to fix the root cause of cybercrime. Gavin Reid, vice president of threat intelligence for Lancope, echoed Kyne's statement.

"Tools for the miscreants like keyloggers are priced according to supply and demand," said Reid. "Often criminal gangs purchase off-the-shelve kits because it's a lot easier and cheaper than making your own but more importantly they still work. We really need to get to the point where malware persistence is not as easy as copying an executable to a run key or start-up folder. This says more about the current state of PC security than it does about the hackers."

Current malware is so effective because it is able to evade traditional detection methods and remain unidentified on machines for weeks and even months. In order to change the status quo of enterprise cybersecurity, businesses must start to implement analytic security measures that monitor system behavior and activity. Big data security tools like network monitoring allow organizations to detect suspicious or anomalous behavior that may be the result of malicious programs that have made it past a company's firewall and installed itself on enterprise networks. The data from the event is analyzed and then used to create a more robust defense that allows a business to protect its systems from current threats.

Cybersecurity news and analysis brought to you by ArcticWolf, inventors of firebreak detection and response security services.  FireBreak, when your firewall fails.

Previous Article
Cybercriminals seeing higher return on investment

A single ransomware campaign can offer an attacker a 1,425 percent return on investment.

Next Article
Sally Beauty confirms malware on POS systems

Sally Beauty Holdings, Inc. confirmed that it has suffered another breach of its payment card systems.


Want cybersecurity updates delivered to your inbox?

First Name
Last Name
Thanks for subscribing!
Error - something went wrong!