brazerzkidaibanner.blogg.se - Keybase keylogger

#Keybase keylogger password#

The sample in question is also seen dumping key logged data to a separate server at 68.171.217250.

#Keybase keylogger password#

We’re also able to pivot from the unique password to another account hanging off the bottom in the first image, which shares a local name with the above local, “ dubem”.

correlation provides strong evidence that the actor behind these accounts is the same.

The domains themselves have been truncated. The below list highlights some of these shared local parts across domains in the username. When you look at the actual accounts as well, we see usernames are formatted like e-mail addresses and some of the local parts of the address get shared across domains. While all the stolen data being dropped on one FTP server is a solid relational indicator, what’s even stronger is that 14 usernames all used the same password, “ joinkrama2”. Unique password reuse in the "Kramer" cluster Looking a little closer, there is a smaller cluster of accounts on the left of the graph that warrants further investigation.įigure 3. This FTP drop site was the most utilized across our sample set, with 71 unique samples and 18 unique FTP accounts being used to drop data.

Starting from right to left, the first cluster shows a heavy concentration of samples communicating with IP address, 108.179.19624. 96 unique accounts used to log into these drop sitesĪfter collecting all of the data from PCAPs and loading it into Maltego, we can visually see multiple organic clusters standout along the top, which will be the topic for discussion.37 unique drop destinations were identified for stolen data.53 SMTP connections were made with active credentials.207 FTP connections were caught with active credentials, e.g., the malware successfully logged into the FTP server to upload data from our virtual test machines.We’ll use these embedded credentials to try to uncover patterns and find actor-identifiable data through our research.īefore getting into the correlation, some general statistics on the data: After downloading the samples and their respective network activity, I parsed out all successful FTP and SMTP activity to build a data set for Maltego. Couple this with the increase of keyloggers found in the wild and we find ourselves with a very large data set that can be used for correlation.īy using Palo Alto Networks AutoFocus, I was able to quickly identify 500 recent samples of HawkEye and iSpy, which exhibited either FTP or SMTP activity during dynamic analysis. This further provides an analyst with a remote server address, username, and password for each sample analyzed.

This presents a valuable data point, because all of the big four keylogger families embed their credentials inside of their binaries. HTTP transmission usually involves a simple POST request with a body containing the stolen data however, for SMTP and FTP, more often than not these protocols require authentication to log into a service before transferring the data from the compromised system. There are three well-established methods for doing this: HTTP, SMTP, and FTP.

To be of any value, keyloggers must transmit data back to the attacker.

The intent of this blog is not to rehash what has already been discussed, but instead to shift the focus to the actors behind these keylogger threats and show a practical technique for identification. This past year Unit 42 has seen a resurgence of keylogger activity and it seems like every week a new research blog comes out talking about one of four popular families: KeyBase, iSpy, HawkEye, or PredatorPain. These blogs usually delve into the technical workings of the threats, discuss their relationship to each other, and explain how they evolved from one another through new ownership or branding of the tools. 日本語 (Japanese ) Mo' key loggers, mo' problems