This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Detecting KeyBase keylogger variants using Security Analytics

Anonymous
Not applicable
‎2015-06-25 11:05 AM

A couple of weeks ago, security researchers at Palo Alto blogged about a new keylogger malware family called KeyBase. According to Palo Alto blog, the keylogger could be purchased directly from its author for $50. Although it is quite unsophisticated, KeyBase remains a threat that spreads through phishing campaigns mainly targeting high tech, higher education and retail industry.


Once it runs on an infected host, the malware sends a notification to its C2 server. Time on the host and its name are sent in clear in the query string of the URL:


keybase.png


For KeyBase variants C2 beaconing activity, filename and query string format are fixed. However, directory names vary from one server to another:

 

keybase-2.png


Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop an app rule on RSA Security Analytics to detect the malicious traffic. The following query can be used:

          filename = 'post.php' && query begins 'type=' && client !exists


Scan results for a couple of KeyBase variants can be found on VirusTotal:

     SHA1: 6569a933f82c9ff8c06c2cfc70da0efd92d78a95
     SHA1: ef0d13645fab775a21f00ffff5b587955884498c


Finally, all of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.

4 Comments
EdPadilla
Occasional Contributor
Occasional Contributor
‎2022-06-22 02:02 PM
‎2022-06-22 02:02 PM

i unable to locate the RSA First watch live feeds

Will_G
Moderator Moderator
Moderator
‎2022-06-23 01:27 PM
‎2022-06-23 01:27 PM

Hi @EdPadilla

 

The reason that you cannot find them is that all of the legacy RSA FirstWatch feeds were discontinued some time ago. This blog post is from ‎2015-06-25 and the feeds that the author references are no longer in service. For more information, feel free to email me directly: will.gragido@netwitness.com

 

Best regards, 

 

Will Gragido 

EdPadilla
Occasional Contributor
Occasional Contributor
‎2022-06-23 01:45 PM
‎2022-06-23 01:45 PM
Was there a replacement? Or is other way to obtain your feeds?
Will_G
Moderator Moderator
Moderator
‎2022-06-23 01:56 PM
‎2022-06-23 01:56 PM

Hello @EdPadilla

 

No, there were no replacements for those feeds. And to date, there are no official plans to replace them or resurrect them (identically) moving forward. We are working on net new feed concepts and offerings however, I am not in a position today where I can or will be able to publicize that information. Feel free to reach out to me directly with any other questions or concerns you may have. 

 

B/r, 

 

Will Gragido 

© 2022 RSA Security LLC or its affiliates. All rights reserved.