Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: machinename=1' AND (SELECT 5650 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT (ELT(5650=5650,1))),0x71706a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'oAZi'='oAZi&windowtitle=a&keystrokestyped=a&machinetime=a&type=keystrokes Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
#KEYBASE KEYLOGGER CODE#
The Web Control Panel gives you the control on all the information stolen from infected machines as seen in the following image: Exploitĭefault credentials for the web panels are: Admin :Admin, KeyBase:Logs123!Īnalyzing the source code of the Web panel, you can identify multiple vulnerabilities: Post.php is vulnerable to SQL Injection (Error & Blind Based) and Cross Site Scripting (XSS) because the “ machinename, windowtitle, keystrokestyped, machinetime” parameters are not filtered in any way. KeyBase notification is issued to the remote server once it has been installed: Note the absence of certain HTTP headers.
The most interesting thing, especially for the poor quality of the code, is the web interface.Īll the communications with the remote server are performed via simple HTTP requests and they are not encrypted. It also set a key value in the registry as follow:
This information cannot be changed by the builder and is statically set in the source code. Malware persistence is obtained by copying the executable in the Startup folder under the name of Important.exe (visible in the first block of code).
#KEYBASE KEYLOGGER WINDOWS#
Mainly “ replace” and “ reverse” operations to characters and strings, in addition to these operations, all the Microsoft Windows API calls are encrypted. The author has taken a number of simple obfuscation techniques to strings used in the code. You can locate a key within resources of the program, once compiled, that appears unique to each build performed on the same machine.
#KEYBASE KEYLOGGER SOFTWARE#
General Purpose Software (FileZilla, JDownloader, IDM, Imvu, PalTalk).Client Email (Outlook, Thunderbird, Incredimail, NetScape, Eudora).Browsers (Chrome, FIrefox, Internet Explorer, Opera, Safari).HotLogging(Keylogging ofspecific windows.ex.“We believe that they launder their money through a few strategies such as buying gold and luxury items, or mixing the money they have obtained through these scams with money collected legitimately.Keybase is written in C# and among its features we can find: “With this single transaction, the scammer is slated to collect over $1 million,” FireEye wrote.
FireEye included emails from one scammer to a money mule partner in Indonesia alerting that $900,000 and €300,000 would be transferred to an account soon. Some operations have been very lucrative successes.
The scammers then use a network of mules to accept the payments into their own accounts and forward it on. The scammers then pressure one party to accept different bank account details, diverting money to their own accounts. If a pending transaction looks promising, the group creates a similar email address as to the victim, copying the email thread between the two parties to make it look legitimate. “Once the scammers identify an interesting victim, they log into the victims accounts using the stolen credentials and study the different transactions in which the victims are involved,” FireEye wrote.
0 kommentar(er)
