Is Lemsip-laziness spreading keylogger malware?

News by Adrian Bridgwater

Are we tackling surface symptoms and missing the root cause of system infections when it comes to keylogger malware?

Palo Alto Networks has gone public on a new family of keylogger malware it has been tracking for some months. In the wild since February 2015, Palo Alto says the malware, known as 'KeyBase', can be purchased for US $50 (£33) directly from the author and has been deployed in attacks against 'many' organisations, delivered predominantly via phishing emails.

The firm itself specialises in providing a security platform that brings together all key network security functions including advanced threat protection, firewall, IDS/IPS, and URL filtering.

Engineers from Palo Alto's AutoFocus threat intelligence service confirm that they have now identified 295 unique samples of the malware in more than 1,500 unique sessions in the past four months.

The attacks themselves have primarily targeted the high tech, higher education and retail industries.

KeyBase, not Keybase

From initial reports it would appear that the malware family KeyBase (with a capital B) is not the same as (nor, it seems, a malicious variant of) project Keybase, an open source command line program attempting to make cryptographic keys, like those used for bitcoin wallets, easier for everyone to use.

A public hacking forum billing itself as a security education site detailed the genus and species of this advanced keylogging threat at the start of 2015. The site ran a listing detailing features including its fully undetected scan-time and run-time operation (although this claim was later removed), its ominously user-friendly web panel, and its Unicode support and password recovery options.

Phishing emails delivering this malware have been identified with attachment filenames including the following:

  • Purchase Order.exe
  • New Order.exe
  • Document 27895.scr
  • Payment document.exe
  • PO #7478.exe
  • Overdue Invoices.exe

According to Palo Alto Networks, “Persistence in KeyBase, should it be enabled, is achieved using two techniques - copying the malware to the startup folder or setting the Run registry key to autorun on startup. When KeyBase copies itself to the startup folder, it names itself ‘Important.exe.' This is statically set by the author and cannot be changed by the user in the current version.”
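A defender-side check for the two persistence locations just described, added here as an example (it is not code from the article or from Palo Alto Networks): it lists the Run/RunOnce values and Startup-folder contents and flags the 'Important.exe' name the article mentions, plus any executable dropped straight into a Startup folder. The registry paths are the standard Windows Run keys; no other indicators are assumed.

```powershell
# Added example (not from the article): audit the two KeyBase persistence
# locations described above. The only indicator taken from the article is the
# file name 'Important.exe'; the registry paths are the standard Windows Run keys.
function Get-AutorunFindings {
    param([string[]]$SuspectNames = @('Important.exe'))
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    $findings = @()

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
            $cmd = [string]$p.Value
            $findings += [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Target   = $cmd
                Suspect  = [bool]($SuspectNames | Where-Object { $cmd -like "*$_*" })
            }
        }
    }

    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            $findings += [pscustomobject]@{
                Location = $dir
                Name     = $f.Name
                Target   = $f.FullName
                # any PE dropped straight into a Startup folder merits review,
                # not only the name the article mentions
                Suspect  = ($f.Extension -in @('.exe', '.scr')) -or ($SuspectNames -contains $f.Name)
            }
        }
    }
    return $findings
}

Get-AutorunFindings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Anything flagged as Suspect should be checked against the file's hash and signer before it is removed, since legitimate software also registers itself in these locations.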

A keylogger is intended to map and record a user's keystrokes to capture personal information and passwords while it is being keyed in. Early keyloggers date back to the 1970s. Today a growing number of keylogger technologies are surfacing for the mobile arena including, for example, the Mobile Spy Android Keylogger product. Not all use of keyloggers is malicious; the technology can also be used for monitoring children or employees.

Speaking to SC this weekend, Fraser Kyne, principal systems engineer at Bromium, reminded SC that the job of the hacker is made 'all too easy' with these tools; but that's not the real problem, he says: it's just a symptom of the underlying issue.

Lemsip laziness

“The real issue is that we're woefully behind the times when it comes to protecting our systems. The IT security industry is driven on selling Lemsip for the symptoms of a cold rather than attempting to tackle the root cause. The fact that this malware has been active in the wild for some time is further proof that we cannot rely on detection to protect us. The only meaningful defence is based on isolation - where these kinds of attacks are simply made irrelevant,” said Kyne.

Bromium's Kyne continued, “If I isolate the keylogger so it can't see anything of value, and can't log keys for anything but itself, I don't need to care any more. Innovative technology like micro-virtualisation provides a practical means of interacting with the outside world while protecting from these attacks by design. When anyone who has already taken this next evolutionary step reads about this new keylogger they can simply smile and get on with their working day.”

Gavin Reid, VP threat intelligence, Lancope, adds: “Tools for the miscreants like keyloggers are priced according to supply and demand. Often criminal gangs purchase off-the-shelf kits because it's a lot easier and cheaper than making your own, but more importantly they still work. We really need to get to the point where malware persistence is not as easy as copying an executable to a run key or start-up folder. This says more about the current state of PC security than it does about the hackers.”
