21 JUN 2016

Ransomware gets a lot of attention these days, and understandably so.

It’s the digital equivalent of a punch in the face: there’s no doubt what’s happened, and the crooks leave no stone unturned to make sure you know it.

Some ransomware not only creates some sort of HOW-TO-PAY document in every directory where there are scrambled files, but also changes your desktop wallpaper so that the payment instructions are visible all the time.

You can argue, however, that less visible malware attacks are even worse, especially if you only find out about them days or weeks after they started, and they include some sort of data-stealing payload.

Like the range of malware that SophosLabs researcher Gabor Szappanos (Szapi) was reviewing recently while working on a paper about Word-based attacks.

Sophos Home

Szapi was looking at a particular subset of Word-borne hacks: what are known as exploit kits.

Exploit kits are pre-packaged, booby-trapped files that automatically try to take over applications such as Word or Flash as soon as you open up one of the malicious files.

The idea is to bypass any pop-up warnings that would usually appear (such as “you need to enable macros,” or “are you sure you want to install this software”) by crafting the exploit file so it causes a controllable crash in the application that just loaded it.

Szapi noticed that all of the exploit kits he’d covered in his paper (going by names like Microsoft Word Intruder, AK-1, AK-2, DL-1 and DL-2) had been used at some time to distribute data-stealing malware known as KeyBase.

His first thought was along the lines that “KeyBase ought to be dead by now, because it’s been around for a while, it’s well-known, and the author himself took it offline long ago.”

key logger

Sadly, however, the KeyBase Trojan is alive and well, even though it’s no longer openly available.

KeyBase is primarily a keylogger, meaning that it keeps track of what you type, collects up the data, and regularly uploads it to the crooks using innocent-looking HTTP requests.

When would-be cybercrooks set it up, there’s a point-and-click configuration system, so they don’t need any technical knowledge to decide what parts of your digital lifestyle to spy on:



Monitoring the clipboard gives away plenty of information about your business, because you generally use the clipboard for items of immediate importance, such as copying-and-pasting text out of emails into documents, or vice versa.

That makes the clipboard a handy signal of interesting data about your business, such as this example data from KeyBase’s cloud-based servers:


KeyBase and other malware families like it are examples of Crimeware-as-a-Service (CaaS).

That’s where a group of technically-savvy criminals provides the servers and the control panels, renting out access to allow any number of non-technical crooks to jump right into the cybercrime scene.

Once a team of crooks has inside information on your business, such as your email passwords and a list of the people you do business with, they are well-placed to start bleeding you for money.

With ransomware, you generally know beyond doubt what has happened; you have a short list of choices of what to do next; and you have a firm price in Bitcoin staring you in the face.

But with system-sniffing malware like KeyBase to teach them how to login to your accounts, crooks can correspond with your creditors and debtors using your email address; change account numbers to divert payments; alter invoices; place bogus orders…

…and then, because they control your logins, they can cover their tracks (for example by deleting sent emails that you’ll know you didn’t write) to keep their swindle going as long as possible.

News Courtesy: