Security researchers are aware of forums that offer downloads of malicious software such as keyloggers and remote access tools. Some inexperienced hackers may visit these forums and decide to chase the money and create a malicious agenda.
The following is a snippet from a popular hacking forum.
We recently received a submission with the filename 17_02_16~_HKL_Purchase_Order.ace. This file contained another file with a .scr (screen saver) extension. The extracted file was a keylogger/password stealer known as KeyBase.
KeyBase comes in a kit:
The KeyBase kit offers various configuration options. The password option allows the user to steal passwords from various mail clients/browsers and other popular applications. These kits make it very easy for anyone with little to no skill to create malicious programs.
We replicated the sample and navigated to the control server:
We noticed that it had a very specific welcome message, so we decided to do some searching.
We found the username shown on the control server had been registered on several malicious forums. Upon further investigation we found this actor had downloaded several malicious kits and probably got the builder for KeyBase from one of these sites. The activity on some sites dated to 2013.
We next tried to find out if this actor was involved in any past malicious activities. We looked at how the actor tried to spread the malware and whether the filename of the .ace file was unique. We found only one other instance of a similar filename.
The file we found dated back January. Upon analyzing the file, we found it to be the keylogger HawkEye. This keylogger is very easy to find on these malicious sites.
Here is a screen shot of Version 3 of the malicious builder:
We dived deeper and found the email address associated with the hacking forum accounts. We found five domains that were registered using this email address:
As we wrote this post, all of these domains were down. However, it is more than likely that these domains were or will be used for malicious purposes.
We found a username associated with the email address on the popular file-sharing website 4shared.
This user had uploaded 12 files, including a text file with nearly a half-million email addresses. This would have no doubt been used as part of a spam campaign to spread the malware.
With all the information that we have collected, we can see that malicious forums make it easy for someone with little skill to create malware. An experienced actor would work in a much more covert way. However, both types can be dangerous.
Intel Security detects this keylogger threat as Trojan-FHWM since DAT Version 8079.