CyberSecurity news
@www.bleepingcomputer.com
Cybercriminals have been distributing trojanized versions of the KeePass password manager for at least eight months. The malicious builds install Cobalt Strike beacons, steal the credentials stored in the victim's database, and ultimately deploy ransomware on the compromised network. The intrusions begin with users downloading fake KeePass installers promoted through malicious advertisements on search engines such as Bing and DuckDuckGo, which redirect victims to lookalike websites.
Once installed, the trojanized KeePass variants, referred to as "KeeLoader," function as both a credential stealer and a loader for additional malware. Because a KeePass database is only readable after the user unlocks it, the altered versions wait for that moment and then export the password database in clear text, relaying it to the attackers via the Cobalt Strike beacon. This gives the cybercriminals working credentials for internal networks, VPNs, and cloud services. With that access they deploy ransomware payloads, often targeting VMware ESXi servers to encrypt datastores, disrupting operations and demanding ransom payments.
Researchers at WithSecure found that the attackers modified the open-source KeePass code, embedding the malicious functionality directly into the application rather than bundling a separate dropper. This makes the altered builds difficult to detect: they retain all legitimate functionality while silently logging credentials and exporting them as CSV files. The malicious versions were also signed with valid, trusted code-signing certificates, so a "signature is valid" result on its own proves nothing about who built the binary; the signer identity and the published file hash have to be checked as well. Security experts emphasize downloading software only from the official website, typed directly rather than reached through a search ad, and verifying the installer's authenticity before running it.
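The verification step the article recommends, as an added example (this is not code from the article or from the KeePass project): a PowerShell check that refuses an installer unless its SHA-256 matches the hash published on the official site, its Authenticode signature is valid, and the signing certificate's subject matches the expected publisher. The last check matters precisely because the trojanized builds were signed with valid certificates. The expected hash and publisher subject are assumed to be supplied by the operator from keepass.info; no real values are hard-coded here, and the file name in the usage line is a placeholder.

```powershell
# Added example, not from the original article or the KeePass project.
# Verifies a downloaded KeePass installer with three independent checks.
function Test-KeePassInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 taken from the official keepass.info download page (operator-supplied).
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Substring of the expected signer subject, e.g. the publisher CN shown on the
        # official binary's signature (operator-supplied; assumption, not reproduced here).
        [Parameter(Mandatory)] [string] $ExpectedSignerSubject
    )

    $result = [ordered]@{
        Path        = $Path
        HashOk      = $false
        SignatureOk = $false
        SignerOk    = $false
        Signer      = $null
        Verdict     = 'REJECT'
    }

    # Check 1: file hash must match the published value.
    $actualHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actualHash -ieq $ExpectedSha256)

    # Check 2: Authenticode status must be 'Valid' (chains to a trusted root, file not tampered).
    # On its own this only proves that *some* trusted certificate signed the file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureOk = ($sig.Status -eq 'Valid')

    # Check 3: the signer must be the expected publisher, not merely a valid certificate.
    if ($null -ne $sig.SignerCertificate) {
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.SignerOk = ($sig.SignerCertificate.Subject -like "*$ExpectedSignerSubject*")
    }

    if ($result.HashOk -and $result.SignatureOk -and $result.SignerOk) {
        $result.Verdict = 'OK'
    }
    [pscustomobject]$result
}

# Usage (placeholders; replace with the values from the official site before use):
# Test-KeePassInstaller -Path "$env:USERPROFILE\Downloads\KeePass-Setup.exe" `
#     -ExpectedSha256 '<sha256 from keepass.info>' `
#     -ExpectedSignerSubject '<publisher CN from the official signature>'
```

Run it against the downloaded file before executing the installer; anything other than `Verdict = OK` means the file should be discarded. The output object lists which of the three checks failed, which is useful when triaging a suspected lookalike download: a valid signature with an unexpected `Signer` is exactly the pattern this campaign relied on.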
References:
- BleepingComputer: Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.
- securityonline.info: Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials
- The DefendOps Diaries: Revised Analysis of KeePass Exploitation and Ransomware Deployment
- www.bleepingcomputer.com: Fake KeePass password manager leads to ESXi ransomware attack
- cyberinsider.com: KeePass Clone Used for Deploying Malware and Stealing Credentials
- www.helpnetsecurity.com: Trojanized KeePass opens doors for ransomware attackers
- www.scworld.com: 'Textbook identity attack' dropped ransomware via fake KeePass site
- www.techradar.com: Hackers are distributing a cracked password manager that steals data, deploys ransomware
Classification:
- HashTags: #KeePass #Ransomware #PasswordStealer
- Company: Microsoft
- Target: KeePass users
- Product: KeePass
- Feature: Password Management
- Malware: KeeLoader
- Type: Malware
- Severity: Major