Fake password manager leads to VMware ESXi hack

Cybercriminals have been spreading manipulated versions of the KeePass password manager for at least eight months. This modified software is used to install Cobalt Strike beacons, steal login credentials, and ultimately activate ransomware on infected networks.

The Threat Intelligence team at WithSecure discovered this campaign during an investigation into a ransomware attack. Their analysis revealed that the attack began with a malicious KeePass installation, which was promoted via Bing ads on fake websites that resembled legitimate software pages.

Because KeePass is open-source, attackers were able to modify the source code and create a manipulated version, which they call KeeLoader. This version retains the normal functionalities of KeePass but contains additional code that installs a Cobalt Strike beacon and exports the password database as plain text. This data is then exfiltrated via the beacon.

Specific watermark

According to WithSecure, the Cobalt Strike watermarks used in this campaign are linked to a so-called Initial Access Broker (IAB). This is an intermediary who is believed to have been involved in previous attacks using the Black Basta ransomware. A Cobalt Strike watermark is a unique code in a beacon that is linked to the license used.

WithSecure explains that this specific watermark often appears in connection with beacons and domains related to Black Basta attacks. The group behind these attacks appears to be collaborating with the ransomware gang as an IAB. Although no other cases in which this specific watermark was used are known, that does not rule out its use elsewhere.

Researchers discovered several variants of KeeLoader that were signed with legitimate certificates. Criminals are spreading it via domain names that resemble KeePass. Examples include keeppaswrd[.]com, keegass[.]com, and KeePass[.]me. The website keeppaswrd[.]com is still active and continues to spread the infected installer, according to BleepingComputer.

In addition to spreading Cobalt Strike, the malicious KeePass version also contains functionality to steal entered passwords directly. According to WithSecure, KeeLoader has not only been modified to install malware. It has also been expanded with functions to extract data from KeePass databases. When the database is opened, data such as account names, usernames, passwords, websites, and comments are stored as a CSV file in the user’s local folder with a random filename ending in .kp.
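A defender who wants to hunt for the artifact described above can look for the exported CSV itself. The following is an added example, not code from the article or from WithSecure: it walks a user profile directory for files with a random-looking name ending in .kp and checks whether their contents parse as a consistent five-column CSV. The five-column layout (account, username, password, website, comment), the alphanumeric "random filename" pattern and the profile path are assumptions made here; the sample files are constructed.

```python
"""Hunt for KeeLoader-style plaintext exports of a KeePass database.

Assumptions (not stated in the article): the export has five CSV columns,
the random filename is alphanumeric, and it lives under the user's profile.
"""
import csv
import io
import re
import tempfile
from pathlib import Path

RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{6,}\.kp$")  # assumed filename shape
EXPECTED_COLUMNS = 5  # assumed: account, username, password, url, notes


def looks_like_db_export(data: bytes) -> bool:
    """Heuristic: UTF-8 CSV with a header plus at least one data row,
    every row having exactly EXPECTED_COLUMNS fields."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    return len(rows) >= 2 and all(len(r) == EXPECTED_COLUMNS for r in rows)


def find_suspicious_kp_files(root: str) -> list[str]:
    """Return paths of *.kp files under root whose name looks random and
    whose content looks like a credential export."""
    hits = []
    for path in Path(root).rglob("*.kp"):
        if RANDOM_NAME.match(path.name) and looks_like_db_export(path.read_bytes()):
            hits.append(str(path))
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed profile tree: one fake export, one benign .kp."""
    root = tempfile.mkdtemp()
    local = Path(root) / "AppData" / "Local"
    local.mkdir(parents=True)
    # Constructed sample rows; real exports would hold the victim's entries.
    (local / "x9Qk2mZ7.kp").write_text(
        "Account,UserName,Password,URL,Notes\n"
        "mail,alice,S3cret!,https://mail.example,work\n"
        "bank,alice2,hunter2,https://bank.example,\n"
    )
    (local / "readme.kp").write_text("not a credential export\n")
    return find_suspicious_kp_files(root)
```

Pair a hit with a check of the KeePass binary's signer and install source, since the article notes some KeeLoader builds carried legitimate certificates.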

The attack investigated by WithSecure ultimately led to the encryption of VMware ESXi servers with ransomware.

Extensive network

Further investigation revealed that the attackers had built an extensive network to distribute malicious software disguised as legitimate programs and to host phishing pages that steal login credentials. The domain name aenys[.]com was used to host subdomains that imitated well-known companies and services. Examples include WinSCP, PumpFun, Phantom Wallet, Sallie Mae, Woodforest Bank, and DEX Screener.

Each of these fake websites served a different purpose: either spreading different malware variants or stealing user data.

WithSecure attributes this campaign with reasonable certainty to UNC4696, a hacker group previously linked to the so-called Nitrogen Loader campaigns. These campaigns are in turn linked to the BlackCat/ALPHV ransomware groups.

Users are strongly advised to only download software, especially sensitive applications such as password managers, from official websites. Even if an advertisement displays the correct web address, caution is advised. Cybercriminals have often demonstrated that they can manipulate advertisements so that they lead to fake websites, even though the URL displayed appears legitimate.