Fake KeePass password manager leads to ESXi ransomware attack

Parkinsond
Thread author
Dec 6, 2023

Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.

WithSecure's Threat Intelligence team discovered the campaign after they were brought in to investigate a ransomware attack. The researchers found that the attack started with a malicious KeePass installer promoted through Bing advertisements that promoted fake software sites.

As KeePass is open source, the threat actors altered the source code to build a trojanized version, dubbed KeeLoader, that contains all the normal password management functionality. However, it includes modifications that install a Cobalt Strike beacon and export the KeePass password database as cleartext, which is then stolen through the beacon.


Once faced a similar scenario, but it was new software I had never heard about before.
Kaspersky did not detect it by on-demand scan; only after the complete install did System Watcher declare the detection of ransomware.
It managed to remove it, but the aftermath was beyond repair; I re-installed Windows.

From the WithSecure PDF link in the article:

Defence Evasion

The way that KeeLoader, and KeeLoader's previous variants, are implemented makes them stealthy. The created binaries are almost identical to the legitimate versions, with minimal modifications allowing for the nefarious functionality. The modified executables and installer were also all signed with trusted signatures. Sandbox detection is also difficult as the malicious functionality will only manifest once a password database is opened in KeePass. Furthermore, when KeeLoader loads a Cobalt Strike beacon, the loaded beacon is encrypted and only executed when the backdoor is triggered manually. This reduces the chances of detection through automated malware sandboxing.
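The quoted passage makes the practical point that a valid Authenticode signature on its own proved nothing here: the trojanized installer was signed too. The following pre-install check is an added example, not tooling from WithSecure or the KeePass project; $ExpectedSha256 and $ExpectedSignerSubject are assumptions that you would take from the project's official download page or a known-good copy, never from the site the installer was downloaded from.

```powershell
<#
Added example: verify a downloaded KeePass installer before running it.
Not the KeePass project's own script. The expected hash and signer subject
are assumptions supplied by the operator from an official, out-of-band source.
#>
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    [Parameter(Mandatory)] [string] $ExpectedSignerSubject
)

$findings = @()

# 1. Pinned hash: a rebuilt binary, however well signed, will not match the
#    hash published for the genuine release.
$actualSha256 = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
if ($actualSha256 -ne $ExpectedSha256) {
    $findings += "SHA-256 mismatch: got $actualSha256"
}

# 2. The signature must be valid AND from the expected signer. "Valid" alone is
#    exactly the property the trojanized builds already satisfied.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "Authenticode status: $($sig.Status)"
}
elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSignerSubject*") {
    $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Mark-of-the-Web (NTFS Zone.Identifier stream): record the download origin
#    so an ad-promoted lookalike domain is visible in the triage notes.
$zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
$hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
if ($hostUrl) { Write-Host "Downloaded from: $hostUrl" }

if ($findings.Count -eq 0) {
    Write-Host "OK: $Path matches the pinned hash and the expected signer"
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it as `.\Check-Installer.ps1 -Path .\KeePass-Setup.exe -ExpectedSha256 <hash from the official page> -ExpectedSignerSubject '<expected CN>'`; a non-zero exit means the file should be quarantined, not installed.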