Fake KeePass password manager leads to ESXi ransomware attack

Parkinsond (Thread author)
Dec 6, 2023
Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.

WithSecure's Threat Intelligence team discovered the campaign after they were brought in to investigate a ransomware attack. The researchers found that the attack started with a malicious KeePass installer promoted through Bing advertisements that promoted fake software sites.

As KeePass is open source, the threat actors altered the source code to build a trojanized version, dubbed KeeLoader, that contains all the normal password management functionality. However, it includes modifications that install a Cobalt Strike beacon and export the KeePass password database as cleartext, which is then stolen through the beacon.


I once faced a similar scenario, but it was new software I had never heard of before.
Kaspersky did not discover it by on-demand scan; only after the complete install did System Watcher declare the detection of ransomware.
It managed to remove it, but the aftermath was beyond repair; I re-installed Windows.
 

Jonny Quest
Mar 2, 2023
From the WithSecure PDF link in the article:

Defence Evasion
The way that KeeLoader, and KeeLoader's previous variants, are implemented makes them stealthy. The created binaries are almost identical to the legitimate versions, with minimal modifications allowing for the nefarious functionality. The modified executables and installer were also all signed with trusted signatures. Sandbox detection is also difficult as the malicious functionality will only manifest once a password database is opened in KeePass. Furthermore, when KeeLoader loads a Cobalt Strike beacon, the loaded beacon is encrypted and only executed when the backdoor is triggered manually. This reduces the chances of detection through automated malware sandboxing.
 
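Taken together, the article quoted in the first post (ad-promoted clone site, cleartext export of the opened database, Cobalt Strike beacon) and the WithSecure excerpt above (signed, near-identical binaries whose payload only fires once a database is opened, so sandboxes see nothing) point to the same defensive conclusion: static checks on the installer are unreliable, and endpoint behaviour is the better signal. The Python sketch below is an added example, not code from the thread, the article or WithSecure's report. It runs three behavioural checks over constructed telemetry: a KeePass-looking installer fetched from a non-official origin, KeePass.exe writing a cleartext export shortly after opening a .kdbx, and KeePass.exe connecting to an unexpected host. The event schema, `OFFICIAL_DOMAIN`, `EXPORT_WINDOW`, `EXPORT_EXTENSIONS` and every sample value are assumptions made for illustration.

```python
"""Behavioural indicators for a trojanized KeePass build (KeeLoader-style).

Added example for this thread; it is not code from the article, the forum
posts or WithSecure's report. The telemetry schema is constructed and
simplified, OFFICIAL_DOMAIN and EXPORT_WINDOW are assumptions, and the sample
events are made up to exercise the three checks.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Iterable
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "keepass.info"             # assumption: only trusted download/update origin
EXPORT_EXTENSIONS = {".csv", ".xml", ".txt"}  # cleartext export formats worth watching
EXPORT_WINDOW = timedelta(minutes=10)         # assumption: export soon after database open


@dataclass
class Event:
    ts: datetime
    host: str      # endpoint name
    kind: str      # "download", "file_open", "file_write" or "net_connect"
    process: str   # image name that produced the event, e.g. "KeePass.exe"
    target: str    # URL, file path or remote host, depending on kind


def trusted_origin(hostname: str) -> bool:
    """True for the official domain and its subdomains only."""
    h = hostname.lower()
    return h == OFFICIAL_DOMAIN or h.endswith("." + OFFICIAL_DOMAIN)


def suspicious_download(ev: Event) -> bool:
    """A KeePass-looking installer fetched from anywhere but the official site.

    This is the malvertising vector from the article: an ad-promoted clone
    site serving a trojanized installer.
    """
    if ev.kind != "download" or "keepass" not in ev.target.lower():
        return False
    return not trusted_origin(urlparse(ev.target).hostname or "")


def analyze(events: Iterable[Event]) -> list[tuple[str, str]]:
    """Return (host, alert) pairs for the three behavioural indicators."""
    alerts: list[tuple[str, str]] = []
    last_db_open: dict[str, datetime] = {}  # host -> when KeePass.exe last opened a .kdbx

    for ev in sorted(events, key=lambda e: e.ts):
        if suspicious_download(ev):
            alerts.append((ev.host, f"KeePass installer fetched from untrusted origin: {ev.target}"))
            continue
        if ev.process.lower() != "keepass.exe":
            continue
        suffix = PureWindowsPath(ev.target).suffix.lower()
        if ev.kind == "file_open" and suffix == ".kdbx":
            last_db_open[ev.host] = ev.ts
        elif ev.kind == "file_write" and suffix in EXPORT_EXTENSIONS:
            # KeeLoader dumps the opened database as cleartext; a legitimate
            # user export looks the same on disk, so correlate with the open.
            opened = last_db_open.get(ev.host)
            if opened is not None and ev.ts - opened <= EXPORT_WINDOW:
                alerts.append((ev.host, f"cleartext export written shortly after database open: {ev.target}"))
        elif ev.kind == "net_connect" and not trusted_origin(ev.target):
            # The beacon runs inside KeePass.exe, so its traffic carries the
            # password manager's process name.
            alerts.append((ev.host, f"KeePass.exe connected to unexpected host: {ev.target}"))
    return alerts


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign use.
T0 = datetime(2025, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws01", "download", "msedge.exe",
          "https://keepass-download.example/KeePass-Setup.exe"),  # made-up clone site
    Event(T0 + timedelta(minutes=5), "ws01", "file_open", "KeePass.exe",
          r"C:\Users\alice\Documents\vault.kdbx"),
    Event(T0 + timedelta(minutes=6), "ws01", "file_write", "KeePass.exe",
          r"C:\Users\alice\AppData\Local\Temp\vault-export.csv"),
    Event(T0 + timedelta(minutes=7), "ws01", "net_connect", "KeePass.exe",
          "203.0.113.10"),  # TEST-NET address, stands in for a beacon server
    Event(T0, "ws02", "download", "msedge.exe", "https://keepass.info/download.html"),
    Event(T0 + timedelta(minutes=2), "ws02", "file_open", "KeePass.exe", r"C:\Users\bob\vault.kdbx"),
    Event(T0 + timedelta(minutes=3), "ws02", "net_connect", "KeePass.exe", "keepass.info"),
    Event(T0 + timedelta(hours=2), "ws02", "file_write", "KeePass.exe", r"C:\Users\bob\vault.kdbx"),
]

if __name__ == "__main__":
    for host, alert in analyze(SAMPLE_EVENTS):
        print(f"[{host}] {alert}")
```

Run as a script it prints three alerts, all for ws01, and nothing for ws02. The export check is deliberately narrow (a write in a cleartext format within minutes of a database open, by the KeePass process itself) because a user-initiated export produces the same file; the correlation, not the file type alone, is what separates the two. None of these checks depends on the installer's signature or on sandbox execution, which is exactly what the excerpt above says the attackers defeated.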
