Cybercriminals have been distributing malicious versions of the open-source KeePass password manager for at least eight months as part of a sophisticated campaign to steal credentials, deploy Cobalt Strike beacons, and ultimately launch ransomware attacks.
According to a new report from WithSecure's Threat Intelligence team, the campaign was uncovered during an investigation into a ransomware attack on a corporate network. The attackers used Bing ads to lure victims to fake KeePass download sites, where they unknowingly installed a trojanized version of the software. This attack resulted in the encryption of the victim’s VMware ESXi servers.
Dubbed KeeLoader, the malicious KeePass variant retains all of the original functionality but includes hidden modifications that install a Cobalt Strike beacon, a post-exploitation framework widely abused by attackers, and silently export the victim's password database in plaintext.
WithSecure researchers found that the beacons in this campaign shared a unique watermark previously linked to Initial Access Brokers (IABs) associated with the Black Basta ransomware group.
The investigation also revealed that multiple KeeLoader variants had been signed with legitimate digital certificates and distributed via typo-squatting domains such as keeppaswrd[.]com, keegass[.]com, and KeePass[.]me. The trojanized installers captured credentials entered into the application and exfiltrated the KeePass database as a plaintext CSV file. Because the builds were validly signed and fully functional, a signature-validity check alone would not have flagged them; the signer identity has to be compared against the genuine publisher, and the download source against the project's real domain.
Threat actors have also created fake subdomains on aenys[.]com impersonating popular services like WinSCP, Phantom Wallet, Sallie Mae, and Woodforest Bank to distribute other malware or harvest credentials.
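The indicators above (the typo-squatted KeePass domains and the brand-named subdomains on aenys[.]com) lend themselves to a simple triage check over DNS or proxy logs. The script below is an added example, not code from WithSecure's report or from the KeePass project: it flags three patterns seen in this campaign, a brand label on an unexpected TLD, a brand label used as a subdomain of an unrelated domain, and near-miss or padded spellings of the brand. The legitimate-domain table, the edit-distance threshold, the "collapse repeated letters" stem heuristic and the sample log lines are all assumptions constructed for illustration.

```python
"""Triage domains from DNS or proxy logs for look-alikes of KeePass and WinSCP.

Added example; it is not code from WithSecure's report or from the KeePass
project. The legitimate-domain table and the three heuristics are assumptions
chosen for illustration, and the log lines below are constructed.
"""
from __future__ import annotations

# Assumed legitimate registrable domain for each brand label we care about.
LEGIT = {
    "keepass": "keepass.info",
    "winscp": "winscp.net",
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def collapse(s: str) -> str:
    """Collapse runs of repeated characters: 'keeppaswrd' -> 'kepaswrd'."""
    out: list[str] = []
    for ch in s:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def split_domain(domain: str) -> tuple[list[str], str]:
    """Return (labels left of the TLD, tld); accepts defanged 'x[.]y' indicators."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[:-1], parts[-1]


def classify(domain: str) -> tuple[str, str] | None:
    """Return (brand, reason) if the domain looks like an impersonation, else None."""
    labels, tld = split_domain(domain)
    if not labels:
        return None
    registrable = f"{labels[-1]}.{tld}"
    if registrable in LEGIT.values():
        return None  # the real site, including its own subdomains
    for brand in LEGIT:
        if brand in labels:
            if labels[-1] == brand:
                return brand, "brand label on unexpected TLD"      # KeePass[.]me
            return brand, "brand as subdomain of unrelated domain"  # winscp.aenys[.]com
        label = labels[-1]
        if damerau_levenshtein(label, brand) <= 2:
            return brand, "near-miss spelling"                      # keegass[.]com
        if collapse(label).startswith(collapse(brand)):
            return brand, "brand stem with trailing characters"     # keeppaswrd[.]com
    return None


def triage(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Pull the queried domain from 'ts client domain' lines and keep the suspicious ones."""
    hits = []
    for line in log_lines:
        domain = line.split()[-1]
        verdict = classify(domain)
        if verdict:
            hits.append((domain, *verdict))
    return hits


# Constructed sample DNS log lines; the indicators are the ones named in the report.
SAMPLE_LOG = [
    "2025-05-19T10:01:02Z 10.0.0.5 keepass.info",
    "2025-05-19T10:01:09Z 10.0.0.5 keeppaswrd[.]com",
    "2025-05-19T10:02:11Z 10.0.0.7 keegass[.]com",
    "2025-05-19T10:03:40Z 10.0.0.7 KeePass[.]me",
    "2025-05-19T10:04:03Z 10.0.0.9 winscp.aenys[.]com",
    "2025-05-19T10:04:55Z 10.0.0.9 www.winscp.net",
]

if __name__ == "__main__":
    for domain, brand, reason in triage(SAMPLE_LOG):
        print(f"{domain:22} {brand:8} {reason}")
```

Run against the constructed log, the four campaign indicators are flagged and the two legitimate hosts are not. The stem heuristic is deliberately loose (it is what catches keeppaswrd[.]com, which is four edits away from keepass), so treat its hits as a triage queue rather than a block list and extend LEGIT with every brand domain your environment genuinely uses.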
WithSecure attributes this campaign with moderate confidence to UNC4696, a threat actor previously linked to the Nitrogen Loader and BlackCat/ALPHV ransomware campaigns.