Threat actors have successfully exploited the widely used open-source password manager, KeePass, to spread malware and facilitate large-scale password theft.
The attack, which was reported by WithSecure’s Incident Response team, involved modifying and re-signing KeePass installers with trusted certificates to deliver a custom malware loader dubbed KeeLoader.
Malware Delivery Through KeePass
The infection chain began with malvertising campaigns on popular search engines like Bing and DuckDuckGo, directing users to fraudulent download pages masquerading as official KeePass sites.
Once installed, the modified KeePass software included components designed not only to manage passwords but also to exfiltrate user credentials.
KeeLoader, as analyzed by WithSecure, modifies KeePass’s executable files, namely KeePass.exe and ShInstUtil.exe, to incorporate malicious functionality.
Upon installation, this trojanized version of KeePass sets up an autorun registry key, ensuring persistence and stealthily deploying a Cobalt Strike beacon.
This beacon masquerades as a legitimate JPG file, using RC4 encryption for concealment, and is triggered only when a password database is accessed, evading conventional sandbox detection.
Credential Theft and Data Exfiltration
The malware systematically extracts KeePass database information, including account details and passwords, saving these in CSV format locally under a random integer filename.
According to the report, this method implies a manual retrieval mechanism, likely through the activated Cobalt Strike beacon, reducing the digital footprint of the attack.
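The export behaviour described above gives defenders a simple hunting lead: a CSV file whose name is nothing but an integer is unusual on a user profile. The script below is an added example (not WithSecure’s tooling or anything from the report) that walks a directory tree, flags such files, and applies one labelled assumption, that a dump of KeePass entries carries a column containing “password” in its header row. The sample profile it builds is constructed inline so the script runs offline.

```python
import os
import re
import tempfile

# File-name shape described in the report: an integer-only stem with a .csv
# extension (e.g. 493827.csv). The concrete names used below are constructed.
NUMERIC_CSV = re.compile(r"^\d+\.csv$", re.IGNORECASE)


def find_numeric_csv(root):
    """Walk `root` and return every CSV whose file name is only digits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NUMERIC_CSV.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def header_mentions_password(path):
    """Assumption: a dump of KeePass entries names a 'password' column in its
    header row. Only the first line is read; odd encodings are tolerated."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        first = fh.readline()
    return "password" in first.lower()


def hunt(root):
    """Return (path, header_flag) for each numeric-named CSV under `root`."""
    return [(p, header_mentions_password(p)) for p in find_numeric_csv(root)]


def summarize(root):
    """Map file name -> header flag, convenient for reporting and for tests."""
    return {os.path.basename(p): flagged for p, flagged in hunt(root)}


def build_sample_tree():
    """Constructed sample profile: one suspicious dump plus three decoys."""
    root = tempfile.mkdtemp(prefix="keepass-hunt-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "493827.csv"), "w", encoding="utf-8") as fh:
        fh.write("Title,UserName,Password,URL\n")
        fh.write("bank,alice,hunter2,https://bank.example\n")
    with open(os.path.join(docs, "report.csv"), "w", encoding="utf-8") as fh:
        fh.write("quarter,revenue\n")          # normal name, ignored
    with open(os.path.join(root, "1234.txt"), "w", encoding="utf-8") as fh:
        fh.write("notes\n")                    # numeric name, wrong extension
    with open(os.path.join(root, "77.csv"), "w", encoding="utf-8") as fh:
        fh.write("id,value\n")                 # numeric CSV, benign header
    return root


if __name__ == "__main__":
    for path, flagged in hunt(build_sample_tree()):
        print(("SUSPECT " if flagged else "review  ") + path)
```

Point the script at real profile directories (for example `C:\Users\<name>`) rather than the constructed tree; a hit is a lead to examine, and the header check only narrows the list, it does not confirm a dump.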
The campaign’s infrastructure revealed connections to a notorious Initial Access Broker (IAB), linked to several high-profile ransomware attacks over the past two years.
The attackers combined domains registered through Namecheap, hosting behind Cloudflare, and legitimate certificates used to sign their malware, while their HTTPS certificates were issued by Google Trust Services with a three-month validity span.
This attack underscores the effectiveness of malvertising in the cybercriminal toolkit, showcasing a shift towards more technically sophisticated and stealthier malware droppers.
The continuous development of KeePass trojans indicates a trend towards simultaneous network access compromise and digital identity theft, contributing to an ever-growing ransomware ecosystem.
The overlap with tactics of known ransomware groups like Black Basta and BlackCat, coupled with the usage of initial access malware, malvertising, and custom loaders, suggests a well-connected and resourced operation.
However, discrepancies, such as the ransom note mimicking Akira ransomware but with unique identifiers, complicate attribution attempts, pointing towards potential “as-a-service” operations or actors operating independently.
This incident reveals the persistent threat from ransomware, exacerbated by a robust underground market for cyber tools and services.
The continuous evolution of attack vectors, especially through trusted software like KeePass, necessitates enhanced vigilance and advanced detection capabilities across the cybersecurity industry.
Indicators of Compromise (IOC):
| Type | Value |
|---|---|
| Malicious URLs | hxxps://lvshilc[.]com/KeePass-2.56-Setup.exe, hxxps://keeppaswrd[.]com/download.php, … |
| Malicious Domains | KeePass-info[.]aenys[.]com, keeppaswrd[.]com, lvshilc[.]com, … |
| Malicious Files | KeePass-2.56-Setup.exe (SHA256: 0000cff6a3c7f7eebc0edc3d1e42e454ebb675e57d6fc1fd968952694b1b44b3), … |
| Certificates | Certificate names and thumbprints used in signing the malware, … |
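The indicators above are defanged (hxxps://, [.]) so they cannot be clicked by accident, which also means they cannot be matched against logs as written. The following added example (not code from the report or from WithSecure) refangs the domains and URLs from the table, checks DNS and proxy log lines for those domains or any of their subdomains, and looks up a file hash against the listed SHA-256. The log lines are constructed for the demonstration.

```python
import hashlib
import re

# IOCs transcribed from the table above, in their defanged form.
DEFANGED_URLS = [
    "hxxps://lvshilc[.]com/KeePass-2.56-Setup.exe",
    "hxxps://keeppaswrd[.]com/download.php",
]
DEFANGED_DOMAINS = [
    "KeePass-info[.]aenys[.]com",
    "keeppaswrd[.]com",
    "lvshilc[.]com",
]
# SHA-256 of the trojanized installer as listed in the table.
IOC_SHA256 = {
    "0000cff6a3c7f7eebc0edc3d1e42e454ebb675e57d6fc1fd968952694b1b44b3":
        "KeePass-2.56-Setup.exe",
}

# Constructed sample log lines (a DNS resolver and a web proxy); line 2 is a
# benign lookup of the real KeePass site and must not match.
SAMPLE_LOG = [
    "2024-01-10T09:12:01Z client=10.0.0.5 query=keeppaswrd.com type=A",
    "2024-01-10T09:12:05Z client=10.0.0.5 query=www.keepass.info type=A",
    "2024-01-10T09:13:44Z client=10.0.0.7 GET https://lvshilc.com/KeePass-2.56-Setup.exe 200",
    "2024-01-10T09:15:00Z client=10.0.0.9 query=cdn.KeePass-info.aenys.com type=A",
]


def refang(value):
    """Turn the defanged notation back into a real URL or host name."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def host_of(url):
    """Host part of an http(s) URL, lowercased, without port or path."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1).lower() if m else url.lower()


def ioc_domains():
    """Normalised set of every domain the table names (URL hosts + domain rows)."""
    hosts = {host_of(refang(u)) for u in DEFANGED_URLS}
    hosts |= {refang(d).lower() for d in DEFANGED_DOMAINS}
    return hosts


# A host-like token: labels separated by dots, ending in an alphabetic TLD.
HOST_TOKEN = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def match_log(lines, domains=None):
    """Return (line_number, matched_domain) for lines that mention an IOC
    domain exactly or any subdomain of it; one entry per domain per line."""
    domains = ioc_domains() if domains is None else domains
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = set()
        for tok in HOST_TOKEN.findall(line):
            tok = tok.lower().rstrip(".")
            for d in domains:
                if (tok == d or tok.endswith("." + d)) and d not in seen:
                    seen.add(d)
                    hits.append((n, d))
    return hits


def sha256_of(data):
    """Hex SHA-256 of a byte string (read a real file in binary mode first)."""
    return hashlib.sha256(data).hexdigest()


def lookup_hash(hexdigest):
    """Name of the listed malicious file for this hash, or None."""
    return IOC_SHA256.get(hexdigest.lower())


if __name__ == "__main__":
    for n, d in match_log(SAMPLE_LOG):
        print(f"line {n}: {d}")
    print(lookup_hash(sha256_of(b"constructed benign bytes")))
```

Suffix matching is deliberate: the table lists keeppaswrd[.]com as a domain, so a hit on any host under it should be surfaced; for a real hunt, feed the function your resolver or proxy export one line at a time and compare installer hashes with `sha256_of(open(path, "rb").read())`.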