- A malicious variant of KeePass is being offered online
- The malware deploys an infostealer and a Cobalt Strike beacon
- The cybercriminals are using the access to deploy ransomware
Cybercriminals are distributing a tainted version of a popular password manager, through which they’re able to steal data and deploy ransomware. This is according to security researchers WithSecure Threat Intelligence, who recently observed one such attack in the wild.
In an in-depth analysis published recently, the researchers said a client of theirs downloaded what they thought was KeePass – a popular password manager. They clicked on an ad from the Bing advertising network, and landed on a page that looked exactly like the KeePass website.
The site, however, was a typosquatted version of the legitimate password manager. Since KeePass is open-source, the attackers kept all of the legitimate tool’s functionalities, but with a little extra Cobalt Strike on the side.
Purview and Defender
The fake password manager exported all of the saved passwords in a cleartext database, which was later relayed to the attackers through the Cobalt Strike beacon. The attackers then used the login credentials to access the network and deploy ransomware, which is when WithSecure was brought in.
WithSecure said that the campaign has the fingerprints of an initial access broker (IAB), a type of hacking group that obtains access to organizations and then sells it to other hacking collectives. This particular group is most likely associated with Black Basta, an infamous ransomware operator, and is now being tracked as UNC4696.
This group was previously linked to Nitrogen Loader campaigns, BleepingComputer reported. Older Nitrogen campaigns were linked to the now defunct BlackCat/ALPHV group.
So far, this was the only observed attack, but that doesn’t mean there aren’t others, WithSecure warns: “We are not aware of any other incidents (ransomware or otherwise) using this Cobalt Strike beacon watermark – this does not mean it has not occurred.”
The typosquatted website that’s hosting the malicious KeePass version was still up and running at this time, and was still serving malware to unsuspecting users. In fact, WithSecure said that behind the site was extensive infrastructure, created to distribute all sorts of malware posing as legitimate tools.
Via BleepingComputer
Leave a comment