Hackers Weaponize KeePass Password Manager
a year ago
- #cybersecurity
- #KeePass
- #malware
- Threat actors trojanised the KeePass password manager to spread malware and steal passwords; this was a modified, legitimately signed build of KeePass, not an exploit of a vulnerability in KeePass itself.
- The attack used modified KeePass installers signed with legitimately issued code-signing certificates, so a signature check alone would pass; the installers delivered the KeeLoader malware.
- Malvertising on search engines sent users looking for KeePass to look-alike download pages serving the trojanised installer.
- The modified KeePass exfiltrated the user's credentials and deployed a Cobalt Strike beacon.
- KeeLoader is the name given to the modified KeePass build: it still works as a password manager, with credential-theft and loader logic added to the executable.
- The malware sets an autorun (Run) registry key for persistence.
- The Cobalt Strike beacon is stored on disk RC4-encrypted under a .jpg file name so that it does not look like an executable payload.
- When a database is opened, the modified KeePass writes its contents (entries and passwords) to a local CSV file for later exfiltration.
- The attack infrastructure was linked to a known Initial Access Broker (IAB).
- Infrastructure was registered through Namecheap and fronted by Cloudflare; the malware was signed with legitimately issued certificates.
- Campaign shows shift towards more sophisticated and stealthy malware droppers.
- Overlap with tactics of ransomware groups like Black Basta and BlackCat.
- Discrepancies in ransom notes complicate attribution, suggesting 'as-a-service' operations.
- Incident highlights persistent ransomware threats and underground cyber tools market.
- Indicators of Compromise (IOC) include malicious URLs, domains, files, and certificates.
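As an added example (not from the original article, from WithSecure or from the KeePass project), the checks a responder would run on a Windows host after reading the points above: pin the installer's signer and published hash instead of trusting a merely "valid" signature, list autorun Run-key entries that launch KeePass, and find recently written .jpg files that do not start with JPEG magic bytes. The expected signer name, the default install paths and the hash placeholder are assumptions; confirm them against a known-good download before relying on them.

```powershell
# Added triage helpers for a suspected trojanised-KeePass (KeeLoader) host.
# Example code, not from the article, WithSecure or the KeePass project.
# Values marked "assumed" must be checked against a known-good installer.

# 1. The malicious installers carried legitimately issued certificates, so
#    Status -eq 'Valid' proves nothing by itself. Pin the signer subject and the SHA-256.
function Test-KeePassInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed: subject CN of the KeePass project's code-signing certificate.
        [string] $ExpectedSigner = 'Open Source Developer, Dominik Reichl',
        # Placeholder: paste the SHA-256 the project publishes for this release.
        [string] $ExpectedSha256 = 'REPLACE-WITH-PUBLISHED-SHA256'
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $valid   = ($sig.Status -eq 'Valid')
    $signerOk = ($subject -like "*$ExpectedSigner*")
    $hashOk   = ($hash -ieq $ExpectedSha256)
    [pscustomobject]@{
        Path           = $Path
        SignatureValid = $valid
        Signer         = $subject
        SignerMatches  = $signerOk
        Sha256         = $hash
        HashMatches    = $hashOk
        # Install only when all three hold: a valid signature from the wrong
        # signer is exactly what this campaign relied on.
        Trusted        = ($valid -and $signerOk -and $hashOk)
    }
}

# 2. KeeLoader persisted through an autorun Run key. Any Run entry that launches
#    KeePass deserves a look, especially one pointing outside the default
#    install directories (assumed paths below).
function Get-KeePassRunEntry {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $installDirs = @("$env:ProgramFiles\KeePass Password Safe 2",
                     "${env:ProgramFiles(x86)}\KeePass Password Safe 2")
    $metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $metadata) { continue }       # skip provider metadata
            $cmd = [string]$prop.Value
            if ($cmd -notmatch 'keepass') { continue }        # -match is case-insensitive
            $inInstallDir = $false
            foreach ($d in $installDirs) { if ($cmd -like "*$d*") { $inInstallDir = $true } }
            [pscustomobject]@{
                Key               = $key
                Name              = $prop.Name
                Command           = $cmd
                OutsideInstallDir = (-not $inInstallDir)
            }
        }
    }
}

# 3. The beacon was stored RC4-encrypted under a .jpg name. Ciphertext does not
#    begin with the JPEG magic bytes FF D8 FF, so a header check surfaces such files.
function Find-FakeJpeg {
    param([string] $Root = $env:LOCALAPPDATA, [int] $Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Recurse -File -Include *.jpg, *.jpeg -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $buf = New-Object byte[] 3
            $fs  = [System.IO.File]::OpenRead($_.FullName)
            try { $n = $fs.Read($buf, 0, 3) } finally { $fs.Dispose() }
            if ($n -lt 3 -or $buf[0] -ne 0xFF -or $buf[1] -ne 0xD8 -or $buf[2] -ne 0xFF) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    Header = (($buf | ForEach-Object { $_.ToString('X2') }) -join ' ')
                }
            }
        }
}

# Usage (placeholders, not real artefacts from the campaign):
# Test-KeePassInstaller -Path "$env:USERPROFILE\Downloads\KeePass-Setup.exe" -ExpectedSha256 '<published hash>'
# Get-KeePassRunEntry | Format-Table -AutoSize
# Find-FakeJpeg | Format-Table -AutoSize
```

Treat a hit from any of the three as a lead, not a verdict: a user can legitimately add a Run entry for KeePass, and a file with a wrong header can simply be mislabelled; the value is in combining these with the published indicators of compromise (domains, hashes and certificates) from the original report.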