
Recently, WithSecure’s Threat Intelligence team uncovered a sophisticated malware campaign where the open-source password manager KeePass was trojanised to deliver Cobalt Strike payloads and exfiltrate sensitive credentials.
“This was not only an undocumented malware loader, it was also the first example we had observed in open-source reporting of a trojanised password manager… being used simultaneously as a loader and credential stealing tool,” the report warned.
The compromised KeePass installer—identified as KeePass-2.56-Setup.exe—was delivered through malvertising campaigns that lured users to download from fake lookalike domains. The executable was signed with valid certificates and mimicked the behavior of the real KeePass installer, making detection extremely difficult.
Once executed, the malware (referred to by WithSecure as KeeLoader) dropped two modified executables (KeePass.exe and ShInstUtil.exe) into the user directory and set up a registry-based persistence mechanism. A malicious file (db.idx), encrypted and masquerading as a JPG, was decrypted in memory using a custom loader and executed as a Cobalt Strike beacon.

While KeePass appeared to function normally, it secretly logged credentials from the database and exported them to .kp files: “Account, login name, password, website, and comments information is also exported in CSV format under %localappdata% as <RANDOM_INTEGER>.kp.”
The attack infrastructure was extensive:
- Fake KeePass domains like keeppaswrd[.]com, keegass[.]com, and KeePass[.]me
- Malvertising through Bing and DuckDuckGo search ads
- Redirect chains through multiple fake domains
- SSL certificates from providers like NameCheap, mimicking legitimate KeePass signing
The campaign evolved over multiple versions, with increasing stealth and complexity: “The created binaries are almost identical to the legitimate versions… malicious functionality will only manifest once a password database is opened.”
Although attribution remains challenging due to the use of Loader-as-a-Service and Bulletproof Hosting, WithSecure found overlapping Cobalt Strike watermarks linked to ransomware groups such as Black Basta and BlackCat. The ransom note resembled that of Akira ransomware but included contact via onionmail, suggesting a possible attempt to go “solo” by a former affiliate: “This is unusual… a realistic possibility that the threat actor was previously working in a Ransomware-as-a-Service franchise, but in this case, attempted to ‘go solo.’”
WithSecure concludes that the campaign was likely orchestrated by a highly resourced Initial Access Broker operating within the ransomware ecosystem.
“If ransomware can be likened to a weed… the ‘as-a-service’ ecosystem that underpins many ransomware events can be equated to the roots, ensuring continual persistence and propagation.”
Organizations are urged to verify hashes before installation, avoid unofficial download sources, and closely monitor software behavior—even for known applications.
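A defender-side hunt for the artefacts this report names, as an added example that is not WithSecure's or the KeePass project's code: it walks a directory tree for `<RANDOM_INTEGER>.kp` credential exports and for a `db.idx` that carries no JPEG header despite posing as an image, and checks a downloaded installer's SHA-256 against a vendor-published value. The directory layout, sample bytes, the stand-in installer body and its hash, and all function names are constructed assumptions, not values from the report.

```python
# Added example: hunt for the KeeLoader artefacts described above (constructed data).
import hashlib
import os
import re
import tempfile

KP_EXPORT = re.compile(r"^\d+\.kp$")   # e.g. 48213905.kp under %localappdata%
JPEG_MAGIC = b"\xff\xd8\xff"

def looks_like_jpeg(head: bytes) -> bool:
    return head.startswith(JPEG_MAGIC)

def scan_tree(root: str) -> list[tuple[str, str]]:
    """Return sorted (reason, path) pairs for suspicious files under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if KP_EXPORT.match(name):
                hits.append(("kp-export", path))
            elif name.lower() == "db.idx":
                with open(path, "rb") as fh:
                    head = fh.read(len(JPEG_MAGIC))
                if not looks_like_jpeg(head):   # claims to be a JPG, has no JPEG header
                    hits.append(("db.idx-not-jpeg", path))
    return sorted(hits)

def sha256_matches(path: str, expected_hex: str) -> bool:
    """Compare a downloaded installer with the hash the vendor publishes."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower()

def build_sample_tree() -> tuple[str, str]:
    """Constructed %localappdata%-like tree; returns (root, installer path)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "KeePass"))
    with open(os.path.join(root, "48213905.kp"), "w") as fh:
        fh.write("Account,Login Name,Password,Web Site,Comments\n")
    with open(os.path.join(root, "KeePass", "db.idx"), "wb") as fh:
        fh.write(b"\x9c\x41\x07" + os.urandom(29))        # encrypted blob, not a JPEG
    with open(os.path.join(root, "KeePass", "photo.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0" + bytes(12))        # benign control file
    installer = os.path.join(root, "KeePass-2.56-Setup.exe")
    with open(installer, "wb") as fh:
        fh.write(b"abc")                                  # stand-in installer body
    return root, installer
```

Run `scan_tree` against the real `%localappdata%` and compare `sha256_matches` with the hash published on the official KeePass site, not one shown on the download page itself.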