29 May 25, 07:28
Quote: A popular password manager was modified to allow attackers to steal passwords and encrypt users’ data. How to protect home computers and corporate systems from this threat?
A user wanted to safeguard their passwords, but inadvertently let attackers into their organization. This unexpected outcome has been documented in a recent investigation into a ransomware attack — an incident that began when an employee decided to download the popular password manager KeePass. A key detail, though, is that they visited a fake website. KeePass is an open-source project, so the attackers had no trouble copying it, modifying it, and adding malicious features.
They then recompiled the application and distributed it through fake websites, which they promoted via legitimate online advertising systems.
What the fake KeePass was up to
The malicious campaign lasted at least eight months, starting in mid-2024. The attackers set up fake websites that mimicked the official KeePass site and used malvertising to redirect users who were searching for KeePass to domains with convincing names like keeppaswrd, keebass, and KeePass-download.
If the victim downloaded KeePass from a fake site, the password manager would function as expected, but it would also save all passwords from the currently open database to an unencrypted text file and install a Cobalt Strike beacon on the system. This is a tool that can be used both to assess an organization’s security and to conduct real cyberattacks.
With Cobalt Strike, the attackers were able not only to steal exported passwords, but also use them to compromise additional systems and ultimately encrypt the organization’s ESXi servers.
While searching for traces of this attack online, researchers discovered five different trojanized modifications of KeePass. Some of these were simpler: they immediately uploaded stolen passwords to the attackers’ server.
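The campaign above relied on lookalike domains (keeppaswrd, keebass, KeePass-download) reached through malvertising. The script below is an added example, not code from the original post or from the KeePass project, showing one way a defender can surface such domains in DNS or proxy logs: it flags hosts whose registrable label contains the brand name or sits within a small edit distance of it, while skipping a short allowlist of known-good hosts. The allowlist, the `.example` hostnames, the log format and the 40% edit-distance threshold are all assumptions constructed for the example; it generalises beyond the three names in the article to any brand label you pass in.

```python
"""Flag lookalike (typosquat) domains for a protected brand in DNS query logs.

Added example for this post, not code from the original article or from KeePass.
Log lines, hostnames and thresholds below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

BRAND = "keepass"

# Assumed allowlist of known-good hosts that the substring rule would otherwise flag.
ALLOWLIST = {"keepass.info", "keepassxc.org"}

# Constructed sample log (not from the article): one DNS query per line.
SAMPLE_DNS_LOG = """\
2024-11-03T10:12:44Z client=10.0.4.21 query=keeppaswrd.example type=A
2024-11-03T10:13:02Z client=10.0.4.21 query=keebass.example type=A
2024-11-03T10:15:19Z client=10.0.7.8 query=keepass-download.example type=A
2024-11-03T10:16:00Z client=10.0.7.8 query=keepass.info type=A
2024-11-03T10:17:41Z client=10.0.2.3 query=keeper.example type=A
2024-11-03T10:18:05Z client=10.0.2.3 query=example.org type=A
"""

QUERY_RE = re.compile(r"\bquery=(?P<host>[A-Za-z0-9.-]+)")
CLIENT_RE = re.compile(r"\bclient=(?P<client>\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label: 'keepass-download.example' -> 'keepass-download'.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(host: str, brand: str = BRAND) -> Optional[str]:
    """Return why a host looks like the brand, or None if it does not.

    Rules (assumed thresholds): allowlisted hosts are ignored; a label that
    contains the brand is flagged; otherwise the label (hyphens removed) is
    flagged when its edit distance to the brand is at most 40% of the longer
    string, which catches 'keebass' (1 edit) and 'keeppaswrd' (4 edits of 10).
    """
    host = host.lower().rstrip(".")
    if host in ALLOWLIST:
        return None
    label = registrable_label(host)
    if brand in label:
        return "brand-in-label"
    stripped = label.replace("-", "")
    d = levenshtein(stripped, brand)
    if d <= 0.4 * max(len(stripped), len(brand)):
        return f"edit-distance={d}"
    return None


def scan_dns_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for every query that resembles the brand."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        reason = lookalike_reason(host)
        if reason:
            c = CLIENT_RE.search(line)
            hits.append((c.group("client") if c else "?", host, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client:12} {host:28} {reason}")
```

Run against the constructed log, the scanner reports the three lookalike hosts and stays quiet on keepass.info (allowlisted), keeper.example (three edits away, above the threshold) and example.org. The output is a triage list, not a verdict: tune the threshold and allowlist to your own brand list, and pair it with the simpler control the article implies, namely sourcing installers only from the vendor's real site and verifying the publisher signature before install.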