{"id":3259,"date":"2025-05-21T11:51:37","date_gmt":"2025-05-21T11:51:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3259"},"modified":"2025-05-21T11:51:37","modified_gmt":"2025-05-21T11:51:37","slug":"trust-becomes-an-attack-vector-in-the-new-campaign-using-trojanized-keepass","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3259","title":{"rendered":"Trust becomes an attack vector in the new campaign using trojanized KeePass"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A known crew of cybercriminals has weaponized the widely used, open-source KeePass password manager with malware to steal passwords and lock down computers for ransom.<\/p>\n<p>Victims were tricked through Bing advertisements to install the trojanized software, KeeLoader, only to have their credentials siphoned and their systems hijacked, according to WithSecure research.<\/p>\n<p>\u201cIn February 2025, WithSecure\u2019s Incident Response team responded to a ransomware attack,\u201d said WithSecure researchers in a <a href=\"https:\/\/labs.withsecure.com\/content\/dam\/labs\/docs\/W_Intel_Research_KeePass_Trojanised_Malware_Campaign.pdf\" target=\"_blank\" rel=\"noopener\">report<\/a>. 
\u201cWhile performing analysis on the artifacts used in the attack, WithSecure Threat Intelligence (W\/TI) discovered a previously undocumented, trojanised malware loader being deployed to drop post-exploitation malware, and exfiltrate cleartext password manager databases.\u201d<\/p>\n<p>In a months-long campaign, threat actors were found using a modified KeePass, recompiled with trusted certificates, that retained normal password management features while also carrying a <a href=\"https:\/\/www.csoonline.com\/article\/574143\/here-is-why-you-should-have-cobalt-strike-detection-in-place.html\">Cobalt Strike beacon<\/a> that exfiltrated password databases in cleartext.<\/p>\n<h2 class=\"wp-block-heading\">A familiar face with a hidden sting<\/h2>\n<p>It looked like KeePass, it acted like KeePass, but under the hood, KeeLoader was anything but. The trojanized installer was cleverly promoted through Bing ads pointing to fake KeePass websites, luring unsuspecting users with what appeared to be legitimate software.<\/p>\n<p>\u201cThe malicious software was advertised online and waited for victims who believed it was a legitimate password manager,\u201d said Boris Cipot, senior security engineer at Black Duck. 
\u201cOnce a victim installed the malicious password manager, downloaded and deployed the Cobalt Strike tool for command and control, and exported the existing KeePass password database in clear text, the attackers gained access to networks, VPNs, and cloud services.\u201d<\/p>\n<p>It is essential to ensure uncompromised trust in software and to know the software you use, be it commercial or open source: know where it comes from and make sure that it is legit before you apply it to your own development or to your computer, Cipot added.<\/p>\n<p>WithSecure said that the Cobalt Strike watermarks used in this campaign are linked to an initial access broker (IAB) that is believed to be associated with <a href=\"https:\/\/www.csoonline.com\/article\/3836040\/ransomware-access-playbook-what-black-bastas-leaked-logs-reveal.html\">Black Basta<\/a> ransomware attacks in the past.<\/p>\n<p>WithSecure\u2019s Incident Response team was called in after ransomware encrypted VMware ESXi datastores at a European IT provider. The attackers had used stolen KeePass credentials to access hypervisors directly, bypassing individual VMs and launching a fast-moving, wide-scale attack.<\/p>\n<h2 class=\"wp-block-heading\">Identity is the new perimeter<\/h2>\n<p>Once KeeLoader stole vault credentials, often including domain admin, vSphere, and backup service accounts, attackers moved fast. Using SSH, RDP, and SMB protocols, they quietly seized control of jump servers, escalated privileges, disabled multifactor authentication, and pushed ransomware payloads directly to VMware ESXi hypervisors.<\/p>\n<p>Jason Soroko of Sectigo called it a \u201ctextbook identity attack.\u201d \u201cBy turning a trusted password safe into a credential harvesting mechanism, the adversary harvested domain admin passwords, vSphere root keys and service-account secrets that function as the organization\u2019s digital identities,\u201d he said. 
\u201cThose stolen identities negated perimeter controls, neutralized Veeam backups and enabled hypervisor-level ransomware deployment.\u201d<\/p>\n<p>The attack wasn\u2019t just about malware. As Rom Carmel, co-founder and CEO at Apono, noted, \u201cIt hinged on identity and credential compromise.\u201d<\/p>\n<p>\u201cBy trojanizing KeePass, attackers gained access to a trove of stored credentials, including admin accounts, service accounts, and API keys, giving them the ability to move laterally and escalate privileges,\u201d Carmel said. \u201cThe lesson learned: this breach highlights how unmanaged credentials and overprivileged identities, both human and non-human, are prime targets and key enablers in modern ransomware campaigns.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Open source: the double-edged sword<\/h2>\n<p>This campaign also highlights the risks of trusting open-source software, or more precisely, the wrong source of it. KeePass itself wasn\u2019t the problem; the ecosystem around it was. \u201cThis case touches on open-source usage and our trust in false advertising,\u201d Cipot added.<\/p>\n<p>Patrick Tiquet of Keeper Security echoed the concern. \u201cThis incident highlights a critical risk in relying on open-source applications, especially when downloading them from unofficial or unverified sources,\u201d he said. \u201cWhile open-source software can offer flexibility and transparency, it also presents unique attack surfaces.\u201d<\/p>\n<p>Experts agreed on the remedy: treat software acquisition like identity, with verification. 
That means downloading from official sources, layering defenses like EDR and PAM, and enforcing zero-trust and zero-knowledge architectures wherever credentials are involved.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A known crew of cybercriminals has weaponized the widely used, open-source KeePass password manager with malware to steal passwords and lock down computers for ransom. Victims were tricked through Bing advertisements to install the trojanized software, KeeLoader, only to have their credentials siphoned and their systems hijacked, according to a WithSecure research. \u201cIn February 2025, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3260,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3259","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3259"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3259"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3259\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3260"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3259"},{"taxonomy":"post_tag","embedd
able":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}