Fake KeePass password manager leads to ESXi ransomware attack www.bleepingcomputer.com/news/secu…

Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network.

WithSecure’s Threat Intelligence team discovered the campaign after they were brought in to investigate a ransomware attack. The researchers found that the attack started with a malicious KeePass installer promoted through Bing advertisements that promoted fake software sites.

As KeePass is open source, the threat actors altered the source code to build a trojanized version, dubbed KeeLoader, that contains all the normal password management functionality. However, it includes modifications that install a Cobalt Strike beacon and export the KeePass password database as cleartext, which is then stolen through the beacon.

WithSecure says that the Cobalt Strike watermarks used in this campaign are linked to an initial access broker (IAB) that is believed to be associated with Black Basta ransomware attacks in the past.