Beware of the fake KeePass | Kaspersky official blog
A user wanted to safeguard their passwords, but inadvertently let attackers into their organization. This unexpected outcome has been documented in a recent investigation into a ransomware attack — an incident that began when an employee decided to download the popular password manager KeePass. A key detail, though, is that they visited a fake website. KeePass is an open-source project, so the attackers had no trouble copying it, modifying it, and adding malicious features. They then recompiled the application and distributed it through fake websites, which they promoted via legitimate online advertising systems.
What the fake KeePass was up to
The malicious campaign lasted at least eight months, starting in mid-2024. The attackers set up fake websites that mimicked the official KeePass site and used malvertising to redirect users who were searching for KeePass to domains with convincing names like keeppaswrd, keebass, and KeePass-download.
If the victim downloaded KeePass from a fake site, the password manager would function as expected, but it would also save all passwords from the currently open database to an unencrypted text file and install a Cobalt Strike beacon on the system. This is a tool that can be used both to assess an organization’s security and to conduct real cyberattacks.
With Cobalt Strike, the attackers were able not only to steal the exported passwords but also to use them to compromise additional systems and ultimately encrypt the organization’s ESXi servers.
While searching for traces of this attack online, researchers discovered five different trojanized modifications of KeePass. Some of these were simpler: they immediately uploaded stolen passwords to the attackers’ server.
High-stealth malware
There’s nothing new about slipping malware to a victim along with legitimate software. Usually, however, attackers simply add malicious files to the installation package, so any security solution present on the computer detects them easily. The fake KeePass attack was much more carefully planned and better concealed from security tools.
All fake KeePass installation packages were signed with a valid digital signature, so they didn’t trigger any alarming warnings in Windows. The five newly discovered distributions were signed with code-signing certificates issued in the names of four different software companies. A valid signature only proves that the file has not been altered since whoever holds that certificate signed it; it says nothing about whether that signer is the real developer. The legitimate KeePass is signed with a different certificate, but few people bother to check what the Publisher line says in Windows warnings.
The Trojan functions were hidden inside the application’s core logic, and they only ran when the user opened a password database. In other words, the application would first start as usual, prompt the user to select a database and enter its master password, and only then begin performing actions that security mechanisms might consider suspicious. An automated sandbox has no database to open and no master password to enter, so it never reaches the malicious code path and sees only a normal password manager. This makes it harder for sandboxes and other analysis tools that detect abnormal application behavior to spot the attack.
Not just KeePass
While investigating malicious websites distributing trojanized versions of KeePass, the researchers discovered related sites hosted on the same domain. The sites advertised other legitimate software, including the SFTP/SCP client WinSCP and several cryptocurrency tools. These were modified less extensively and simply installed known malware called Nitrogen Loader on victims’ systems.
This suggests that the trojanized KeePass was created by initial access brokers. These criminals steal passwords and other confidential information to find entry points into corporate computer networks and then sell the access to other malicious actors — usually ransomware gangs.
A threat to everyone
Distributors of password-stealing malware indiscriminately target any unsuspecting user. The criminals analyze any passwords, financial data, or other valuable information they manage to steal, sort it into categories, and sell whatever is needed to other cybercriminals for their underground operations. Ransomware operators will buy credentials for corporate networks, scammers will purchase personal data and bank card numbers, and spammers will acquire login details for social media or gaming accounts.
That’s why the business model for stealer distributors is to grab anything they can get their hands on and use all kinds of lures to spread their malware. Trojans can be hidden inside any type of software — from games and password managers to specialized applications for accountants or architects.
How to protect your home computer
Download applications from the vendor’s official website or major app stores only.
Pay attention to digital signatures. When you launch a program you’ve never downloaded before, Windows displays a warning with the name of the digital signature owner in the Publisher field. Make sure that this matches the real developer’s information. When in doubt, check the information on the official website.
Be cautious of search ads. When you search for the name of an application, carefully review the first four or five results, but ignore the ads. The developer’s official website is typically one of those results. If you’re not sure which result leads to the official website, it’s best to double-check the address via major app stores or even on Wikipedia.
Be sure to use comprehensive security software, such as Kaspersky Premium, on all your computers and smartphones. This will protect you from being infected by most types of malware and stop you visiting dangerous websites.
Don’t shun password managers! Although a popular password manager was used in a sophisticated attack, the idea of securely storing important data in encrypted form is more relevant than ever. Subscriptions to Kaspersky Plus and Kaspersky Premium include Kaspersky Password Manager, which lets you securely store your credentials.
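A way to put the Publisher check above into practice on Windows, as an added example that is not part of the Kaspersky post: the PowerShell function below inspects the Authenticode signature of a downloaded installer and compares the signing certificate itself, not merely the signature status, against what you expect. The publisher name, thumbprint and SHA-256 values in the usage call are placeholders, not KeePass’s real values; take them from the vendor’s official website or from a copy you have already verified.

```powershell
# Added example, not code from the Kaspersky post. Checks a downloaded
# installer's Authenticode signer before you run it. A "Valid" status alone is
# not enough: the trojanized KeePass builds also carried valid signatures,
# just from certificates issued in other companies' names.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject, i.e. the
        # developer name Windows shows in the "Publisher" field.
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional: SHA-1 thumbprints of certificates you have verified before,
        # to pin the exact certificate rather than just a name.
        [string[]] $KnownThumbprints = @(),
        # Optional: SHA-256 hash the vendor publishes for this release.
        [string] $PublishedSha256
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path = $Path; Status = $sig.Status; Subject = $null
        Thumbprint = $null; Verdict = 'REJECT'; Reason = $null
    }

    # Step 1: the signature must verify at all (unsigned, tampered, or
    # broken chain all fail here).
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature not valid ($($sig.Status))"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Subject    = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    # Step 2: the signer must be the developer you expect, not just "someone".
    if ($cert.Subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        $result.Reason = "signer is '$($cert.Subject)', expected '$ExpectedPublisher'"
        return [pscustomobject]$result
    }

    # Step 3 (optional): pin the certificate so a look-alike name does not pass.
    if ($KnownThumbprints.Count -gt 0 -and $cert.Thumbprint -notin $KnownThumbprints) {
        $result.Reason = "certificate $($cert.Thumbprint) is not one of the pinned thumbprints"
        return [pscustomobject]$result
    }

    # Step 4 (optional): compare against the hash published by the vendor.
    if ($PublishedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $PublishedSha256) {
            $result.Reason = "SHA-256 $actual does not match the published hash"
            return [pscustomobject]$result
        }
    }

    $result.Verdict = 'ACCEPT'
    $result.Reason  = 'signature valid and signer matches expectations'
    return [pscustomobject]$result
}

# Usage. All values are placeholders (assumptions for illustration): substitute
# the real publisher name, pinned thumbprint and published hash for the
# application you downloaded.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\KeePass-Setup.exe" `
    -ExpectedPublisher 'Example Developer Name' `
    -KnownThumbprints @('0000000000000000000000000000000000000000') `
    -PublishedSha256 '0000000000000000000000000000000000000000000000000000000000000000' |
    Format-List
```

The name check catches the case described in this post, where the impostor is signed in a different company’s name; the thumbprint pin is stricter and also catches a certificate issued in a near-identical name. Vendors rotate certificates, so refresh the pin from an official source when a legitimate update suddenly fails the check.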
How to protect your organization from infostealers and initial access brokers
Using legitimate credentials in attacks is one of the most popular tactics among cybercriminals. To make it harder to steal and use corporate accounts, follow the advice for organizations on combating infostealers.
To repel trojanized software that can give attackers direct access to your network, we additionally recommend the following measures:
- Restricting the download and execution of untrusted software using application allowlists. Suitable criteria for allowlisting include “applications from a specific vendor” and “applications signed with a specific certificate”. The latter would have helped in the KeePass case: a familiar application signed with an unauthorized certificate would have been blocked.
- Implementing a centralized approach to monitoring and response, which includes installing endpoint detection and response (EDR) sensors on every workstation and server, and analyzing the resulting telemetry with SIEM or XDR solutions. Kaspersky Next XDR Expert is well-suited to providing a comprehensive solution to this challenge.
- Expanding employee training. In addition to being vigilant about phishing, it’s important to train your team to recognize fake software, malicious ads, and other social engineering techniques. The Kaspersky Automated Security Awareness platform can help with this.
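To show what certificate-based allowlisting from the first point looks like in practice, here is an added PowerShell example; it is not from the Kaspersky post and not a Kaspersky product feature. It uses the AppLocker cmdlets built into Windows to derive a publisher rule from a known-good, vendor-signed KeePass binary and then dry-runs a downloaded installer against that rule. The file paths are assumptions, and the example assumes a Windows edition that ships the AppLocker module and Application Identity service (Enterprise/Server).

```powershell
# Added example, not from the Kaspersky post. Builds an AppLocker publisher
# rule from a verified, vendor-signed KeePass binary and tests whether a
# downloaded file would be allowed under it. Requires the AppLocker module and,
# for the final Set-AppLockerPolicy step, an elevated session.
# All paths below are assumptions for illustration.

$KnownGood  = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'  # verified legitimate copy
$Candidate  = "$env:USERPROFILE\Downloads\KeePass-Setup.exe"          # file to be vetted
$PolicyFile = "$env:TEMP\keepass-publisher-policy.xml"

# 1. Extract the publisher information (signer, product, binary name, version)
#    that AppLocker derives from the file's Authenticode signature.
$fileInfo = Get-AppLockerFileInformation -Path $KnownGood
if (-not $fileInfo.Publisher) {
    throw "$KnownGood is not signed; a publisher rule cannot be built from it."
}
"Publisher rule will be based on: $($fileInfo.Publisher.PublisherName)"

# 2. Generate an allow rule of type Publisher for Everyone and save it as XML.
#    The rule matches binaries signed by that publisher's certificate, so the
#    same product signed with someone else's certificate does not match.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'KeePass' -Xml |
    Set-Content -Path $PolicyFile -Encoding UTF8

# 3. Dry run: what would this policy decide for the downloaded file?
#    A copy signed with an unrelated certificate comes back as DeniedByDefault,
#    because no rule in the policy matches it.
$decision = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Candidate -User Everyone
"{0}: {1} (matching rule: {2})" -f $decision.FilePath, $decision.PolicyDecision, $decision.MatchingRule

# 4. Only after review: merge the rule into the local policy.
#    On its own this is an allow rule. It blocks impostors only once the
#    Executable rule collection is set to Enforce and no broader rule (such as
#    a path rule covering the impostor's install location, or administrators
#    being allowed everything) also matches the impostor.
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

The dry run in step 3 is the part worth building into an intake process: a file that reports DeniedByDefault despite carrying a "valid" signature is exactly the signal this post describes. In production, deploy the same rule through Group Policy or an MDM rather than per machine, and keep users out of local administrator groups, since the default AppLocker rules let administrators run anything.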