Fake KeePass Installers Spread Ransomware: Users Warned of Dangerous Typo-Squatting Campaign
May 20, 2025
WithSecure's Threat Intelligence team uncovered a campaign involving malicious KeePass installers while investigating a ransomware incident.
For at least eight months, threat actors have been distributing fake versions of the KeePass password manager, leading to significant ransomware attacks.
These malicious installers, tracked as KeeLoader, were signed with legitimate code-signing certificates and distributed through typo-squatting domains such as keeppaswrd[.]com.
BleepingComputer confirmed that the keeppaswrd[.]com site remains active, continuing to distribute the trojanized installer.
The trojanized KeeLoader was created by modifying KeePass's open-source code to incorporate Cobalt Strike beacons and password-stealing capabilities.
Further investigation revealed a broader infrastructure designed to distribute malware disguised as legitimate tools, alongside phishing pages aimed at credential theft.
KeeLoader exports the contents of opened KeePass databases in cleartext, including account credentials, and that data is then exfiltrated through the Cobalt Strike beacon. The trojanized program therefore serves both as a loader for Cobalt Strike and as a credential stealer.
The Cobalt Strike watermarks used in this campaign are linked to an initial access broker associated with previous Black Basta ransomware attacks.
WithSecure attributes this malicious activity with moderate confidence to UNC4696, a threat actor group linked to earlier Nitrogen Loader campaigns.
Users are advised to download security-sensitive software such as password managers only from the vendor's legitimate site, rather than from download pages reached through advertisements.
The ransomware attack investigated by WithSecure resulted in the encryption of a company's VMware ESXi servers.
Source: BleepingComputer, May 19, 2025, "Fake KeePass password manager leads to ESXi ransomware attack"