- A malicious variant of KeePass is being distributed online
- The malware deploys an infostealer and a Cobalt Strike beacon
- Cybercriminals use the resulting access to deploy ransomware
Cybercriminals are distributing a trojanized version of a popular password manager, which lets them steal data and deploy ransomware, according to threat intelligence researchers who recently observed one of these attacks in the wild.
In a recently published in-depth analysis, the researchers said that one of their customers had downloaded what they believed was KeePass, a popular password manager. They clicked on an ad served through the Bing advertising network and landed on a page that looked exactly like the KeePass website.
The site, however, was a typosquatted version of the legitimate password manager's site. Since KeePass is open source, the attackers kept all the features of the legitimate tool, but added a Cobalt Strike beacon on the side.
Salon and defender
The fake password manager exported all the passwords stored in the database in cleartext, which were then relayed to the attackers via the Cobalt Strike beacon. The attackers then used the stolen credentials to access the network and deploy ransomware, which is the point at which WithSecure was brought in.
WithSecure said the campaign bears the fingerprints of an initial access broker (IAB), a type of hacking group that obtains access to organizations and then sells it to other hacking collectives. This particular group is most likely associated with Black Basta, an infamous ransomware operator, and is now tracked as UNC4696.
This group was previously linked to Nitrogen Loader campaigns, BleepingComputer reported. The older Nitrogen campaigns were linked to the now-defunct BlackCat/ALPHV group.
So far, this was the only attack observed, but that does not mean there are no others, WithSecure warned: “We are not aware of any other incident (ransomware or otherwise) using this Cobalt Strike watermark – that does not mean it did not happen.”
The typosquatted website hosting the malicious KeePass version was still operational at the time of writing and still serving malware to unsuspecting visitors. In fact, WithSecure said the site was backed by an extensive infrastructure built to distribute all kinds of malware posing as legitimate tools.
Via BleepingComputer