- A malicious KeePass variant is being offered online
- The malware exfiltrates saved passwords and deploys a Cobalt Strike beacon
- Cybercriminals are using the access to deploy ransomware
Cybercriminals are distributing a tampered version of a popular password manager, through which they can steal data and deploy ransomware. This is according to security researchers at WithSecure Threat Intelligence, who recently observed one such attack in the wild.
In an in-depth analysis published recently, the researchers said that one of their clients downloaded what they thought was KeePass, a popular password manager. They clicked on an advertisement served through the Bing advertising network and landed on a page that looked exactly like the KeePass website.
The site, however, was a typosquatted copy of the legitimate password manager's site. Since KeePass is open source, the attackers kept all the features of the legitimate tool, but added a bit of Cobalt Strike on the side.
Scope and defender
The fake password manager exported all saved passwords into a cleartext database, which was then transmitted to the attackers through a Cobalt Strike Beacon. The attackers then used the stolen login credentials to access the network and deploy ransomware, which is when WithSecure was brought in.
WithSecure said the campaign has the digital footprints of an initial access broker (IAB), a type of hacking group that obtains access to organizations and then sells it on to other hacking groups. This particular group is probably associated with Black Basta, an infamous ransomware operator, and is now tracked as UNC4696.
This group was previously linked to Nitrogen loader campaigns, BleepingComputer reported. The oldest Nitrogen campaigns were linked to the now-defunct BlackCat/ALPHV group.
So far, this is the only attack observed, but that does not mean there are no others, WithSecure warns: "While we are not aware of any other incident (ransomware or otherwise) using this Cobalt Strike Beacon watermark, this does not mean that it has not happened."
The typosquatted website hosting the malicious KeePass version was still operational at the time of writing, and was still serving malware to unsuspecting users. In fact, WithSecure said that behind the site there was an extensive infrastructure, built to distribute all kinds of malware posing as legitimate tools.
Via BleepingComputer