1. Forum
  2. FidoNet
  3. CONSPRCY

  • Hackers are distributing

    From Mike Powell@1:2320/105 to All on Tue May 20 08:55:00 2025
    Hackers are distributing a cracked password manager that steals data, deploys ransomware

    Date:
    Tue, 20 May 2025 13:17:00 +0000

    Description:
    A tainted version of KeePass is making rounds so be careful what you're downloading.

    FULL STORY

    Cybercriminals are distributing a tainted version of a popular password manager, through which theyre able to steal data and deploy ransomware . This is according to security researchers WithSecure Threat Intelligence, who recently observed one such attack in the wild.

    In an in-depth analysis published recently, the researchers said a client of theirs downloaded what they thought was KeePass - a popular password manager. They clicked on an ad from the Bing advertising network, and landed on a page that looked exactly like the KeePass website.

    The site, however, was a typosquatted version of the legitimate password manager. Since KeePass is open-source, the attackers kept all of the
    legitimate tools functionalities, but with a little extra Cobalt Strike on
    the side.

    Purview and Defender

    The fake password manager exported all of the saved passwords in a cleartext database, which was later relayed to the attackers through the Cobalt Strike beacon. The attackers then used the login credentials to access the network
    and deploy ransomware, which is when WithSecure was brought in.

    WithSecure said that the campaign has the fingerprints of an initial access broker (IAB), a type of hacking group that obtains access to organizations
    and then sells it to other hacking collectives. This particular group is most likely associated with Black Basta, an infamous ransomware operator, and is
    now being tracked as UNC4696.

    This group was previously linked to Nitrogen Loader campaigns,
    BleepingComputer reported. Older Nitrogen campaigns were linked to the now defunct BlackCat/ALPHV group.

    So far, this was the only observed attack, but that doesnt mean there arent others, WithSecure warns: "We are not aware of any other incidents
    (ransomware or otherwise) using this Cobalt Strike beacon watermark this
    does not mean it has not occurred."

    The typosquatted website thats hosting the malicious KeePass version was
    still up and running at this time, and was still serving malware to unsuspecting users. In fact, WithSecure said that behind the site was
    extensive infrastructure, created to distribute all sorts of malware posing
    as legitimate tools.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/hackers-are-distributing-a-cracked-pass word-manager-that-steals-data-deploys-ransomware

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)