{"id":34577,"date":"2025-05-28T17:55:56","date_gmt":"2025-05-28T15:55:56","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/trojan-password-manager-keepass-lessons\/34577\/"},"modified":"2025-05-28T17:55:56","modified_gmt":"2025-05-28T15:55:56","slug":"trojan-password-manager-keepass-lessons","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/trojan-password-manager-keepass-lessons\/34577\/","title":{"rendered":"Lessons learned from the trojanized KeePass incident"},"content":{"rendered":"

A user wanted to safeguard their passwords, but inadvertently let attackers into their organization. This unexpected outcome<\/a> has been documented in a recent investigation into a ransomware attack \u2014 an incident that began when an employee decided to download the popular password manager KeePass. A key detail, though, is that they visited a fake website. KeePass is an open-source project, so the attackers had no trouble copying it, modifying it, and adding malicious features. They then recompiled the application and distributed it through fake websites, which they promoted via legitimate online advertising systems<\/a>.<\/p>\n

What the fake KeePass was up to<\/h2>\n

The malicious campaign<\/a> lasted at least eight months, starting in mid-2024. The attackers set up fake websites that mimicked the official KeePass site and used malvertising<\/a> to redirect users who were searching for KeePass to domains with convincing names like keeppaswrd, keebass<\/em>, and KeePass-download<\/em>.<\/p>\n

If the victim downloaded KeePass from a fake site, the password manager would function as expected, but it would also save all passwords from the currently open database to an unencrypted text file and install a Cobalt Strike beacon<\/a> on the system. This is a tool that can be used both to assess an organization\u2019s security and to conduct real cyberattacks.<\/p>\n

With Cobalt Strike, the attackers were able not only to steal exported passwords, but also use them to compromise additional systems and ultimately encrypt the organization\u2019s ESXi servers.<\/p>\n

While searching for traces of this attack online, researchers discovered five different trojanized modifications of KeePass. Some of these were simpler: they immediately uploaded stolen passwords to the attackers\u2019 server.<\/p>\n

High-stealth malware<\/h2>\n

There\u2019s nothing new about slipping malware to a victim along with legitimate software<\/a>. Usually, however, attackers simply add malicious files to the installation package, so security solutions (if present) on the computer easily detect these. The fake KeePass attack was much more carefully planned and better concealed from security tools.<\/p>\n

All fake KeePass installation packages were signed with a valid digital signature, so they didn\u2019t trigger any alarming warnings in Windows. The five newly discovered distributions had certificates issued by four different software companies. The legitimate KeePass is signed with a different certificate, but few people bother to check what the Publisher<\/em> line says in Windows warnings.<\/p>\n

The Trojan functions were hidden inside the application\u2019s core logic, and they only ran when the user opened a password database. In other words, the application would first start as usual, prompt the user to select a database and enter its master password, and only then begin performing actions that security mechanisms might consider suspicious. This makes it harder for sandboxes and other analysis tools that detect abnormal application behavior to spot the attack.<\/p>\n

Not just KeePass<\/h2>\n

While investigating malicious websites distributing trojanized versions of KeePass, the researchers discovered related sites hosted on the same domain. The sites advertised other legitimate software, including the secure file manager WinSCP and several cryptocurrency tools. These were modified less extensively and simply installed known malware called Nitrogen Loader on victims\u2019 systems.<\/p>\n

This suggests that the trojanized KeePass was created by initial access brokers. These criminals steal passwords and other confidential information to find entry points into corporate computer networks and then sell the access to other malicious actors \u2014 usually ransomware gangs.<\/p>\n

A threat to everyone<\/h2>\n

Distributors of password-stealing malware indiscriminately target any unsuspecting user. The criminals analyze any passwords, financial data, or other valuable information they manage to steal, sort it into categories, and sell whatever is needed to other cybercriminals for their underground operations. Ransomware operators will buy credentials for corporate networks, scammers will purchase personal data and bank card numbers, and spammers will acquire login details for social media or gaming accounts.<\/p>\n

That\u2019s why the business model for stealer distributors is to grab anything they can get their hands on and use all kinds of lures to spread their malware. Trojans can be hidden inside any type of software \u2014 from games and password managers to specialized applications for accountants or architects.<\/p>\n

How to protect your home computer<\/h2>\n

Download applications from the vendor\u2019s official website or major app stores only.<\/p>\n

Pay attention to digital signatures. When you launch a program you\u2019ve never downloaded before, Windows displays a warning with the name of the digital signature owner in the Publisher<\/em> field. Make sure that this matches the real developer\u2019s information. When in doubt, check the information on the official website.<\/p>\n

Be cautious of search ads. When you search for the name of an application, carefully review the first four or five results, but ignore the ads. The developer\u2019s official website is typically one of those results. If you\u2019re not sure which result leads to the official website, it\u2019s best to double-check the address via major app stores or even on Wikipedia.<\/p>\n

Be sure to use comprehensive security software, such as Kaspersky Premium<\/a>, on all your computers and smartphones. This will protect you from being infected by most types of malware and stop you visiting dangerous websites.<\/p>\n

Don\u2019t shun password managers! Although a popular password manager was used in a sophisticated attack, the idea of securely storing important data in encrypted form is more relevant than ever. Subscriptions to Kaspersky Plus<\/a> and Kaspersky Premium<\/a> include Kaspersky Password Manager<\/a>, which lets you securely store your credentials.<\/p>\n

How to protect your organization from infostealers and initial access brokers<\/h2>\n

Using legitimate credentials in attacks is one of the most popular tactics among cybercriminals. To make it harder to steal and use corporate accounts, follow the advice for organizations on combating infostealers<\/a>.<\/p>\n

To repel trojanized software that can give attackers direct access to your network, we additionally recommend the following measures:<\/p>\n