
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,402 of 2,445   
   Mike Powell to All   
   Hackers are distributing   
   20 May 25 08:55:00   
   
   TZUTC: -0500   
   MSGID: 1135.consprcy@1:2320/105 2c91c471   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Hackers are distributing a cracked password manager that steals data, deploys   
   ransomware   
      
   Date:   
   Tue, 20 May 2025 13:17:00 +0000   
      
   Description:   
   A tainted version of KeePass is making rounds so be careful what you're   
   downloading.   
      
   FULL STORY   
      
   Cybercriminals are distributing a tainted version of a popular password
   manager, through which they're able to steal data and deploy ransomware. This
   is according to security researchers WithSecure Threat Intelligence, who
   recently observed one such attack in the wild.
      
   In an in-depth analysis published recently, the researchers said a client of   
   theirs downloaded what they thought was KeePass - a popular password manager.   
   They clicked on an ad from the Bing advertising network, and landed on a page   
   that looked exactly like the KeePass website.    
      
   The site, however, was a typosquatted version of the legitimate password
   manager. Since KeePass is open-source, the attackers kept all of the
   legitimate tool's functionalities, but with a little extra Cobalt Strike on
   the side.
      
   Purview and Defender   
      
   The fake password manager exported all of the saved passwords in a cleartext   
   database, which was later relayed to the attackers through the Cobalt Strike   
   beacon. The attackers then used the login credentials to access the network   
   and deploy ransomware, which is when WithSecure was brought in.    
      
   WithSecure said that the campaign has the fingerprints of an initial access   
   broker (IAB), a type of hacking group that obtains access to organizations    
   and then sells it to other hacking collectives. This particular group is most   
   likely associated with Black Basta, an infamous ransomware operator, and is   
   now being tracked as UNC4696.    
      
   This group was previously linked to Nitrogen Loader campaigns,   
   BleepingComputer reported. Older Nitrogen campaigns were linked to the now   
   defunct BlackCat/ALPHV group.    
      
   So far, this was the only observed attack, but that doesn't mean there aren't
   others, WithSecure warns: "We are not aware of any other incidents
   (ransomware or otherwise) using this Cobalt Strike beacon watermark - this
   does not mean it has not occurred."
      
   The typosquatted website that's hosting the malicious KeePass version was
   still up and running at this time, and was still serving malware to
   unsuspecting users. In fact, WithSecure said that behind the site was
   extensive infrastructure, created to distribute all sorts of malware posing
   as legitimate tools.
      
   Via BleepingComputer
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/hackers-are-distributing-a-cracked-password-manager-that-steals-data-deploys-ransomware
      
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
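The story above turns on a look-alike domain reached through an ad, not on a flaw in KeePass itself, so one practical defender check is to hunt proxy or DNS logs for hosts that resemble the legitimate download site. The script below is an added example and is not part of the original post, of WithSecure's analysis, or of the KeePass project. The log lines are constructed, the look-alike hostnames in them are made up for the demo, the allow-list of legitimate domains and the edit-distance threshold are assumptions, and the homoglyph table only covers a few digit-for-letter swaps.

```python
"""Flag look-alike (typosquat) hostnames for a legitimate software site in proxy logs.

Added example: sample log lines and look-alike names are constructed; the
allow-list, threshold and homoglyph map are assumptions for the demo.
"""
import re

# Assumed allow-list of domains from which the tool may legitimately be downloaded.
LEGIT_DOMAINS = {"keepass.info", "sourceforge.net"}

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2025-05-20T13:17:01Z 10.0.0.12 GET https://keepass.info/download.html
2025-05-20T13:17:05Z 10.0.0.12 GET https://keeppass.info/download.html
2025-05-20T13:18:10Z 10.0.0.33 GET https://keepass.inf0/KeePass-Setup.exe
2025-05-20T13:19:42Z 10.0.0.45 GET https://example.org/index.html
"""

# Small digit-for-letter homoglyph map (assumption; extend for your environment).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+https?://(?P<host>[^/\s]+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Keep the last two labels so 'www.keepass.info' compares as 'keepass.info'.
    (Simplification: real public-suffix handling needs a suffix list.)"""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def closest_legit(host: str):
    """Return (distance, legit_domain) for the nearest allow-listed domain,
    after folding common homoglyphs so 'inf0' is compared as 'info'."""
    candidate = registrable(host).translate(HOMOGLYPHS)
    return min((levenshtein(candidate, legit), legit) for legit in LEGIT_DOMAINS)


def is_lookalike(host: str, max_distance: int = 2):
    """None for an allow-listed or unrelated host; (distance, legit) for a near miss."""
    if registrable(host) in LEGIT_DOMAINS:
        return None
    distance, legit = closest_legit(host)
    return (distance, legit) if distance <= max_distance else None


def scan_log(text: str, max_distance: int = 2):
    """Yield one finding per log line whose host looks like an allow-listed domain."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised proxy line; skip rather than crash
        hit = is_lookalike(m["host"], max_distance)
        if hit:
            distance, legit = hit
            findings.append({"ts": m["ts"], "client": m["client"],
                             "host": m["host"], "resembles": legit,
                             "distance": distance})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['host']} looks like {f['resembles']} "
              f"(distance {f['distance']})")
```

A distance of 0 after homoglyph folding (as with the constructed `keepass.inf0`) is the strongest signal, since only character substitution separates it from the real site; a distance of 1 or 2 catches doubled or dropped letters. Tune the threshold against your own traffic, because short legitimate domains will collide at distance 2 more often than long ones.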
      



(c) 1994,  bbs@darkrealms.ca