Hackers Distribute Cracked Password Manager That Steals Data and Deploys Ransomware

Cybercriminals are using malvertising to trick users into installing a backdoored password manager. According to WithSecure Threat Intelligence, attackers are distributing a trojanized build of a popular open-source password manager that exfiltrates the contents of the victim's password database and then serves as the foothold for a ransomware deployment.

The Attack Explained

In an in-depth analysis published recently, the researchers described an incident in which a WithSecure client downloaded what they believed was KeePass, a well-known password manager. The victim clicked a sponsored result served through the Bing advertising network and landed on a page that mirrored the legitimate KeePass website. The page was hosted on a typosquatted domain rather than the project's real one.
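The typosquatted domain is the one artifact a defender can hunt for before any malware runs. The script below is an added example, not code from the WithSecure report: it scans constructed proxy log lines (the domains in it are made up, not the campaign's) for registered domains within a couple of edits of the real project domain, or that embed its brand, using an optimal-string-alignment distance so that adjacent-letter swaps count as a single edit. The `keepass.info` reference and the two-edit threshold are assumptions you would tune per vendor.

```python
"""Flag look-alike domains in proxy logs (added example, not from the WithSecure report)."""
from urllib.parse import urlparse

LEGITIMATE = "keepass.info"   # the real project domain (assumed reference)

# Constructed proxy log lines for this example; the look-alike domains are
# invented, not the ones observed in the campaign.
PROXY_LOG = """\
2025-05-20T09:14:02Z 10.0.0.21 GET https://www.bing.com/search?q=keepass
2025-05-20T09:14:05Z 10.0.0.21 GET https://keepas.info/download
2025-05-20T09:14:06Z 10.0.0.21 GET https://keepas.info/KeePass-Setup.exe
2025-05-20T09:20:11Z 10.0.0.33 GET https://keepass.info/download/
2025-05-20T09:25:40Z 10.0.0.45 GET https://keepass-download.com/setup.exe
2025-05-20T09:31:07Z 10.0.0.45 GET https://example.com/
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com/.info style names;
    a real deployment would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_reason(host: str, legit: str = LEGITIMATE, max_edits: int = 2):
    """Return a reason string if `host` looks like a typosquat of `legit`, else None."""
    dom = registered_domain(host)
    if dom == legit:
        return None
    brand, _ = legit.split(".", 1)
    label, tld = dom.split(".", 1)
    dist = osa_distance(label, brand)
    if 0 < dist <= max_edits:
        return f"label {label!r} is {dist} edit(s) from {brand!r}"
    if brand in label and label != brand:
        return f"label {label!r} embeds the brand {brand!r}"
    if label == brand:  # exact brand label on a TLD the vendor does not use
        return f"brand {brand!r} on unexpected TLD {tld!r}"
    return None


def scan_proxy_log(log: str) -> list:
    """Return [(host, reason), ...] for each distinct suspicious host, in log order."""
    hits = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname or ""
        reason = lookalike_reason(host)
        if reason and host not in hits:
            hits[host] = reason
    return list(hits.items())


if __name__ == "__main__":
    for host, why in scan_proxy_log(PROXY_LOG):
        print(f"SUSPICIOUS {host}: {why}")
```

Run it against the constructed log and the two invented look-alikes are reported while `keepass.info`, `bing.com` and `example.com` pass. The same check is worth running on DNS logs, where it catches the lure even if the download was blocked.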

Because KeePass is open source, the attackers could rebuild it from source with all of its normal functionality intact and add their own code. The trojanized build carried a Cobalt Strike beacon and a routine that wrote the contents of any database the user unlocked out in cleartext. With those exported credentials in hand, the attackers gained access to the victim's network and deployed ransomware.

The Role of Initial Access Brokers

WithSecure warns that this campaign bears the fingerprints of an initial access broker (IAB), a criminal group that obtains footholds in organizations and sells them on to other crews, typically ransomware affiliates. The group in question, UNC4696, is likely associated with Black Basta, an infamous ransomware operation.

The researchers note that the group has previously been linked to Nitrogen Loader campaigns, which were in turn connected to the now-defunct BlackCat/ALPHV group. WithSecure stresses that this was the only attack it observed, which does not mean others have not occurred.

Consequences and Precautions

The malicious KeePass site was still live at the time of the analysis, serving the trojanized build to unsuspecting users. WithSecure warns that the operators behind the typosquatted website maintained extensive infrastructure for distributing other malware disguised as legitimate tools.

"We are not aware of any other incidents (ransomware or otherwise) using this Cobalt Strike beacon watermark – this does not mean it has not occurred," said WithSecure. For users, the practical lesson is to treat search ads as untrusted: reach a vendor's site directly or from a bookmark, check the domain in the address bar before downloading, and verify the installer against the hash or code signature the vendor publishes. Keeping software up to date and using reputable security tools remain essential.

Protecting Yourself

If you installed KeePass from this campaign, don't panic, but act quickly. Assume every credential stored in the database is compromised: change those passwords immediately, starting with the most sensitive accounts, and monitor the accounts for suspicious activity. Organizations should also treat the affected machine as a potential Cobalt Strike foothold and investigate it rather than simply reinstalling the password manager. Consumer security suites such as Aura, which bundle breach alerts, dark web monitoring, a VPN and antivirus, can help with the ongoing monitoring.
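The step that would have stopped this infection is verifying the installer before running it. The block below is an added example, not code from the page or from the KeePass project: it parses a `sha256sum`-style manifest, hashes the downloaded bytes and compares the digests in constant time. The manifest, the file name and the three-byte "installer" are constructed for the example (the listed digest is simply SHA-256 of those bytes); a real manifest must come from the vendor's genuine site, never from the same page that served the download.

```python
"""Verify a downloaded installer against a published SHA-256 manifest
(added example; the manifest, file name and bytes below are constructed)."""
import hashlib
import hmac

# Constructed manifest in `sha256sum` format. The digest is SHA-256 of the
# three-byte sample below, not of any real KeePass release.
MANIFEST = """\
# sha256 digests (constructed example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *KeePass-Sample-Setup.exe
"""

# Constructed stand-ins for the downloaded installer bytes.
GOOD_DOWNLOAD = b"abc"
TAMPERED_DOWNLOAD = b"abd"


def parse_manifest(text: str) -> dict:
    """Map file name -> lowercase hex digest. Accepts 'digest  name' and
    'digest *name' (binary marker) lines; ignores blanks and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name] = digest.lower()
    return entries


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the full download (read whole; stream it for large files)."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, name: str, manifest: str) -> bool:
    """True only if `name` is listed and the bytes hash to the listed digest.
    A file absent from the manifest is unverified, not OK; the comparison is
    constant-time so the check itself leaks nothing about the expected value."""
    expected = parse_manifest(manifest).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    print(verify_download(GOOD_DOWNLOAD, "KeePass-Sample-Setup.exe", MANIFEST))      # True
    print(verify_download(TAMPERED_DOWNLOAD, "KeePass-Sample-Setup.exe", MANIFEST))  # False
```

A hash check only proves the file matches what the manifest says; it says nothing about who published the manifest. On Windows, pair it with a check of the installer's Authenticode signature, which a rebuilt-from-source trojan cannot carry under the legitimate developer's certificate.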
