Overview
A recent cybersecurity incident has highlighted the dangers of downloading software from untrusted sources. Threat actors have been distributing a malicious version of the KeePass password manager through deceptive online advertisements. A password manager is a tool that securely stores and manages your passwords in an encrypted vault. You only need to remember one master password to access all others.
This counterfeit software, once installed, leads to the deployment of ransomware on affected systems, specifically targeting VMware ESXi servers. ESXi is a hypervisor that allows multiple virtual machines (VMs) to run on a single physical server.
Details
- Distribution Method: The malicious KeePass installer was promoted on the Bing search engine with advertisements that directed people to fake software websites.
- Malicious Payload: The trojanised KeePass, dubbed ‘KeeLoader’, retains all the standard functions of the software but was modified to install a Cobalt Strike beacon and to export the KeePass password database in cleartext.
Recommendations
To protect against such threats, individuals and organisations are recommended to:
- Download software only from official sources:
  - Always obtain software directly from the official website or reputable platforms.
  - Be especially cautious of advertisements or third-party sites offering software downloads, or avoid them entirely.
- Verify URLs carefully:
  - Check for subtle misspellings or unusual characters in URLs that may indicate a fraudulent site.
- Ensure that you have strong security measures:
  - Use reputable antivirus and anti-malware solutions.
  - Keep all systems and software up to date with the latest security patches.
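One way to apply the "verify URLs carefully" step before installing anything, as an added example that is not part of this advisory: a small Python check that flags a download URL whose host is not the vendor's official one, including the misspellings and unusual characters mentioned above. It assumes the official KeePass host is keepass.info (adjust for other vendors); the sample URLs are constructed for illustration.

```python
# Added example (not from the advisory): flag download URLs that do not resolve to
# the vendor's official host, implementing the "verify URLs carefully" step.
from urllib.parse import urlsplit

# Assumption: the vendor's official download host. Adjust for the software you check.
OFFICIAL_HOST = "keepass.info"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_download_url(url: str, official_host: str = OFFICIAL_HOST) -> list[str]:
    """Return the reasons a URL looks untrustworthy; an empty list means it is on the official host."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    findings = []
    if parts.scheme != "https":
        findings.append("not served over HTTPS")
    # Compare the registrable domain (last two labels) so www.keepass.info passes
    # but keepass.info.example.net, which merely embeds the official name, does not.
    registrable = ".".join(host.split(".")[-2:])
    if registrable == official_host:
        return findings
    findings.append(f"host {host!r} is not {official_host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (xn--): possible homoglyph domain")
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in host: possible homoglyph domain")
    if official_host in host:
        findings.append("official name embedded in a different domain")
    elif edit_distance(registrable, official_host) <= 2:
        findings.append("within two edits of the official host: possible typosquat")
    return findings

if __name__ == "__main__":
    # Constructed sample URLs; none is a known malicious site.
    for sample in ("https://keepass.info/download.html",
                   "http://keepas.info/KeePass-Setup.exe",
                   "https://keepass.info.example.net/download"):
        print(sample, "->", check_download_url(sample) or ["looks like the official host"])
```

A URL that passes this check still deserves a look at the page it leads to; the check only rules out obvious lookalikes, it does not prove the download is genuine.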
This incident underscores the critical importance of downloading software exclusively from legitimate and trusted sources. Cyber-criminals are increasingly sophisticated in their methods, using deceptive advertisements and counterfeit websites to distribute malicious software.
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.