Malicious code hiding behind a password manager: trojanized KeePass used to deceive users and attack systems

Lưu Tuấn Anh
3 min read

Overview

Recently, the FPT Threat Intelligence team has recorded a series of cyberattacks that ultimately target VMware ESXi servers. The attackers set up fake KeePass websites on look-alike domains, including Punycode (internationalized) domains that render almost identically to the official KeePass domain. These sites are promoted through Google Ads campaigns so that they appear high in search results, tricking users into downloading malware instead of the genuine KeePass release.

Once a victim installs and uses the fake password manager, the attackers deploy Cobalt Strike, steal credentials, and eventually deploy ransomware on the compromised network. Researchers (see References) have identified several sites distributing the fake password manager, including keeppaswrd[.]com, keegass[.]com, and KeePass[.]me.
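The look-alike domains described above are caught by a few mechanical tests: decode any Punycode (xn--) label back to Unicode, fold visually confusable characters to their ASCII skeleton, and compare the registrable label against the brand. The following Python checker is an added example (not code from the original post or from the researchers behind the campaign reports); the brand/official-domain constants, the confusable map, the fuzzy-match threshold, and the constructed Punycode test domain are all assumptions chosen for illustration.

```python
"""Classify KeePass look-alike domains: Punycode/homoglyph and typosquat checks.

Added example. BRAND_LABEL, OFFICIAL_DOMAINS, CONFUSABLES and FUZZY_THRESHOLD
are illustrative assumptions, not values from the campaign reports.
"""
import difflib
import unicodedata
from typing import Optional

BRAND_LABEL = "keepass"
OFFICIAL_DOMAINS = {"keepass.info"}
FUZZY_THRESHOLD = 0.7  # tunable; catches heavier misspellings that edit distance misses

# Confusables that survive NFKD normalization (Cyrillic/Greek letters, dotless i).
# Partial list written as escapes so it cannot be mistaken for ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0455": "s",
    "\u03bf": "o", "\u0131": "i",
}

# Constructed test input: 'keepass.info' with a k-cedilla (U+0137), Punycode-encoded
# at runtime so the xn-- form is guaranteed to be the correct encoding.
CONSTRUCTED_IDN = "\u0137eepass.info".encode("idna").decode("ascii")


def refang(domain: str) -> str:
    """Turn IOC-style 'keegass[.]com' back into 'keegass.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().rstrip(".")


def to_unicode(domain: str) -> str:
    """Decode any xn-- (Punycode) labels; plain labels pass through lowercased."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna").lower()
    return domain.lower()


def skeleton(label: str) -> str:
    """Fold a label to its visual ASCII skeleton: NFKD, drop combining marks, map confusables."""
    decomposed = unicodedata.normalize("NFKD", label)
    folded = "".join(
        CONFUSABLES.get(c, c) for c in decomposed if unicodedata.category(c) != "Mn"
    )
    return folded.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(raw: str) -> Optional[str]:
    """Return a verdict string for a look-alike domain, or None if it is not one."""
    domain = to_unicode(refang(raw))
    if domain in OFFICIAL_DOMAINS:
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    label = labels[-2]  # registrable label, e.g. 'keegass' in keegass.com
    skel = skeleton(label)
    if skel == BRAND_LABEL:
        if label == BRAND_LABEL:
            return "brand label on non-official TLD"
        return f"homoglyph/Punycode impersonation ({label!r} renders like {BRAND_LABEL!r})"
    dist = levenshtein(skel, BRAND_LABEL)
    if dist <= 2:
        return f"typosquat (edit distance {dist})"
    ratio = difflib.SequenceMatcher(None, skel, BRAND_LABEL).ratio()
    if ratio >= FUZZY_THRESHOLD:
        return f"fuzzy match (similarity {ratio:.2f}), review manually"
    return None


if __name__ == "__main__":
    for candidate in ["keepass.info", "KeePass[.]me", "keegass[.]com",
                      "keeppaswrd[.]com", CONSTRUCTED_IDN, "cloudbackup[.]pw"]:
        print(f"{candidate:32} -> {classify(candidate)}")
```

Note what this does not catch: the campaign's command-and-control domains (cloudbackup[.]pw, update-checker[.]win) look nothing like the brand and come back as None. Those have to be blocked from threat-intelligence feeds; a look-alike checker only covers the lure side of the campaign.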

Campaign Objective

  • Steal internal credentials, above all the contents of victims' KeePass databases

  • Establish covert footholds in the network using Cobalt Strike

  • Pave the way for other destructive activity such as ransomware, especially against ESXi hosts

Campaign Details

  1. Distributed via malicious ads and fake domains

    • Initially, the attackers used malicious advertising campaigns on search engines to direct users to fake KeePass websites such as keeppaswrd[.]com, keegass[.]com, and KeePass[.]me. There, users are encouraged to download what appears to be KeePass but is actually KeeLoader. The downloaded installer is named KeePass-2.56-Setup.exe, mimicking a genuine release.

      Fake KeePass site pushing trojanized installer

  2. Install malware

    • Once the user runs KeeLoader, it drops two modified executables (KeePass.exe and ShInstUtil.exe) into the %localappdata% directory. It then sets up persistence: an autorun (Run) key is created in the registry so that ShInstUtil.exe starts automatically with the system and re-establishes the attackers' connection.

    • The malware then loads and executes a malicious payload file (db.idx) disguised as a JPG image to evade AV software and casual inspection; it actually contains RC4-encrypted shellcode that is decrypted and executed in memory.

  3. Steal credentials

    • KeeLoader contains a C# code segment that extracts data from the loaded KeePass database and writes it out.

      Dumping KeePass credentials

    • First, the extracted data is written to a MemoryStream.

    • Then a code segment accesses every password entry in KeePass by traversing the group tree from the root group. Each entry is handed to an EntryHandler delegate, which writes out the account information (the credentials) stored in that entry.

    • The collected data is written to a file in the AppData\Local directory with a random name and a .kp extension (for example, 123.kp).

    • Finally, the collected data is exfiltrated and the implant receives the attackers' commands: deploy Cobalt Strike, continue exploitation, and so on. The stolen KeePass passwords enable deeper infiltration, and the attackers ultimately deploy ransomware, paving the way for targeted attacks on ESXi servers.

Conclusion

This campaign is a clear example of a trojanized legitimate tool being used to reach dangerous post-exploitation goals. Given the convincing disguise and the staged infection chain, organizations need to strengthen their detection capabilities, particularly around widely used open-source software that users download themselves.

Recommendations

  1. Software Control and Integrity

    • Compare the SHA-256 hash of any downloaded installer with the official values published at https://keepass.info/integrity.html, and do not use builds from untrusted sources. A digital signature only proves who signed the file, so check the signer's identity rather than merely that a signature is present.

    • Only download software from the official website or from repositories whose releases carry verifiable digital signatures.

  2. Behavior and System Log Monitoring

    • Monitor for .kp and .idx files, and newly dropped executables, appearing under AppData\Local\ or Temp\. Legitimate installers also write executables to these locations, so correlate .exe sightings with the creating process and the other indicators here rather than alerting on every file.

    • Track KeePass.exe spawning ShInstUtil.exe with the --update argument. ShInstUtil.exe is a legitimate KeePass component, so treat this process chain as a hunting lead to correlate with the file and registry indicators rather than as a standalone verdict.

  3. Enhance Endpoint Defense (EDR / AV)

    • Set up policies to detect:

      • Executables launched from user-writable locations such as AppData

      • Shellcode decrypted and executed in memory (RC4 in this campaign): hunt for unbacked executable memory and RWX allocations, since the cipher itself cannot be recognised generically

      • Process injection

    • Block the campaign's suspicious domains and IPs (cloudbackup[.]pw, update-checker[.]win, and the addresses listed under IOC), and investigate beacons to ports 80/443 whose TLS SNI is unusual or does not match the destination.
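Recommendations 2 and 3 above translate into a handful of correlation rules over endpoint telemetry: KeePass.exe spawning ShInstUtil.exe --update, a Run key that points at ShInstUtil.exe, .kp/.idx files appearing under AppData\Local, and KeePass.exe itself running from AppData. The Python below is an added example (not part of the original post or of any vendor's product) that runs those rules over Sysmon-style events. The sample events are constructed to mirror the behaviour described in this post, and the rule names, field names, and the choice to alert on .kp/.idx but not on every .exe are assumptions.

```python
"""Hunt for KeeLoader-style activity in Sysmon-like process/file/registry events.

Added example. Events are constructed for illustration; field names follow
Sysmon's Event ID 1 (process create), 11 (file create) and 13 (registry value set).
"""
import json
import ntpath
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Alert = Tuple[str, str]

# Constructed sample telemetry, one JSON object per line (raw string keeps the
# Windows backslashes JSON-escaped). Line 1 is benign: KeePass from Program Files.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe\""}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\KeePass\\KeePass.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Users\\alice\\AppData\\Local\\KeePass\\KeePass.exe\""}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\KeePass\\ShInstUtil.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\KeePass\\KeePass.exe", "CommandLine": "ShInstUtil.exe --update"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\KeePass\\KeePass.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\123.kp"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\KeePass\\ShInstUtil.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\db.idx"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.pdf"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\KeePass\\KeePass.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\KeePass", "Details": "C:\\Users\\alice\\AppData\\Local\\KeePass\\ShInstUtil.exe --update"}
"""

ARTIFACT_EXTENSIONS = {".kp", ".idx"}  # KeeLoader output (.kp) and payload (.idx)


def parse_events(text: str) -> List[Event]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def under_local_appdata(path: str) -> bool:
    return "\\appdata\\local\\" in path.lower()


def evaluate(ev: Event) -> List[Alert]:
    """Apply the KeeLoader hunting rules to one event; return (rule, evidence) pairs."""
    hits: List[Alert] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")

    if eid == 1:  # process creation
        parent = ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "").lower()
        # KeePass.exe -> ShInstUtil.exe --update: the persistence/update chain the post describes.
        if basename(parent) == "keepass.exe" and basename(image) == "shinstutil.exe" and "--update" in cmd:
            hits.append(("keepass_spawns_shinstutil_update", image))
        # Official KeePass installs under Program Files; a copy in AppData is the dropped one.
        # (Portable KeePass can legitimately run from anywhere, so tune per environment.)
        if basename(image) == "keepass.exe" and under_local_appdata(image):
            hits.append(("keepass_running_from_appdata", image))

    elif eid == 11:  # file creation
        target = ev.get("TargetFilename", "")
        ext = ntpath.splitext(target)[1].lower()
        if under_local_appdata(target) and ext in ARTIFACT_EXTENSIONS:
            hits.append(("keeloader_artifact_written", target))

    elif eid == 13:  # registry value set
        key = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "")
        if "\\currentversion\\run" in key and "shinstutil.exe" in details.lower():
            hits.append(("run_key_persists_shinstutil", details))

    return hits


def hunt(text: str) -> List[Alert]:
    """Run every rule over a newline-delimited JSON log and collect the alerts."""
    alerts: List[Alert] = []
    for ev in parse_events(text):
        alerts.extend(evaluate(ev))
    return alerts


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_LOG):
        print(f"[{rule}] {evidence}")
```

Run against the constructed log, the benign Program Files launch and the PDF written to Temp produce nothing, while the AppData copy of KeePass.exe, the ShInstUtil.exe --update spawn, the two .kp/.idx drops and the Run key each raise one alert. In production, the value of these rules comes from seeing several of them fire on the same host within a short window; any single one has benign explanations.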

IOC

  1. Domain

    • keeppaswrd[.]com

    • keegass[.]com

    • KeePass[.]me

    • cloudbackup[.]pw

    • update-checker[.]win

  2. IP

    • 45.145.67.54

    • 185.212.200.113

    • 89.45.13.97

  3. Hash (MD5 and SHA-256)

    • 8b386b89e614d3084c1da3c28e324fb2

    • 5e7ef2ab3c216be9a73efac7c36e7efc0dd7a9b2a5b5dff9b3b937e2cb3e9c9c

    • f43b889d2e0b2b9d5822d8492a1a9e1ac22f52c2cf26a23607f3a6677d7bc451

References

  1. Fake KeePass password manager leads to ESXi ransomware attack

  2. Trojanized KeePass Used to Deploy Cobalt Strike and Steal Credentials
