KeeLoader – A Trojanised KeePass


In early 2025, threat actors deployed a trojanised KeePass installer to distribute Cobalt Strike and steal credentials. Named KeeLoader, the modified binary was signed with valid certificates and spread via malvertising and typo-squatted domains. This marks the first known case of KeePass source code being weaponised, combining infostealing and post-exploitation capabilities in a trusted package. The campaign remained undetected for months, leveraging stealthy execution and encrypted payloads. WithSecure links the infrastructure to a prolific Initial Access Broker, possibly affiliated with Black Basta ransomware operations.

Severity Level: High

THREAT OVERVIEW:

  1. Unattributed Actor: Likely a prolific Initial Access Broker (IAB).
  2. Affiliations: Overlaps with TTPs of Black Basta and BlackCat ransomware.
  3. Possible Links: Traces point to UNC4696 and infrastructure consistent with Ransomware-as-a-Service (RaaS).
  4. Capabilities: Advanced usage of signed binaries, Cobalt Strike beacons, malvertising infrastructure.
  5. Target regions: Global.
  6. Affected Sectors: IT Service Providers, Mid-market enterprises, financial institutions, Cryptocurrency platforms.

ATTACK FLOW:

  1. Initial Access Vector:
    • Malvertising on platforms like Bing and DuckDuckGo directed users to lookalike KeePass domains (e.g., keeppaswrd[.]com).
    • Users downloaded a trojanised KeePass installer: KeePass-2.56-Setup.exe, which appeared legitimate.
  2. Malware Functionality (KeeLoader):
    • Modified KeePass binary acts as both password manager and infostealer.
    • Drops a file (db.idx) disguised as a .JPG image, containing RC4-encrypted Cobalt Strike shellcode.
    • Executes ShInstUtil.exe with the -update parameter to decrypt and load the shellcode in memory.
  3. Credential Theft:
    • When users open KeePass and load a database, the malware dumps credentials (account, username, password, comments) into .kp files stored in %localappdata%.
    • These files can then be accessed and exfiltrated via the established Cobalt Strike beacon.
  4. Infrastructure & Distribution:
    • Domains like KeePass-info[.]aenys[.]com, lvshilc[.]com, and arch-online[.]com were used.
    • Multiple certificate issuers were abused (e.g., S.R.L. INT-MCOM, Shenzhen Kantianxia Network Technology Co., Ltd.) to sign binaries and increase legitimacy.
    • Typosquatting was employed to confuse users into downloading malware.
  5. Evasion Techniques:
    • Use of valid code signing certificates.
    • Encrypted shellcode in non-suspicious formats.
    • Malicious functionality only activates after database access, bypassing sandbox detection.
  6. Payload & Post-Exploitation:
    • Once active, the malware establishes C2 connections over HTTPS to arch-online[.]com and aicmas[.]com.
    • Cobalt Strike is used for lateral movement (via RDP, SMB, SSH).
    • In later stages, ransomware is deployed—although the binary was not recovered, the ransom note matched Akira templates with slight differences.

Recommendations:

  1. Block installation of software not sourced from authorized repositories. Prevent users from downloading installers via search engines.
  2. Use tools like Microsoft AppLocker or macOS Gatekeeper to allow only trusted, signed software.
  3. Validate KeePass binaries against known-good SHA256 hashes and digital certificate thumbprints.
  4. Alert on unusual .kp files in %localappdata%, e.g., ###.kp or ###.keps, especially if KeePass is not sanctioned.
  5. Monitor Run keys that auto-launch ShInstUtil.exe with suspicious parameters like -update.
  6. Ensure password managers and associated software are patched from official sources only.
  7. Enforce policies that prevent execution of binaries signed by untrusted or revoked certificates.
  8. Educate users on the dangers of malvertising and how to avoid downloading software from search engine ads.
  9. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/07b05618ce206ea8579e1ec0524649fde8710f462fb3982c458864e01d393e64/iocs
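Recommendations 3 to 5 above can be turned into simple host telemetry checks. The following is an added example (not code from the advisory, from Ampcus Cyber or from WithSecure) in Python: it scans constructed Sysmon-style process, registry and file events for the three behaviours the advisory names (ShInstUtil.exe launched with -update, a Run key pointing at that command, and .kp/.keps drops under %localappdata%), and it validates an installer against a known-good SHA256 allowlist and signer thumbprint allowlist rather than accepting any valid signature, since the campaign abused certificates from several issuers. Event field names, the sample events, the installer bytes and the thumbprint values are all constructed placeholders.

```python
"""Detection helpers for the KeeLoader indicators listed in the advisory.

Added example; event shapes are constructed to resemble Sysmon-style telemetry
and the field names (command_line, key, value, path) are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass

# Indicators taken from the advisory: ShInstUtil.exe -update, Run-key persistence,
# and credential dumps written as .kp / .keps files under %localappdata%.
SHINSTUTIL_UPDATE_RE = re.compile(r"shinstutil\.exe.*\s-update\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
KP_FILE_RE = re.compile(r"\.(kp|keps)$", re.IGNORECASE)
LOCALAPPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str   # "process", "registry" or "file"
    data: dict  # assumed field names, see module docstring


def check_event(ev: Event) -> list:
    """Return the names of the detections a single event triggers."""
    alerts = []
    if ev.kind == "process":
        if SHINSTUTIL_UPDATE_RE.search(ev.data.get("command_line", "")):
            alerts.append("shinstutil_update_launch")
    elif ev.kind == "registry":
        key, value = ev.data.get("key", ""), ev.data.get("value", "")
        if RUN_KEY_RE.search(key) and SHINSTUTIL_UPDATE_RE.search(value):
            alerts.append("run_key_shinstutil_update")
    elif ev.kind == "file":
        path = ev.data.get("path", "")
        if KP_FILE_RE.search(path) and LOCALAPPDATA_RE.search(path):
            alerts.append("kp_dump_in_localappdata")
    return alerts


def scan(events: list) -> list:
    """Run check_event over a batch and return (detection, event) pairs."""
    return [(name, ev) for ev in events for name in check_event(ev)]


def validate_installer(content: bytes, signer_thumbprint: str,
                       known_hashes: set, known_thumbprints: set) -> dict:
    """Trust an installer only if BOTH its SHA256 and its signer are allowlisted.

    A valid Authenticode signature on its own is not enough: KeeLoader was
    signed with valid certificates from several issuers.
    """
    digest = hashlib.sha256(content).hexdigest()
    hash_ok = digest in known_hashes
    signer_ok = signer_thumbprint in known_thumbprints
    return {"sha256": digest, "hash_ok": hash_ok,
            "signer_ok": signer_ok, "trusted": hash_ok and signer_ok}


# --- Constructed sample data (placeholders, not real hashes or thumbprints) ---
GOLDEN_INSTALLER = b"constructed stand-in for the official KeePass-2.56-Setup.exe bytes"
TROJANISED_INSTALLER = GOLDEN_INSTALLER + b"\x90"  # one byte differs, so the hash differs
GOLDEN_THUMBPRINT = "PLACEHOLDER_OFFICIAL_SIGNER_THUMBPRINT"
KNOWN_GOOD_SHA256 = {hashlib.sha256(GOLDEN_INSTALLER).hexdigest()}
KNOWN_GOOD_THUMBPRINTS = {GOLDEN_THUMBPRINT}

KEEPASS_DIR = r"C:\Program Files\KeePass Password Safe 2"
SAMPLE_EVENTS = [
    Event("process", {"command_line": f'"{KEEPASS_DIR}\\ShInstUtil.exe" -update'}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KeePass",
                       "value": f'"{KEEPASS_DIR}\\ShInstUtil.exe" -update'}),
    Event("file", {"path": r"C:\Users\alice\AppData\Local\3f9a1c.kp"}),
    Event("file", {"path": r"C:\Users\alice\Documents\Passwords.kdbx"}),      # benign
    Event("process", {"command_line": f'"{KEEPASS_DIR}\\KeePass.exe"'}),      # benign
]


if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{name}] {ev.kind}: {ev.data}")
    print(validate_installer(GOLDEN_INSTALLER, GOLDEN_THUMBPRINT,
                             KNOWN_GOOD_SHA256, KNOWN_GOOD_THUMBPRINTS))
    print(validate_installer(TROJANISED_INSTALLER, "PLACEHOLDER_OTHER_VALID_SIGNER",
                             KNOWN_GOOD_SHA256, KNOWN_GOOD_THUMBPRINTS))
```

Running the block flags the three malicious sample events and leaves the two benign ones alone; the trojanised installer fails even though it is "signed", because neither its hash nor its signer is on the allowlist. In practice the allowlists would be populated from the official KeePass download hashes and the thumbprint of the KeePass publisher certificate, and the events fed from your EDR or Sysmon pipeline.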

Source:

  • https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign

Ampcus Cyber