Watch out! Fake KeePass dropped Ransomware

General Information:

  WithSecure's Threat Intelligence team has published an analysis of a tool used in ransomware attacks: a trojanised installer built from modified KeePass source code that acts as a malware loader, drops a post-exploitation backdoor, and exfiltrates the victim's password-manager database in cleartext.

Description:

  For more than eight months, threat actors distributed fake installers of KeePass, the open-source password manager. The installers still manage passwords as expected, but the source code was modified so that the program also installs a Cobalt Strike beacon as a backdoor and exports every account name, password and website from the open database to a cleartext .csv file; this was followed by ransomware being deployed on the victims' networks. The modified build is tracked as KeeLoader.

Because KeePass is open source, the threat actors could modify the program into KeeLoader, a malware downloader and password stealer, and then advertise it online. The research team also found several lookalike websites whose domain names and pages mimic the spelling and layout of the real vendor sites (domain spoofing, or typosquatting), advertising trojanised builds of other popular programs such as WinSCP, PumpFun, Phantom Wallet, Sallie Mae, Woodforest Bank and DEX Screener. Beyond looking legitimate, these fake builds were signed with valid, trusted code-signing certificates, which lets a file downloaded from an untrusted source pass endpoint checks such as SmartScreen, antivirus and even EDR detections. Such evasion only lasts a short time, until the certificate is revoked and detections are updated, but that window is enough to steal data and cause serious damage to an organisation.

Recommendation:

  Users should download and install software only from the vendor's or official distributor's website and avoid download links in advertisements. Even when an advertised link displays a legitimate-looking URL, the advertiser can redirect the click to a fake website, so type the vendor's address yourself or use a saved bookmark instead.

Indicators of Compromise (IOCs)

Name                   HASH (SHA256)
KeePass Installers     0000cff6a3c7f7eebc0edc3d1e42e454ebb675e57d6fc1fd968952694b1b44b3
KeePass Installers     0e5199b978ae9816b04d093776b6699b660f502445d5850e88726c05e933e7d8
KeePass Installers     83a13d14e1cbc25e46be87472de1956ac91727553bb3f019997467b2bab2658f
KeePass Installers     2c510f9ae4472342faafb7f2a1f278160f3581ead8ccd5b7ba7951863dcba2f5
KeePass Installers     0fc4397d28395974bba2823a1d2437b33793127b8f5020d995109207a830761b
KeePass Executables    fa3eca4d53a1b7c4cfcd14f642ed5f8a8a864f56a8a47acbf5cf11a6c5d2afa2
KeePass Executables    f1c6d8e594f85cd2cb844a3e8a90509ea137a67d7ef3f1b68a7be17df6ccac74
KeePass Executables    128a68a714f2f6002f5e8e8cfe0bbae10cd2ffe63d30c8acc00255b9659ce121
KeePass Executables    9cb3de5d5cc804235bd12c00ed45ec9d6116cc2c7523986dddb4d8643d54f5e5
KeePass Executables    a5e643c6cda31e0c7691dab58febe2efce0e98c33b19fe495b74b885de134a22
KeePass Executables    b51dc9ca6f6029a799491bd9b8da18c9d9775116142cedabe958c8bcec96a0f0
ShInstUtil Files       0f6cfb62ed2f118c776a049b93e5d3e7b226f74e7b466c1cfed3c449ed23a42b
ShInstUtil Files       42d391dd7bfa4ea348ec1cd2620ea6458b37682f2b303e4a266e3d11a689f8ab
ShInstUtil Files       3733b3be213ee4b959b70ff070b46e30b2785b14f1aecb74e0788dd00a1e1853
WinSCP                 2dd75a7f9948d794e95539b9a9ccc6a1488fb64dbe099fea401a13f98166d6ae
TreeSize Free          5b48bbf2364f78812ea411ef41fb8b693a3965df13596b303e12f69908784d03
TreeSize Free          fa3eca4d53a1b7c4cfcd14f642ed5f8a8a864f56a8a47acbf5cf11a6c5d2afa2
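A practical way to use the table above is to sweep download folders and software shares for files whose SHA-256 matches one of the listed hashes. The script below is an added example, not tooling from WithSecure or INET MS: it parses the page's flattened "name line / hash line" table into a hash-to-family map, hashes every file under a directory in streaming fashion, and reports hits. The 17 hashes are the page's own IOCs; the file written by demo() and its label are constructed so the example can run offline. Note that a hash match only catches these exact samples; a recompiled or re-signed build will need the certificate and behavioural checks discussed in the description.

```python
"""IOC sweep for the trojanised KeePass (KeeLoader) hashes listed on this page.

Added example, not WithSecure's or INET MS's tooling. The IOC text is copied
from the page; the demo() file is constructed and harmless.
"""
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# Copied from the page's IOC table: a family name, then one or more SHA-256 lines.
IOC_TABLE = """
KeePass Installers
0000cff6a3c7f7eebc0edc3d1e42e454ebb675e57d6fc1fd968952694b1b44b3
0e5199b978ae9816b04d093776b6699b660f502445d5850e88726c05e933e7d8
83a13d14e1cbc25e46be87472de1956ac91727553bb3f019997467b2bab2658f
2c510f9ae4472342faafb7f2a1f278160f3581ead8ccd5b7ba7951863dcba2f5
0fc4397d28395974bba2823a1d2437b33793127b8f5020d995109207a830761b
KeePass Executables
fa3eca4d53a1b7c4cfcd14f642ed5f8a8a864f56a8a47acbf5cf11a6c5d2afa2
f1c6d8e594f85cd2cb844a3e8a90509ea137a67d7ef3f1b68a7be17df6ccac74
128a68a714f2f6002f5e8e8cfe0bbae10cd2ffe63d30c8acc00255b9659ce121
9cb3de5d5cc804235bd12c00ed45ec9d6116cc2c7523986dddb4d8643d54f5e5
a5e643c6cda31e0c7691dab58febe2efce0e98c33b19fe495b74b885de134a22
b51dc9ca6f6029a799491bd9b8da18c9d9775116142cedabe958c8bcec96a0f0
ShInstUtil Files
0f6cfb62ed2f118c776a049b93e5d3e7b226f74e7b466c1cfed3c449ed23a42b
42d391dd7bfa4ea348ec1cd2620ea6458b37682f2b303e4a266e3d11a689f8ab
3733b3be213ee4b959b70ff070b46e30b2785b14f1aecb74e0788dd00a1e1853
WinSCP
2dd75a7f9948d794e95539b9a9ccc6a1488fb64dbe099fea401a13f98166d6ae
TreeSize Free
5b48bbf2364f78812ea411ef41fb8b693a3965df13596b303e12f69908784d03
fa3eca4d53a1b7c4cfcd14f642ed5f8a8a864f56a8a47acbf5cf11a6c5d2afa2
"""

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_ioc_table(text: str) -> dict[str, set[str]]:
    """Turn name/hash lines into {sha256 (lowercase): {family names}}.

    A name line applies to every hash line until the next name line, so a hash
    listed under two names (as fa3eca4d... is on the page) keeps both names.
    """
    iocs: dict[str, set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEX64.match(line):
            if current is None:
                raise ValueError(f"hash with no preceding name: {line}")
            iocs.setdefault(line.lower(), set()).add(current)
        else:
            current = line
    return iocs


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large installers never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: Path, iocs: dict[str, set[str]]) -> list[tuple[Path, str, set[str]]]:
    """Hash every regular file under root; return (path, sha256, names) for hits."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_of(path)
        except OSError:
            continue  # locked or unreadable file: skip it and keep sweeping
        if digest in iocs:
            hits.append((path, digest, iocs[digest]))
    return hits


def demo() -> list[tuple[Path, str, set[str]]]:
    """Constructed run: a harmless file is registered under a made-up label so
    the sweep has something to hit. Returns the hit list."""
    iocs = parse_ioc_table(IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = root / "KeePass-Setup.exe"  # constructed, not malware
        sample.write_bytes(b"constructed sample, not a real installer")
        (root / "notes.txt").write_text("benign file", encoding="utf-8")
        iocs[sha256_of(sample)] = {"constructed test entry"}
        return sweep(root, iocs)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = sweep(target, parse_ioc_table(IOC_TABLE)) if target else demo()
    for path, digest, names in results:
        print(f"HIT {path}  {digest}  {', '.join(sorted(names))}")
```

Run it as `python sweep.py C:\Users\alice\Downloads` (or any directory) to hash real files; with no argument it runs the constructed demo. Keep the IOC text in sync with the page when new hashes are published.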

 

The key point is security monitoring: stay alert and keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)

 

Weekly Interesting CVE

Columns: No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference

1. CVE-2025-32002
   Published: 15/5/2025   Last update: 15/5/2025
   Target: I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier, when the 'Remote Link3' function is enabled
   Attack type: Code Execution (OS command injection)
   CVSS: 9.3
   Detail: An improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when the 'Remote Link3' function is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.
   Solution: Disable the Remote Link3 function, or update the firmware to Ver.1.22 or the latest version.
   Reference: https://app.opencve.io/cve/CVE-2025-32002
              https://jvn.jp/en/vu/JVNVU91726405/

2. CVE-2024-54780
   Published: 14/5/2025   Last update: 17/5/2025
   Target: Netgate pfSense CE (prior to the 2.8.0 beta release) and the corresponding Plus builds
   Attack type: Code Injection
   CVSS: 8.8
   Detail: Netgate pfSense CE (prior to the 2.8.0 beta release) and the corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input passed to the OpenVPN management interface. An authenticated attacker can exploit this by injecting arbitrary OpenVPN management commands via the remipp parameter.
   Solution: Install or update the System Patches package and apply the fixes for these issues using its recommended patches function.
   Reference: https://app.opencve.io/cve/CVE-2024-54780
              https://www.netgate.com/blog/important-security-updates-for-pfsense-plus-24.11-and-ce-2.7.2
              https://blog.brillantit.com/exploiting-pfsense-xss-command-injection-cloud-hijack/

3. CVE-2025-33103
   Published: 17/5/2025   Last update: 17/5/2025
   Target: IBM i 7.2, 7.3, 7.4, 7.5 and 7.6 (product: IBM TCP/IP Connectivity Utilities for i)
   Attack type: Privilege escalation
   CVSS: 8.5
   Detail: The IBM TCP/IP Connectivity Utilities for i product on IBM i 7.2, 7.3, 7.4, 7.5 and 7.6 contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system.
   Solution: IBM has released patches for each affected release; apply the latest update.
   Reference: https://app.opencve.io/cve/CVE-2025-33103
              https://www.ibm.com/support/pages/node/7233799

4. CVE-2023-43017
   Published: 15/9/2023   Last update: 15/5/2025
   Target: IBM Security Verify Access 10.0.0.0 through 10.0.6.1
   Attack type: Remote Code Execution
   CVSS: 8.2
   Detail: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access. IBM X-Force ID: 266155.
   Solution: If you are running version 10.0.0.0 through 10.0.6.1, check IBM's patches and security advisories and update to the latest version.
   Reference: https://app.opencve.io/cve/CVE-2023-43017

5. CVE-2025-1493
   Published: 20/2/2025   Last update: 16/5/2025
   Target: IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 12.1.0 through 12.1.1
   Attack type: Denial of Service (DoS)
   CVSS: 5.3
   Detail: IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 12.1.0 through 12.1.1 could allow an authenticated user to cause a denial of service due to concurrent execution of shared resources.
   Solution: IBM has released a patch to address this vulnerability. Users are strongly advised to upgrade to Db2 12.1 Fix Pack 7 or later as soon as possible.
   Reference: https://app.opencve.io/cve/CVE-2025-1493

 

 

Malware News or Campaign IOC/IOA | EN

Columns: No. | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation

1. Ransomware gangs increasingly use Skitnet post-exploitation malware
   Detection date: 16/05/2025
   Attack type: Ransomware, Command and Control (C2) Server
   Description:
   Ransomware groups are increasingly using a post-exploitation malware called Skitnet (also known as Bossnet). According to Prodaft researchers, the malware was discovered in 2024, has been used more widely in 2025, and is offered on the "RAMP" underground platform. It is typically deployed after a successful phishing attack; Black Basta, for example, deployed it following Microsoft Teams-themed phishing.
   Skitnet runs a Nim-based payload that connects to the C2 server over DNS, using randomly generated DNS queries to carry a reverse shell through which the attacker executes commands. It can also install AnyDesk for remote access to the victim machine and take screenshots of the machine with PowerShell, sending them to the C2 server.
   Because Ransomware-as-a-Service (RaaS) operations are expensive, attackers favour cheaper off-the-shelf malware deployed in stages, which is expected to drive a spike in attacks in 2025.
   Mitigation/Remediation:
   • Regularly update your operating system and software.
   • Deploy antivirus/endpoint protection.
   • Run awareness training so staff recognise phishing e-mail.
   • Set a firewall policy that strictly controls traffic entering and leaving the organisation's devices.
   • Continuously monitor internal network usage and analyse suspicious traffic.
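The last mitigation above is where Skitnet's DNS-based reverse shell is most visible: a beacon that hides in randomly generated DNS queries leaves one host asking for many distinct, high-entropy subdomains under a single parent domain. The script below is an added example, not Prodaft's or INET MS's detection content. It scores resolver log lines in a constructed format, groups them by (host, parent domain), and flags groups whose distinct subdomain count and mean Shannon entropy exceed thresholds; the sample queries and the thresholds are assumptions to tune against your own logs.

```python
"""Heuristic for DNS-carried C2 of the kind the Skitnet entry describes.

Added example, not Prodaft's or the vendor's detection content. The log line
format and every query in SAMPLE_LOG are constructed; the thresholds are
assumptions to tune against real resolver logs.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed format: "<timestamp> <host> query=<qname>", one line per DNS query.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query=(?P<qname>\S+)$")

SAMPLE_LOG = """
2025-05-16T10:00:01Z WS-01 query=www.example.com
2025-05-16T10:00:02Z WS-01 query=mail.example.com
2025-05-16T10:00:03Z WS-02 query=login.example.com
2025-05-16T10:00:04Z WS-01 query=q7m2x9kz4vd1rp8wtb3n.sync-cdn.test
2025-05-16T10:00:05Z WS-01 query=a5h8j2l0p4s6u1y3c7e9.sync-cdn.test
2025-05-16T10:00:06Z WS-01 query=zx4cv7bn2ml9kj1hg6fd.sync-cdn.test
2025-05-16T10:00:07Z WS-01 query=t1r3e5w7q9y2u4i6o8p0.sync-cdn.test
2025-05-16T10:00:08Z WS-02 query=cdn.example.com
2025-05-16T10:00:09Z WS-01 query=g8f6d4s2a0k1l3j5h7m9.sync-cdn.test
2025-05-16T10:00:10Z WS-01 query=b2n4m6v8c0x1z3l5k7j9.sync-cdn.test
2025-05-16T10:00:11Z WS-01 query=w9e7r5t3y1u2i4o6p8q0.sync-cdn.test
2025-05-16T10:00:12Z WS-01 query=n3b5v7c9x1z2m4k6l8j0.sync-cdn.test
2025-05-16T10:00:13Z WS-01 query=www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: 0.0 for 'aaaa', 1.0 for 'ab', ~4.32 for 20 distinct chars."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str):
    """Return (subdomain, parent) with parent = the last two labels, or None when
    there is no subdomain to score. Real deployments should use a public suffix
    list so 'co.uk'-style parents are handled; two labels is the simplification here."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(lines, min_distinct: int = 8, min_entropy: float = 3.0) -> list[dict]:
    """Group queries by (host, parent) and flag groups with at least min_distinct
    distinct subdomains whose mean per-subdomain entropy is >= min_entropy."""
    groups = defaultdict(lambda: {"count": 0, "subs": set(), "entropy_sum": 0.0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip it, never crash the pipeline
        parts = split_qname(m["qname"])
        if parts is None:
            continue
        sub, parent = parts
        g = groups[(m["host"], parent)]
        g["count"] += 1
        g["subs"].add(sub)
        g["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    alerts = []
    for (host, parent), g in groups.items():
        mean_entropy = g["entropy_sum"] / g["count"]
        if len(g["subs"]) >= min_distinct and mean_entropy >= min_entropy:
            alerts.append({"host": host, "parent": parent,
                           "queries": g["count"],
                           "distinct_subdomains": len(g["subs"]),
                           "mean_entropy": round(mean_entropy, 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log the only alert is WS-01 talking to sync-cdn.test (8 distinct subdomains, mean entropy about 4.32 bits per character); the example.com lookups from both hosts stay well under both thresholds. Feed it your resolver's export after adapting LOG_RE, and expect to whitelist CDN and telemetry domains that legitimately use hashed hostnames.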

 

04 June 2025
