A sophisticated, long-running campaign leveraging trojanized KeePass installers to deploy Cobalt Strike beacons, steal credentials, and execute ransomware has been linked to Black Basta and BlackCat/ALPHV ransomware affiliates. The campaign, active for 8+ months, exploits malvertising, code-signing abuse, and open-source software trust to breach networks.
Key Campaign Updates
- Malware Evolution:
- KeeLoader (trojanized KeePass) now includes five distinct variants (July 2024–February 2025) with iterative improvements:
- Direct credential exfiltration → Local credential storage → Cobalt Strike integration.
- Signed with legitimate/revoked certificates from entities like S.R.L. INT-MCOM and Shenzhen Kantianxia Network Technology Co..
- Defense evasion: Code obfuscation (e.g., typos like `Todway` for `ToArray`), encrypted payloads (RC4), and sandbox-aware execution (triggers only after KeePass database access).
- Infrastructure Expansion:
- Malvertising Domains:
- `aenys[.]com` hosts subdomains impersonating WinSCP, Sallie Mae, Phantom Wallet, and cryptocurrency platforms.
- Redirects via typosquatting domains (e.g., `keeppaswrd[.]com`, `keegass[.]com`).
- Cobalt Strike C2:
- `arch-online[.]com`, `alcmas[.]com` (watermark 1357776117), and `1ba8d063-0[.]1b-cdn[.]net` (watermark 678358251).
- Attribution Insights:
- Moderate Confidence: Activity overlaps with UNC4696, a threat actor linked to Nitrogen Loader campaigns (historically tied to BlackCat/ALPHV).
- Black Basta Connections: Cobalt Strike watermark 1357776117 is uniquely tied to Black Basta IABs.
- Ransom Note Anomaly: Spoofs Akira ransomware but uses a Session ID matching a KeeLoader SHA256 hash, suggesting hybrid tactics.
MITRE ATT&CK TTP Mapping
| Tactic | Technique | ID | Example |
|---|
| Initial Access | Drive-by Compromise via Malvertising | T1189 | Bing/DuckDuckGo ads redirecting to `keeppaswrd[.]com`. |
| Execution | User Execution of Trojanized KeePass Installer | T1204.002 | Victims run `KeePass-2.56-Setup.exe`, believing it legitimate. |
| Persistence | Registry Run Keys (`HKCU\...\Run\Keepass`) | T1547.001 | Auto-launches malicious `ShInstUtil.exe`. |
Critical Indicators of Compromise (IoCs)
Domains:
- `aenys[.]com` (malvertising hub), `keeppaswrd[.]com`, `lvshilc[.]com`, `arch-online[.]com`, `alcmas[.]com`.
- Subdomains: `salliemae-com-login[.]aenys[.]com`, `winscp-net-download[.]aenys[.]com`.
Files:
- KeePass Installers:
- `KeePass-2.56-Setup.exe` (SHA256: `0000cf6a3c7f7eebc0edc3d1e42e45debb675e57d6fc1fd96995269db1b44b3`).
- `KeePass-2.57-Setup.exe` (SHA256: `0e5199b978ae9816b04d093776b6699b660f502445d5850e88726c05e933e7d8`).
- Cobalt Strike Payloads:
- `db.idx` (masquerades as JPG; RC4-encrypted with `--update` key).
Certificates:
- Thumbprints: `467c6c43e6fbbl7fcaefb46fc41a6b2b829e0efa`, `2CF75DAE1A87CA7962CAF67E7310420BBBC30588`.
- Signers: S.R.L. INT-MCOM, Shenzhen Kantianxia Network Technology Co., Ltd.
Mitigation & Detection Strategies
- Block Malicious Infrastructure:
- Add IoC domains (e.g., `aenys[.]com`, `keeppaswrd[.]com`) to network blocklists.
- Monitor for connections to C2 IPs: `89.35.237[.]180`, `1ba8d063-0[.]1b-cdn[.]net`.
- Hunt for Artifacts:
- Detect `.kp`/`.ks` files in `%localappdata%` with randomized filenames (e.g., `437.kp`).
- Flag processes spawning `ShInstUtil.exe` with `--update` arguments.
- Verify Software Integrity:
- Download KeePass only from keepass.info (SourceForge).
- Validate checksums and certificates against known-good versions.
- Ransomware Preparedness:
- Isolate ESXi servers and enforce MFA for administrative access.
- Regularly audit backup systems (e.g., Veeam) for tampering.
Implications & Attribution
- Evolving Tradecraft: Threat actors now modify open-source codebases (KeePass) rather than sideloading malware, increasing stealth.
- Ransomware-as-a-Service (RaaS): Links to Black Basta and Nitrogen Loader highlight a converging criminal ecosystem where IABs and affiliates share infrastructure/tools.
- Adversary Resilience: Despite Black Basta’s decline, affiliated IABs continue operations, underscoring the need to target root infrastructure (malvertising domains, bulletproof hosting).