Fake KeePass site uses Google Ads and Punycode to push malware

October 19, 2023 at 02:18PM

A Google Ads campaign has been discovered promoting a fake KeePass download site that distributes malware. Threat actors are using Punycode to make the domain appear official, posing a challenge for security-conscious users. The Punycode domain is visually similar to the legitimate KeePass domain but with a slight difference. The fake site delivers a PowerShell script associated with the FakeBat malware loader. Similar campaigns targeting software such as WinSCP and PyCharm Professional have also been identified.

Key takeaways from the meeting notes are:

1. A Google Ads campaign was discovered pushing a fake KeePass download site, using Punycode to appear as the legitimate domain of KeePass.
2. Malwarebytes uncovered this abuse of Punycode and Google Ads, potentially indicating a new dangerous trend in cybercrime.
3. Threat actors utilize Punycode to create domain names that look similar to legitimate sites but with slight differences.
4. This type of attack is known as a “homograph attack”; in this case, the Punycode domain “xn--eepass-vbb.info” renders as “ķeepass.info”, differing from the real name only by a small diacritic under the “k”.
5. Clicking on the fake site’s download links leads to a digitally signed MSIX installer named ‘KeePass-2.55-Setup.msix’ containing a FakeBat PowerShell script associated with malware.
6. Google has removed the original Punycode advertisement; however, BleepingComputer discovered ongoing KeePass ads in the same malware campaign.
7. Another fake KeePass site, keeqass[.]info, was identified in the campaign, pushing the same malware-laden MSIX file.
8. The FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it, and extracts it to the %AppData% folder.
9. The final malware payload delivered in the campaign has not been determined, but FakeBat is associated with infostealers such as Redline, Ursnif, and Rhadamanthys.
10. Other popular software, such as WinSCP and PyCharm Professional, has also been impersonated in this malware campaign.
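As an added illustration (not code from the article, Malwarebytes or BleepingComputer), the check below shows how a defender can screen a domain feed for the two lookalike patterns named above: it renders xn-- labels back to the Unicode a browser would display, strips diacritics so the homograph ķeepass.info collapses onto keepass.info, and flags one-character typosquats such as keeqass.info. The watch-list of protected brand domains is an assumption.

```python
import unicodedata

# Constructed watch-list of brand domains to protect (assumption, not from the article).
PROTECTED_DOMAINS = ("keepass.info", "winscp.net", "jetbrains.com")


def to_unicode(hostname: str) -> str:
    """Convert an ACE hostname (xn-- labels) to the Unicode form a browser shows."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Confusable skeleton: NFKD-decompose and drop combining marks, so
    the 'k with cedilla' (U+0137) used in the campaign collapses to plain 'k'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def hamming(a: str, b: str) -> int:
    """Differing positions for equal-length strings; -1 if lengths differ."""
    if len(a) != len(b):
        return -1
    return sum(x != y for x, y in zip(a, b))


def match_reason(shown: str, brand: str):
    """Why the displayed name imitates 'brand', or None if it does not."""
    if shown == brand:
        return "exact"
    if skeleton(shown) == brand:
        return "homograph"      # diacritic-only difference, e.g. ķeepass.info
    if hamming(skeleton(shown), brand) == 1:
        return "typosquat"      # single substituted character, e.g. keeqass.info
    return None


def analyse_domain(hostname: str) -> dict:
    """Classify a domain against the watch-list; 'brand' is None when nothing matches."""
    shown = to_unicode(hostname)
    result = {"shown": shown, "idn": shown != hostname.lower(), "brand": None, "reason": None}
    for brand in PROTECTED_DOMAINS:
        reason = match_reason(shown, brand)
        if reason:
            result["brand"], result["reason"] = brand, reason
            break
    return result


if __name__ == "__main__":
    for host in ("xn--eepass-vbb.info", "keeqass.info", "keepass.info"):
        print(host, analyse_domain(host))
```

The skeleton step is deliberately crude (NFKD plus mark stripping); a production filter would use the Unicode confusables table and also check the issuing registrar and certificate age before acting on a hit.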

Please let me know if you need any further information or if there are any specific actions to be taken regarding these findings.
