
    How Google ads and Punycode trick users into downloading fake KeePass software


    If you use the open-source password manager KeePass, you might want to be extra careful when searching for it on Google. A clever malvertising attack uses Google ads and a look-alike domain to trick users into downloading a fake version of the software that can steal their passwords and other sensitive data.


    The attack was discovered by Malwarebytes, a cybersecurity company that specializes in detecting and removing malware. According to their blog post, the malicious ad appears when users search for ‘keepass’ on Google and leads them to a site that looks like the official KeePass website, but is actually served from a Punycode-encoded domain that hosts malware.

    Punycode is a way of representing Unicode characters using ASCII characters, which can be used to create domains that look similar to legitimate ones. For example, the fake KeePass site uses the domain xn--kpass-9of[.]com, which is displayed as këepass[.]com in the browser. The attackers use a valid TLS certificate and the official KeePass logo to make the site look legitimate.
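The look-alike check described above can be automated. The following is an added example, not code from the article or from Malwarebytes: it decodes `xn--` labels and flags hostnames whose accent-stripped form matches a protected name. `PROTECTED_NAMES` and the function names are hypothetical, and the sample hostnames are constructed at runtime.

```python
import unicodedata

# Assumption: the product names an organisation wants to protect.
PROTECTED_NAMES = {"keepass"}

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label, decoding xn-- (Punycode) labels."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label
    return label

def skeleton(text: str) -> str:
    """Fold accents away: NFKD-decompose, drop combining marks, lowercase.
    This catches diacritic look-alikes only, not cross-script confusables."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def check_host(host: str) -> dict:
    """Classify a hostname as 'lookalike', 'non-ascii' or 'ok'."""
    labels = [decode_label(part) for part in host.rstrip(".").split(".")]
    verdict = "ok"
    for label in labels:
        if label.isascii():
            continue  # a plain ASCII label cannot be an accent look-alike
        if skeleton(label) in PROTECTED_NAMES:
            verdict = "lookalike"
        elif verdict == "ok":
            verdict = "non-ascii"
    return {"host": host, "display": ".".join(labels), "verdict": verdict}

def constructed_samples() -> list:
    """Constructed test hostnames; the Punycode forms are computed here, not copied."""
    spoof = "k\u00ebepass.com".encode("idna").decode("ascii")  # accented look-alike
    other = "m\u00fcnchen.de".encode("idna").decode("ascii")   # unrelated IDN
    return [spoof, "keepass.info", other]

if __name__ == "__main__":
    for sample in constructed_samples():
        print(check_host(sample))
```

A `non-ascii` verdict only means the name is an internationalized domain; the `lookalike` verdict is the one worth alerting on in proxy or DNS logs.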

    The fake site offers users a download of the latest version of KeePass, but instead delivers malware that Malwarebytes detects as FakeBat. The malware is not particularly sophisticated, but it does have some interesting features such as anti-analysis and anti-debugging techniques, as well as the ability to communicate with a command and control server.

    The malware can steal passwords and other sensitive data from the victims, such as browser history, cookies, bookmarks, autofill data, and credit card information. It can also monitor the clipboard, capture screenshots, and download and execute additional payloads from the server.

    Malwarebytes reported this incident to Google’s Safe Browsing team who promptly removed the malicious ad from their network. However, the fake site is still active and may use other methods to lure unsuspecting users.

    This attack is similar to previous campaigns that targeted other popular software such as 7-Zip, Audacity, and VLC Player. Users should always be careful when downloading software from the Internet, even if it appears to come from a trusted source. It is advisable to check the domain name carefully and use official sources or reputable download sites. Users should also use antivirus software and keep it updated regularly.

    Relevant articles:
    – Google-hosted malvertising leads to fake Keepass site that looks genuine, by Dan Goodin, published on October 18, 2023
    – Clever malvertising attack uses Punycode to look like KeePass’s official website, by Jérôme Segura, published on October 18, 2023
    – Google-Hosted Malvertising Results In Genuine-Looking Fake Keepass Site, by Inside Express, published on October 19, 2023
