Beware – this fake KeePass download site is just spreading malware
Hackers are getting creative with malicious Google Ads campaigns: in a new scam spotted by cybersecurity researchers at Malwarebytes, even eagle-eyed visitors could fall prey and end up accidentally installing malware.
Hackers have been spotted spreading malware by impersonating the KeePass password manager, first by creating a website that looks almost identical to the real KeePass site, then by offering a program for download that looks and feels like the genuine article.
However, in this case, the program would also come with the PowerShell script associated with the FakeBat malware loader, effectively compromising the endpoint.
Punycode
But that’s only half the battle. The other half is getting people to visit the site. To do that, the crooks create malicious Google ads. Typically, they compromise an active Google Ads account (or buy one on the black market) and use it to set up a new campaign. When setting up this campaign, they used Punycode to hide the malicious website’s URL and make it look real.
Punycode is an encoding standard built for internationalized domain names. In other words, it allows domain names containing characters that cannot be written in ASCII to be represented in ASCII, which is how non-Latin scripts (Cyrillic or Chinese) are introduced into the Domain Name System (DNS).
With Punycode, the real address of the fake site, “xn--eepass-vbb.info”, would be displayed as “ķeepass.info”. You may not have noticed it, but there’s a little dot under the letter k. And so, the threat actors make people visit a fake site, thinking it is the real one.
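To make the trick concrete from the defender's side, here is an added example (not code from the article, Malwarebytes or the KeePass project) that decodes a Punycode hostname with Python's built-in `idna` codec, reduces the Unicode form to an ASCII "skeleton" by stripping diacritics such as the mark under the k, and flags names whose skeleton has exactly the shape of an ASCII brand name. The sample hostnames are constructed for the demonstration; the first is the look-alike domain quoted above, and the Cyrillic name is an assumed honest IDN used for contrast. The check also generalizes beyond the KeePass case: any IDN whose labels collapse one-for-one onto Latin letters is reported as a homograph candidate.

```python
import unicodedata

# Constructed sample hostnames for the demonstration. The first is the
# ASCII (Punycode) form of the look-alike domain quoted in the article;
# the others are the genuine ASCII name and an assumed honest Cyrillic IDN.
SAMPLE_HOSTS = [
    "xn--eepass-vbb.info",
    "keepass.info",
    "пример.example".encode("idna").decode("ascii"),
]


def to_unicode(host: str) -> str:
    """Decode an ASCII hostname (xn-- labels) into the Unicode form that
    would be displayed if the browser applied no IDN safety rules."""
    return host.encode("ascii").decode("idna")


def ascii_skeleton(text: str) -> str:
    """Rough 'what the eye sees' reduction: decompose with NFKD, drop the
    combining marks (such as the cedilla under k), keep only ASCII."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(
        ch for ch in decomposed if ord(ch) < 128 and not unicodedata.combining(ch)
    )


def analyze(host: str) -> dict:
    """Classify a hostname: is it an IDN, and does every label collapse to
    an ASCII label of the same length (a homograph candidate)?"""
    unicode_form = to_unicode(host)
    skeleton = ascii_skeleton(unicode_form)
    is_idn = any(ord(ch) > 127 for ch in unicode_form)
    lookalike = False
    if is_idn:
        # Each non-ASCII letter must map to exactly one Latin letter for the
        # name to read like an ASCII brand; a Cyrillic label reduces to ""
        # and therefore fails the length test.
        pairs = zip(unicode_form.split("."), skeleton.split("."))
        lookalike = all(len(u) == len(s) > 0 for u, s in pairs)
    return {
        "ascii": host,
        "unicode": unicode_form,
        "skeleton": skeleton,
        "idn": is_idn,
        "lookalike": lookalike,
    }


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = analyze(h)
        flag = "LOOKALIKE" if r["lookalike"] else ("idn" if r["idn"] else "ascii")
        print(f"{r['ascii']:26} -> {r['unicode']:16} skeleton={r['skeleton']:14} [{flag}]")
```

Running it prints the decoded form next to its skeleton, so `xn--eepass-vbb.info` shows up as `ķeepass.info` with skeleton `keepass.info` and the LOOKALIKE flag, while the plain ASCII name and the Cyrillic IDN do not. The same logic can be run over proxy or DNS logs to surface look-alike hostnames that were reached through ads.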
Malwarebytes informed Google of the trick and the search engine giant removed the malicious campaign. However, other similar campaigns are still active, and there are likely many more that cybersecurity researchers are not aware of. Users should be very careful when visiting sites via the search engine and always check the address in the URL bar.
Through BleepingComputer