malware

A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware.

Google has been battling with ongoing malvertising campaigns that allow threat actors to take out sponsored ads that appear above search results.

Even worse, Google Ads can be abused to show the legitimate domain for Keepass in the advertisements (https://www.keepass.info), making the threat hard to spot even for more diligent and security-conscious users.

The malicious Google Search result
The malicious Google Search result
Source: Malwarebytes

Those who click on the malicious link will pass through a series of system-profiling redirections that filter out bot traffic and sandboxes to arrive at the fake KeePass website using a Punycode URL, https://xn--eepass-vbb[.]info/, as shown below.

Redirects users go through when clicking the malicious result
Redirects users go through when clicking the malicious result
Source: Malwarebytes

Malwarebytes, which discovered this campaign, notes that the abuse of Punycode for cybercrime isn’t novel. However, its combination with Google Ads abuse can signify a new dangerous trend in the field.

Punycode trick

Punycode is an encoding method used to represent Unicode characters, helping convert hostnames in non-Latin scripts (Cyrillic, Arabic, Greek, Chinese, etc.) to ASCII to make them understandable to the DNS (Domain Name System).

For example, “München” would be converted to “Mnchen-3ya,” “α” would become “mxa,” “правда” would be “80aafi6cg,” and “도메인” would become “hq1bm8jm9l.”

Threat actors abuse Punycode to register domain names that appear similar to legitimate sites but with one character using unicode, to look slightly different.

These types of attacks are called “homograph attacks.” In the one spotted by Malwarebytes, the threat actors use the Punycode “xn—eepass-vbb.info” which converts to “ķeepass.info,” the project’s genuine domain, but with a minor intonation underneath the character “ķ.”

Punycode used in the campaign
Punycode used in the campaign
Source: Malwarebytes

This tiny visual glitch is unlikely to be perceived by most users visiting the decoy site but is a giveaway of the technique used in this case.

Real (left) and fake (right) sites
Real (left) and fake (right) sites
Source: Malwarebytes

Those clicking on any download links embedded on the fake site receive a digitally-signed MSI installer called ‘KeePass-2.55-Setup.msix’ that includes a PowerShell script associated with the FakeBat malware loader.

PowerShell script in fake KeePass installer
PowerShell script in fake KeePass installer
Source: BleepingComputer

While Google has removed the original Punycode advertisement seen by Malwarebytes, BleepingComputer found additional ongoing KeePass ads in the same malware campaign.

This advertisement, though, leads to a domain called keeqass[.]info, as shown in the image below.

Ongoing Google ads lead to another fake KeePass site
Ongoing Google ads lead to another fake KeePass site
Source: BleepingComputer

Like the Punycode domain, this site pushes the same MSIX file that includes the same FakeBat PowerShell script to download and install malware on the Windows device.

In BleepingComputer’s tests, when executed, the FakeBat PowerShell script will download a GPG-encrypted RAR archive, decrypt it, and extract it to the %AppData% folder.

In the file analyzed by BleepingComputer, the script will launch a file named ‘mergecap.exe’ from the archive.

An Intel471 report from early 2023 explained that FakeBat is a malware loader/dropper associated with malvertizing campaigns since at least November 2022.

The final malware payload delivered in the campaign seen by Malwarebytes isn’t determined, but a Sophos report from July 2023 links FakeBat with infostealers like Redline, Ursniff, and Rhadamathys.

BleepingComputer has found other popular software impersonated in this malware campaign, including WinSCP and PyCharm Professional.

Source link