A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware.

Google has been battling ongoing malvertising campaigns that allow threat actors to take out sponsored ads that appear above search results. Even worse, Google Ads can be abused to show the legitimate KeePass domain in the advertisement itself, making the threat hard to spot even for diligent, security-conscious users.

Those who click on the malicious link pass through a series of system-profiling redirections that filter out bot traffic and sandboxes before arriving at the fake KeePass website, which uses the Punycode URL https://xn--eepass-vbb[.]info.

Malwarebytes, which discovered this campaign, notes that the abuse of Punycode for cybercrime isn't novel, but its combination with Google Ads abuse could signal a new and dangerous trend.

Punycode is an encoding method used to represent Unicode characters, converting hostnames in non-Latin scripts to ASCII so that the DNS can handle them. For example, "München" is converted to "Mnchen-3ya," "α" becomes "Mxa," "правда" becomes "80aafi6cg," and "도메인" becomes "Hq1bm8jm9l." In an actual domain name, the encoded label is prefixed with "xn--" so that software knows to decode it.

Threat actors abuse Punycode to register domain names that look like those of legitimate sites but with one character swapped for a Unicode lookalike, so that the name differs only slightly. These are known as homograph attacks. In the case spotted by Malwarebytes, the threat actors use the Punycode domain "xn--eepass-vbb.info", which decodes to "ķeepass.info": the only difference from the real name is a cedilla under the first letter.

Those who click any download link embedded on the fake site receive a digitally signed MSIX installer named 'KeePass-2.55-Setup.msix' that includes a PowerShell script associated with the FakeBat malware loader.

While Google has removed the original Punycode advertisement seen by Malwarebytes, BleepingComputer found additional ongoing KeePass ads in the same malware campaign.
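As an added illustration of the Punycode encoding and the homograph trick described above (example code written for this article, not code from BleepingComputer, Malwarebytes, or the KeePass project), the following Python decodes "xn--" labels with the standard library's punycode codec and flags a hostname whose non-ASCII label collapses onto a known brand name once diacritics are stripped and a small table of lookalike letters is applied. The confusables table and the brand list are constructed for the example and deliberately incomplete; Unicode's confusables.txt is the full reference, and the `skeleton` function is only a rough approximation of that mechanism. The hostname xn--eepass-vbb.info is the one from the article; xn--80ak6aa92e.com is a constructed Cyrillic lookalike used here to show the second case.

```python
"""Punycode decoding and a basic homograph check.

Added example for this article; not code from BleepingComputer,
Malwarebytes, or KeePass. Hostnames are either from the article
(xn--eepass-vbb.info) or constructed for illustration.
"""
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render
# like Latin ones. Unicode's confusables.txt is the complete reference.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def decode_label(label):
    """Decode one DNS label; labels without the 'xn--' prefix are returned as-is."""
    if label.lower().startswith("xn--"):
        # The 'punycode' codec implements RFC 3492 on the part after 'xn--'.
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_hostname(hostname):
    """Decode every label of a hostname, e.g. 'xn--eepass-vbb.info'."""
    return ".".join(decode_label(part) for part in hostname.strip(".").split("."))


def encode_label(text):
    """Encode a Unicode label as bare Punycode, the way the article's
    examples show it (without the 'xn--' prefix)."""
    return text.encode("punycode").decode("ascii")


def skeleton(label):
    """Reduce a label to roughly what a reader sees: lower-case it,
    decompose it (NFKD) so accents and cedillas become separate combining
    marks, drop those marks, then map listed confusables to their Latin twin."""
    chars = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue  # drops the cedilla in 'ķ', the umlaut in 'ü', etc.
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)


def homograph_of(hostname, brands):
    """Return the brand a hostname visually impersonates, or None.

    Only non-ASCII labels are checked, so a brand's genuine ASCII domain
    is never reported as its own lookalike.
    """
    for label in decode_hostname(hostname).split("."):
        if label.isascii():
            continue
        candidate = skeleton(label)
        if candidate in brands:
            return candidate
    return None


if __name__ == "__main__":
    watched = {"keepass", "apple"}
    for host in ("xn--eepass-vbb.info", "keepass.info", "xn--80ak6aa92e.com"):
        print(host, "->", decode_hostname(host), "| impersonates:", homograph_of(host, watched))
```

One detail worth knowing when comparing against the article's table: the codec emits the encoded tail in lower case ("mnchen-3ya", "mxa"), whereas the article capitalises the first letter; DNS is case-insensitive, so both refer to the same label.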
Like the Punycode domain, this site pushes the same MSIX file containing the same FakeBat PowerShell script, which downloads and installs malware on the Windows device. In BleepingComputer's tests, when executed, the FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it, and extracts it to the %AppData% folder.

An Intel471 report from early 2023 describes FakeBat as a malware loader/dropper associated with malvertising campaigns since at least November 2022. The final payload delivered in the campaign seen by Malwarebytes has not been determined, but a Sophos report from July 2023 links FakeBat with infostealers such as RedLine, Ursnif, and Rhadamanthys.

BleepingComputer has found other popular software impersonated in this malware campaign, including WinSCP and PyCharm Professional.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000