{"id":23174,"date":"2023-10-19T11:10:50","date_gmt":"2023-10-19T19:10:50","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/19\/news-16904\/"},"modified":"2023-10-19T11:10:50","modified_gmt":"2023-10-19T19:10:50","slug":"news-16904","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/10\/19\/news-16904\/","title":{"rendered":"Clever malvertising attack uses Punycode to look like KeePass’s official website"},"content":{"rendered":"

Threat actors are known for impersonating popular brands in order to trick users. In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager which was extremely deceiving. We previously reported<\/a> on how brand impersonations are a common occurrence these days due to a feature known as tracking templates, but this attack used an additional layer of deception.<\/p>\n

The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site. The difference between the two sites is visually so subtle it will undoubtably fool many people.<\/p>\n

We have reported this incident to Google but would like to warn users that the ad is still currently running.<\/p>\n

Malicious ad for KeePass<\/h2>\n

The malicious advert shows up when you perform a Google search for ‘keepass’, the popular open-source password manager. The ad is extremely deceiving as it features the official Keepass logo, URL and is featured before the organic search result for the legitimate website.<\/p>\n

By simply looking at the ad, you would have no idea that it is malicious. <\/p>\n

\"\"<\/p>\n

Figure 1: Malicious ad for KeePass followed by legitimate organic search result<\/em><\/p>\n

People who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots and anyone not deemed to be a genuine victim. The threat actors have set up a temporary domain at keepasstacking[.]site that performs the conditional redirect to the final destion:<\/p>\n

\"\"<\/p>\n

Figure 2: Network traffic showing the sequence of redirects upon clicking the ad<\/em><\/p>\n

\u0137eepass.info<\/h2>\n

Looking at the network traffic log above, we can see that the destination site uses Punycode, a special encoding to convert Unicode characters to ASCII. The deception is complete for users who may want to verify that they are on the right website.<\/p>\n

\"\"<\/p>\n

Figure 3: The fake KeePass site with a barely noticeable different font<\/em><\/p>\n

While it is barely noticeable, there is a small character under the ‘k’. We can confirm it by converting<\/a> the internationalized domain name xn--eepass-vbb[.]info<\/em> to \u0137eepass[.]info<\/em>:<\/p>\n

\"\"<\/p>\n

Figure 4: Converting Punycode to ASCII<\/em><\/p>\n

Decoy site links to malicious download<\/h2>\n

While the decoy site is not an exact replica of the real one, it still looks very convincing:<\/p>\n

\"\"<\/p>\n

Figure 5: Comparing the legitimate site (left) with the fake one (right)<\/em><\/p>\n

Victims wanting to download KeePass will retrieve a malicious .msix installer that is digitally signed:<\/p>\n

\"\"<\/p>\n

Figure 6: The malicious MSIX installer showing a valid digital signature<\/em><\/p>\n

Extracting the installer’s content reveals malicious PowerShell code that belongs to the FakeBat malware family:<\/p>\n

\"\"<\/p>\n

Figure 7: The contents of the MSIX installer<\/em><\/p>\n

This script communicates with the malware’s command and control server to advertise the new victim before downloading a payload that sets the stage for future recon by human threat actors.<\/p>\n

\"\"<\/p>\n

Figure 8: Process view showing execution of the MSIX installer<\/em><\/p>\n

A more sophisticated threat<\/h2>\n

While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising. Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain.<\/p>\n

As we have noted recently<\/a>, malvertising via search engines is getting more sophisticated. For end users this means that it has become very important to pay close attention where you download programs from and where you should avoid them. In a business environment, we recommend IT admins provide internal repositories where employees can retrieve software installers safely.<\/p>\n

Indicators of Compromise<\/h2>\n

Ad domain\/redirect<\/p>\n

keepasstacking[.]site<\/pre>\n
Fake KeePass site<\/p>\n
xn--eepass-vbb[.]info<\/pre>\n
Malicious KeePass download URL<\/p>\n
xn--eepass-vbb[.]info\/download\/KeePass-2.55-Setup.msix<\/pre>\n
Malicious KeePass installer<\/p>\n
181626fdcff9e8c63bb6e4c601cf7c71e47ae5836632db49f1df827519b01aaa<\/pre>\n
Malware C2<\/p>\n
756-ads-info[.]xyz<\/pre>\n
Payload<\/p>\n
refreshmet[.]com\/Package.tar.gpg<\/pre>\n
\n
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.<\/p>\n
TRY NOW<\/a><\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\n\n
\n
Categories: Threat Intelligence<\/a><\/p>\n
Tags: malvertising<\/p>\n
Tags: keepass<\/p>\n
Tags: punycode<\/p>\n
Tags: malware<\/p>\n
Tags: ads<\/p>\n
Tags: google<\/p>\n
Threat actors are doubling down on brand impersonation by using lookalike domain names.<\/p>\n\n\n
\n
(Read more…<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n
The post Clever malvertising attack uses Punycode to look like KeePass’s official website<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11533,1670,19011,10531,3764,16824,12040],"class_list":["post-23174","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ads","tag-google","tag-keepass","tag-malvertising","tag-malware","tag-punycode","tag-threat-intelligence"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23174"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23174\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23174"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}