Distribution of malware through advertising of a domain indistinguishable from the KeePass project domain

Researchers from Malwarebytes Labs have identified a fake website for the free password manager KeePass, distributing malware, being promoted through the Google advertising network. A peculiarity of the attack was the attackers' use of the domain "ķeepass.info", which at first glance is indistinguishable in spelling from the project's official domain "keepass.info". When searching Google for the keyword "keepass", the advertisement for the fake site was placed first, ahead of the link to the official site.


To deceive users, a long-known phishing technique was used, based on registering internationalized domain names (IDN) containing homoglyphs: characters that look similar to Latin letters but have a different meaning and their own Unicode code points. In particular, the domain "ķeepass.info" is actually registered as "xn--eepass-vbb.info" in Punycode notation, and only a close look at the name shown in the address bar reveals a dot under the letter "ķ", which most users perceive as a speck on the screen. The illusion that the open site was genuine was reinforced by the fact that the fake site was served over HTTPS with a valid TLS certificate obtained for the internationalized domain.


To block such abuse, registrars do not allow the registration of IDN domains that mix characters from different scripts. For example, a look-alike domain apple.com ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "а" (U+0430). Mixing Latin letters with non-Latin Unicode characters in a domain name is likewise blocked, but there is an exception to this restriction, which is what the attackers exploited: Unicode characters that belong to the Latin script and to the same alphabet may be mixed in a domain. For example, the letter "ķ" used in this attack is part of the Latvian alphabet and is acceptable in Latvian-language domains.
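As an added illustration (not part of the original article, and not code from Malwarebytes or the KeePass project), the following Python script shows how a defender can screen domain names for this class of look-alike. It renders a Unicode domain in Punycode with the standard library codec, flags labels that mix scripts (the rule registrars already enforce, which catches the Cyrillic "а" in apple.com), and then reduces each label to an ASCII "skeleton" by stripping combining marks and folding a small, constructed subset of the Unicode confusables data; the skeleton comparison is what catches same-script homoglyphs such as "ķ" that the mixed-script rule lets through. The protected-domain list and sample inputs are constructed for the example.

```python
import unicodedata

# Constructed, deliberately tiny subset of Unicode's confusables.txt:
# look-alike letters from other scripts mapped to the ASCII letter they mimic.
CROSS_SCRIPT_CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}


def to_punycode(domain: str) -> str:
    """Render a Unicode domain the way it is actually registered (xn-- labels).

    Uses the stdlib 'punycode' codec per label; ASCII labels pass through.
    """
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Reduce a label to what a human perceives: fold known cross-script
    confusables, then NFKD-decompose and drop combining marks, so that
    'ķ' -> 'k' + U+0327 (combining cedilla) -> 'k'."""
    folded = "".join(CROSS_SCRIPT_CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def analyze(domain: str, protected: set) -> dict:
    """Classify a domain against a set of registrable domains worth protecting.

    'lookalike_of' is set when the skeleton of the registrable part equals a
    protected domain while the literal name does not, i.e. a homoglyph variant.
    """
    labels = domain.lower().split(".")
    registrable = ".".join(labels[-2:])
    skel = ".".join(skeleton(lbl) for lbl in labels[-2:])
    return {
        "punycode": to_punycode(domain),
        "non_ascii": not domain.isascii(),
        "mixed_script": any(len(scripts_in(lbl)) > 1 for lbl in labels),
        "lookalike_of": skel if (skel in protected and skel != registrable) else None,
    }


if __name__ == "__main__":
    # Constructed watch list and sample inputs for the demonstration.
    watch = {"keepass.info", "apple.com"}
    for candidate in ["keepass.info", "\u0137eepass.info", "\u0430pple.com"]:
        print(candidate, analyze(candidate, watch))
```

Running the block prints the genuine keepass.info as clean, "ķeepass.info" as non-ASCII and single-script but a look-alike of keepass.info (Punycode xn--eepass-vbb.info, as in the article), and the Cyrillic apple.com as both mixed-script and a look-alike (xn--pple-43d.com). A blocklist or proxy policy would act on `lookalike_of`, not on `mixed_script` alone.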

To bypass the filters of the Google advertising network and to screen out bots that might detect the malware, an intermediate site, keepassstacking.site, was specified as the main link in the advertising block; it redirects users who meet certain criteria to the look-alike domain "ķeepass.info".

The design of the look-alike site was styled after the official KeePass website, retaining its recognizable look and style, but altered to push program downloads more aggressively. The download page for the Windows platform offered an MSIX installer containing malicious code and carrying a valid digital signature. If the downloaded file was executed on the user's system, a FakeBat script was additionally launched, which downloaded malicious components from an external server to attack the user's system (for example, to steal confidential data, enlist the machine in a botnet, or replace cryptocurrency wallet addresses in the clipboard).

Source: opennet.ru
