Malware distribution via advertising of a domain indistinguishable from the KeePass project's

Researchers from Malwarebytes Labs have identified the promotion, through the Google advertising network, of a fake site for the KeePass password manager that distributes malware. A notable feature of the attack was the attackers' use of the domain "ķeepass.info", whose spelling is at first glance indistinguishable from the legitimate site "keepass.info". When searching for "keepass" on Google, the ad for the fake site was shown in the first position, above the link to the legitimate site.


To deceive users, a well-known phishing technique was used, based on registering internationalized domain names (IDN) containing homoglyphs: characters that look like Latin letters but have a different meaning and their own code points. Specifically, the domain "ķeepass.info" is written as "xn--eepass-vbb.info" in punycode notation, and only by looking closely at the name displayed in the address bar can one notice the small mark under the letter "ķ", which many users take for a speck on the screen. The illusion of authenticity was reinforced by the fact that the fake site was served over HTTPS with a valid TLS certificate.


To prevent abuse, registrars do not allow the registration of IDN domains that mix characters from different alphabets. For example, a dummy apple.com domain ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "а" (U+0430). Mixing Latin and other Unicode characters in a Latin name is likewise prohibited, but this restriction has an exception, which is exactly what the attackers exploit: mixing in Unicode characters that belong to the Latin group and are part of the same alphabet is allowed within a domain. For example, the character "ķ" used in the attack under discussion is part of the Latvian alphabet and is permitted in domains of the Latvian language zone.
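The two mechanisms described above (diacritic-bearing Latin letters such as "ķ", and cross-script substitutions such as Cyrillic "а") can both be caught on the defender's side by decoding punycode labels and comparing a normalized "skeleton" of the hostname against a watchlist of protected brands. The following is an added example, not code from the article or from KeePass; the watchlist and the small confusables table are constructed for illustration (a production check would use the full Unicode confusables data).

```python
import unicodedata

# Constructed watchlist of legitimate domains to protect (assumption for this example).
WATCHLIST = {"keepass.info", "apple.com"}

# Hand-built partial table of common Cyrillic lookalikes for Latin letters (assumption:
# illustration only; a real deployment would load the Unicode confusables.txt data).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def decode_idn(host: str) -> str:
    """Convert an ASCII-compatible hostname to its Unicode form, label by label."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # "xn--eepass-vbb" -> "ķeepass"
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_of(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host: str) -> str:
    """Strip diacritics (ķ -> k) and map known confusables so lookalikes collapse to ASCII."""
    out = []
    for ch in unicodedata.normalize("NFKD", host):
        if unicodedata.combining(ch):  # drop combining marks such as the cedilla
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def classify(host: str) -> str:
    """Label a hostname seen in proxy logs or ad URLs: legit, lookalike, mixed-script or other."""
    unicode_host = decode_idn(host)
    if unicode_host in WATCHLIST:
        return "legit"
    if skeleton(unicode_host) in WATCHLIST:
        return "lookalike"
    if any(len(scripts_of(label)) > 1 for label in unicode_host.split(".")):
        return "mixed-script"
    return "other"


if __name__ == "__main__":
    for h in ["keepass.info", "xn--eepass-vbb.info", "xn--pple-43d.com"]:
        print(h, "->", decode_idn(h), classify(h))
```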

To bypass the filters of the Google advertising network and the crawler bots that can detect malware, an intermediate site, keepassstacking.site, was specified as the main link in the ad; it redirected only those users who met certain criteria to the dummy domain "ķeepass.info".

The design of the dummy site was adapted to resemble the legitimate KeePass site, but with a much more aggressive push to download (the recognizability and look of the legitimate site were preserved). The download page for the Windows platform offered an msix installer containing malicious code, shipped with a valid digital signature. If the downloaded file was launched on the user's machine, the FakeBat script was additionally launched, downloading malicious components from an external server to compromise the user's system (for example, to steal credentials, join the machine to a botnet, or swap crypto-wallet addresses in the clipboard).

Source: opennet.ru
