Malware distributed through advertising for a domain indistinguishable from the KeePass project's domain.

Researchers at Malwarebytes Labs have uncovered a campaign, run through the Google advertising network, that promotes a fake website for the free password manager KeePass and uses it to distribute malware. The distinctive feature of the attack was the attackers' use of the domain "ķeepass.info", which at first glance is indistinguishable in spelling from the project's official domain "keepass.info". When searching Google for the keyword "keepass", the ad for the fake site was placed in the first position, ahead of the link to the official site.

To deceive users, a long-known phishing technique was used, based on registering internationalized domain names (IDN) containing homoglyphs: characters that look like Latin letters but have a different meaning and their own Unicode code point. Specifically, the domain "ķeepass.info" was actually registered as "xn--eepass-vbb.info" in punycode notation, and only on close inspection of the name shown in the address bar can one see the dot under the letter "ķ", which most users take for a speck of dirt on the screen. The credibility of the opened site was further reinforced by the fact that the fake site was served over HTTPS with a valid TLS certificate obtained for the internationalized domain.

To block abuse, registrars do not allow the registration of IDN domains that mix characters from different alphabets. For example, a dummy domain apple.com ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "a" (U+0430). Mixing plain Latin letters with Unicode characters in a domain name is also blocked, but there is an exception to this prohibition, and it is the one the attackers exploit: Latin letters may be combined with Unicode characters from the group of Latin letters that belong to the same alphabet. For example, the letter "ķ" used in the attack under discussion is part of the Latvian alphabet and is permitted in domains in the Latvian language.
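The two preceding paragraphs describe how the punycode form hides the lookalike and why the Latvian "ķ" slips past the mixed-script rule. The following added example, not code from the original article or from the KeePass or Malwarebytes projects, shows how a defender can decode an A-label hostname with Python's standard library, strip diacritics to obtain a "skeleton" that collapses "ķeepass.info" onto "keepass.info", and separately flag mixed-script names such as the Cyrillic "apple.com" variant. The protected-domain list and the sample hostnames are constructed for the example; the two A-labels are the ones quoted in the text.

```python
import unicodedata

# Constructed: brand domains a defender wants to protect against lookalikes.
PROTECTED_DOMAINS = {"keepass.info", "apple.com"}


def to_unicode(host):
    """Return the U-label form of a hostname. A-labels (xn--...) are decoded
    with the stdlib idna codec; hostnames already in Unicode are returned as-is."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def skeleton(host):
    """Strip diacritics: NFKD decomposition, then drop combining marks.
    'ķ' (U+0137) decomposes to 'k' + U+0327, so 'ķeepass' becomes 'keepass'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def scripts_used(host):
    """Script family of every letter, taken from the first word of its Unicode
    name (LATIN, CYRILLIC, GREEK, ...). Digits, dots and hyphens are ignored."""
    return {unicodedata.name(c).split()[0] for c in host if c.isalpha()}


def analyze_host(host):
    """Flag a hostname as suspicious if it mixes scripts or, once diacritics are
    stripped, collapses onto a protected brand domain it is not identical to."""
    uni = to_unicode(host).lower()
    skel = skeleton(uni)
    used = scripts_used(uni)
    lookalike_of = skel if skel in PROTECTED_DOMAINS and skel != uni else None
    return {
        "input": host,
        "unicode": uni,
        "skeleton": skel,
        "scripts": used,
        "mixed_script": len(used) > 1,
        "lookalike_of": lookalike_of,
        "suspicious": len(used) > 1 or lookalike_of is not None,
    }


if __name__ == "__main__":
    # Constructed sample: the two domains named in the article plus the genuine one.
    for h in ("xn--eepass-vbb.info", "xn--pple-43d.com", "keepass.info"):
        r = analyze_host(h)
        print(f"{h:22} -> {r['unicode']:14} scripts={sorted(r['scripts'])} "
              f"lookalike_of={r['lookalike_of']} suspicious={r['suspicious']}")
```

The diacritic-stripping skeleton catches the Latvian-letter trick that registrar policy permits, while the script check catches the Cyrillic substitution that policy already forbids but that may still appear in logs or proxy data. Both are a small subset of what the Unicode confusables table (UTS #39) covers; for production filtering of ad clicks or proxy logs, use a full confusables library rather than this NFKD shortcut.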

To get past the Google advertising network's filters and weed out bots that could detect the malware, an intermediate site, keepassstacking.site, was specified as the main link in the ad block; it redirected only users matching certain criteria to the dummy domain "ķeepass.info".

The design of the dummy site was styled to look like the official KeePass website, but was altered to push the program download more aggressively (the layout and structure of the website were otherwise preserved). The download page for the Windows platform offered an msix installer containing malicious code and carrying a valid digital signature. When the downloaded file was run on the user's system, a FakeBat script was additionally launched, which fetched malicious components from an external server to attack the user's system (for example, to intercept confidential data, enlist the machine in a botnet, or swap crypto wallet addresses in the clipboard).

Source: opennet.ru
