Beware - this fake KeePass download site is just spreading malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Hackers are getting creative with malicious Google Ads campaigns, with a new scam spotted by cybersecurity researchers Malwarebytes meaning even more eagle-eyed visitors could fall prey and end up accidentally installing malware.

Hackers were spotted distributing malware by impersonating the KeePass password manager, initially by creating a website that looks almost identical to the genuine KeePass offering, and offer a program for download that looks and feels like the genuine article. 

However, in this case, the program would also come with the PowerShell script associated with the FakeBat malware loader, essentially compromising the endpoint.


But that’s just half the work. The other half means getting people to visit the site. To do that - the crooks create malicious Google Ads. Usually, they would compromise an active Google Ads account (or buy one on the black market) and use it to set up a new campaign. When setting up this campaign, they would use Punycode to hide the malicious website’s URL and make it look genuine.

Punycode is an encoding standard built for internationalized domain names. In other words, it allows people to show words in ASCII that cannot be written in ASCII, bringing in non-Latin scripts (Cyrillic, or Chinese) into the Domain Name System (DNS).

With Punycode, the website’s true URL - "xn—" would be displayed as "ķ". You might have not spotted it, but there’s a little dot below the letter k. And that’s how the threat actors get people to visit a fake site, thinking it’s real.

Malwarebytes notified Google of the trick and the search engine giant removed the malicious campaign. However, there are other similar campaigns out there that are still active, and probably plenty more of which cybersecurity researchers aren’t aware. It’s very important for users to be very careful when accessing sites through the search engine and always double-check the address in the URL bar.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.