A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware.
Google has been battling with ongoing malvertising campaigns that allow threat actors to take out sponsored ads that appear above search results.
Even worse, Google Ads can be abused to display the legitimate KeePass domain in the advertisement itself (https://www.keepass.info), making the threat hard to spot even for diligent, security-conscious users.
Those who click on the malicious link will pass through a series of system-profiling redirections that filter out bot traffic and sandboxes to arrive at the fake KeePass website using a Punycode URL, https://xn--eepass-vbb[.]info/, as shown below.
Malwarebytes, which discovered this campaign, notes that the abuse of Punycode for cybercrime isn't novel. However, its combination with Google Ads abuse can signify a new dangerous trend in the field.
Punycode trick
Punycode is an encoding method used to represent Unicode characters, helping convert hostnames in non-Latin scripts (Cyrillic, Arabic, Greek, Chinese, etc.) to ASCII to make them understandable to the DNS (Domain Name System).
For example, "München" would be converted to "Mnchen-3ya," "α" would become "mxa," "правда" would be "80aafi6cg," and "도메인" would become "hq1bm8jm9l."
Threat actors abuse Punycode to register domain names that look like a legitimate site's name but with one character swapped for a Unicode look-alike, so the result differs only slightly from the real domain.
These types of attacks are called "homograph attacks." In the one spotted by Malwarebytes, the threat actors use the Punycode domain "xn--eepass-vbb.info," which decodes to "ķeepass.info": the project's genuine domain name, except for a small mark beneath the character "ķ."
This tiny visual glitch is unlikely to be perceived by most users visiting the decoy site but is a giveaway of the technique used in this case.
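As an added illustration (not code from the article or from Malwarebytes), the following Python check decodes Punycode labels and flags hostnames that collapse onto a watched domain once diacritics are stripped, which is how "xn--eepass-vbb.info" gives itself away; the watchlist and the one-character "lookalike" heuristic are assumptions of this example, not part of the reported campaign:

```python
import unicodedata

# Defender's watchlist of brand domains to guard (assumed for this example).
PROTECTED = {"keepass.info"}


def decode_hostname(host: str) -> str:
    """Convert an ASCII hostname (A-labels) to its Unicode form (U-labels).
    Labels starting with "xn--" carry Punycode; others pass through unchanged."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                labels.append(label[4:].encode("ascii").decode("punycode"))
            except UnicodeError:
                labels.append(label)  # malformed Punycode: keep the raw label
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Strip diacritics so a homograph collapses onto its ASCII look-alike.
    NFKD splits base letters from combining marks (e.g. ķ -> k + U+0327)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; hostnames are short, so a plain O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return "exact", "homograph", "lookalike" or "unrelated" for a hostname."""
    unicode_host = decode_hostname(host)
    if unicode_host in PROTECTED:
        return "exact"
    skel = skeleton(unicode_host)
    if skel in PROTECTED:
        return "homograph"  # differs from the real domain only by diacritics
    if any(levenshtein(skel, good) <= 1 for good in PROTECTED):
        return "lookalike"  # one-character typosquat, e.g. a swapped letter
    return "unrelated"
```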
Those clicking on any download link embedded on the fake site receive a digitally signed MSIX installer called 'KeePass-2.55-Setup.msix' that includes a PowerShell script associated with the FakeBat malware loader.
While Google has removed the original Punycode advertisement seen by Malwarebytes, additional KeePass ads belonging to the same malware campaign are still running.
This advertisement, though, leads to a domain called keeqass[.]info, as shown in the image below.
Like the Punycode domain, this site pushes the same MSIX file that includes the same FakeBat PowerShell script to download and install malware on the Windows device.
In BleepingComputer's tests, when executed, the FakeBat PowerShell script will download a GPG-encrypted RAR archive, decrypt it, and extract it to the %AppData% folder.
In the file analyzed by BleepingComputer, the script will launch a file named 'mergecap.exe' from the archive.
An Intel471 report from early 2023 explained that FakeBat is a malware loader/dropper associated with malvertising campaigns since at least November 2022.
The final malware payload delivered in the campaign seen by Malwarebytes has not been determined, but a Sophos report from July 2023 links FakeBat with infostealers such as Redline, Ursnif, and Rhadamanthys.
Other popular software has also been found impersonated in this malware campaign, including WinSCP and PyCharm Professional.