Deceptive Google Ads Campaign Exploits Punycode to Promote Malware via Fake KeePass Site

A deceptive Google Ads campaign has been identified, promoting a fraudulent KeePass download site through the use of Punycode to mimic the official domain of the KeePass password manager, ultimately distributing malware.

Google has been grappling with persistent malvertising campaigns, enabling malicious actors to place sponsored ads that display above search results. Furthermore, Google Ads can be manipulated to display the authentic domain, making it challenging for even vigilant and security-aware users to discern the threat.

Users who click on the malicious link will be directed through a series of system-profiling redirections designed to filter out bot traffic and sandboxes, ultimately leading to the counterfeit KeePass website with a Punycode URL.

Punycode is an encoding method utilized to represent Unicode characters, facilitating the conversion of hostnames in non-Latin scripts (such as Cyrillic, Arabic, Greek, Chinese, etc.) into ASCII format, making them interpretable by the Domain Name System (DNS).

For instance, “München” would be transformed into “Mnchen-3ya,” “α” would become “mxa,” “правда” would be represented as “80aafi6cg,” and “도메인” would translate to “hq1bm8jm9l.”

Malicious actors exploit Punycode to register domain names that closely resemble legitimate sites, with a single character rendered in Unicode, creating a subtle distinction.

These are commonly referred to as “homograph attacks.” In the case identified by Malwarebytes, the threat actors employed the Punycode “xn—eepass-vbb.info,” which converts to “ķeepass.info,” mimicking the legitimate domain of the project but with a minor diacritical mark beneath the character “ķ.”

While this slight visual anomaly may go unnoticed by most users visiting the imitation site, it exposes the technique employed in this instance. Users who click on any download links embedded on the counterfeit site receive a digitally-signed MSI installer named ‘KeePass-2.55-Setup.msix,’ which includes a PowerShell script associated with the FakeBat malware loader.

To protect against such deceptive campaigns and malware attacks, individuals and organizations should consider the following precautionary measures:

  1. Exercise Caution: Be wary of clicking on ads and download links, especially if they appear in sponsored search results.
  2. Verify URLs: Double-check website URLs for slight irregularities or homograph attacks, such as the use of Punycode, before interacting with them.
  3. Maintain Updated Security Software: Ensure your antivirus and anti-malware tools are up-to-date to detect and block potential threats.
  4. Educate and Train: Educate users and employees about the risks of malvertising, phishing, and deceptive websites, and provide training to recognize these threats.
  5. Regular Backups: Regularly back up critical data to mitigate the impact of potential malware infections or data loss.