KeePass exploited in new malvertising campaign

KeePass users are being targeted by a new malvertising campaign that leverages Google Ads to promote a fraudulent site for the open-source password manager, according to SiliconAngle. After using the Punycode character encoding system to register a fake domain that concealed an additional character in the keepass[.]info domain to closely resemble the legitimate site, threat actors were able to promote the fraudulent site at the top of Google's search results, a report from Malwarebytes Labs showed. Clicking through to the fake site led to the deployment of a digitally signed .msix installer, which includes PowerShell code for distributing the FakeBat malware family, researchers noted. "While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising. Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain," said researchers.
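
One way a defender might flag this kind of lookalike in proxy or DNS logs, as an added example that is not from the article or from Malwarebytes: decode any Punycode labels, then fold accented letters to ASCII before comparing against the protected domain. The lookalike hostname below is constructed for illustration and is not the domain used in the campaign; `PROTECTED`, `classify` and the other names are hypothetical.

```python
import unicodedata

# Legitimate domain named in the article; extend with your own brands.
PROTECTED = {"keepass.info"}

def decode_host(host):
    """Return the Unicode form of a hostname, decoding xn-- (Punycode) labels."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw text
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold accented letters to their base letter (NFKD, drop combining marks)."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(host):
    """Label a hostname seen in logs: legitimate, lookalike, idn-review, unrelated."""
    uni = decode_host(host)
    if uni in PROTECTED:
        return "legitimate"
    if skeleton(uni) in PROTECTED:
        return "lookalike"      # differs from a protected name only by diacritics
    if not uni.isascii():
        return "idn-review"     # other non-ASCII host, e.g. cross-script homoglyphs
    return "unrelated"

# Constructed sample, NOT the campaign's domain: "s" replaced by U+015B.
SAMPLE = "xn--" + "keepa\u015bs".encode("punycode").decode("ascii") + ".info"

if __name__ == "__main__":
    for h in ("keepass.info", SAMPLE, "\u043aeepass.info", "example.org"):
        print(f"{h!r:30} {decode_host(h)!r:20} {classify(h)}")
```

Diacritic folding only catches lookalikes built from accented Latin letters; hosts that mix in characters from other scripts fall into the `idn-review` bucket for manual inspection.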
