Clever malvertising attack uses Punycode to look like KeePass’s official website

Threat actors leveraged malvertising and a Punycode-based domain to impersonate KeePass, directing users to a lookalike site. The campaign delivers a malicious MSIX installer carrying a valid digital signature, which runs PowerShell code linked to the FakeBat family, reports the new victim to a C2 server, and downloads a payload that sets the stage for later recon by human operators. Hashtags: #KeePass #FakeBat

Keypoints

  • Malvertising campaign targeting KeePass users via a deceptive Google ad.
  • Use of a copycat internationalized domain name with Punycode to masquerade as KeePass.
  • Ad cloaking to filter sandboxes, bots, and non-genuine victims.
  • Temporary domain keepasstacking.site redirects to the final malicious destination.
  • Decoy site links to a malicious MSIX installer for KeePass, with a valid digital signature.
  • Installer contains PowerShell code belonging to FakeBat and contacts a C2 server for victim recruitment and payload delivery.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising and a deceptive Google ad lure users to a malicious site. Quote: “The malicious advert shows up when you perform a Google search for ‘keepass’, the popular open-source password manager.”
  • [T1036] Masquerading – Copycat internationalized domain using Punycode to masquerade as KeePass. Quote: “The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site.”
  • [T1059.001] PowerShell – Malicious PowerShell code embedded in the installer used by the threat actors. Quote: “malicious PowerShell code that belongs to the FakeBat malware family.”
  • [T1105] Ingress Tool Transfer – The decoy leads to a download of a malicious KeePass installer, followed by payload delivery. Quote: “Victims wanting to download KeePass will retrieve a malicious .msix installer that is digitally signed.”
  • [T1071.001] Web Protocols – The malware communicates with a command and control server to recruit victims and fetch payloads. Quote: “This script communicates with the malware’s command and control server to advertise the new victim before downloading a payload that sets the stage for future recon by human threat actors.”

Indicators of Compromise

  • [Domain] Ad domain/redirect – keepasstacking.site, xn--eepass-vbb.info
  • [Domain] Malicious KeePass site – xn--eepass-vbb.info (also used for the download path)
  • [URL] Malicious KeePass download – https://xn--eepass-vbb.info/download/KeePass-2.55-Setup.msix
  • [Domain] C2 / payload receiver – 756-ads-info.xyz
  • [URL] Malicious payload host – https://refreshmet.com/Package.tar.gpg
  • [Hash] Malicious installer hash – 181626fdcff9e8c63bb6e4c601cf7c71e47ae5836632db49f1df827519b01aaa
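The Punycode technique in the keypoints above works because an A-label such as xn--eepass-vbb decodes to a Unicode name whose first letter is a confusable (ķ, U+0137) rather than a plain k, so a visual match is not a string match. The following detector is an added example written for this summary, not code from the Malwarebytes post or from KeePass: it decodes xn-- labels, folds diacritics away with NFKD to get a comparison skeleton, and classifies the two domains from the IoC list as a homograph and a typosquat respectively. The watchlist, the allowlist entry keepass.info (KeePass's official domain) and the neutral example.com are assumptions for the demo.

```python
import unicodedata

# Brand names to watch for; "keepass" is the brand impersonated in this campaign.
WATCHED_BRANDS = ("keepass",)
# Known-good domains for those brands (keepass.info is KeePass's official site).
# Compared against the raw ASCII domain, never the folded skeleton, so that a
# homograph with the same skeleton cannot slip through as "allowlisted".
ALLOWLIST = {"keepass.info"}


def decode_idn_label(label: str) -> str:
    """Turn an A-label such as 'xn--eepass-vbb' back into its Unicode form."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            # Malformed Punycode: keep the raw label so it still gets inspected.
            return label
    return label


def skeleton(text: str) -> str:
    """Strip diacritics so confusable letters collapse to their ASCII base.

    NFKD splits 'ķ' (U+0137) into 'k' + combining cedilla (U+0327); dropping
    the combining marks leaves a plain 'k'.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def analyze_domain(domain: str) -> dict:
    """Classify a domain as allowlisted, homograph, typosquat or unremarkable."""
    raw = domain.rstrip(".").lower()
    labels = raw.split(".")
    unicode_name = ".".join(decode_idn_label(l) for l in labels)
    uses_idn = any(l.startswith("xn--") for l in labels)
    skel = skeleton(unicode_name)
    brand_hits = [b for b in WATCHED_BRANDS if b in skel]
    # Homograph: the brand only appears once confusables are folded away,
    # i.e. the decoded Unicode name does NOT contain it but the skeleton does.
    homograph = (
        uses_idn
        and bool(brand_hits)
        and not any(b in unicode_name.lower() for b in WATCHED_BRANDS)
    )
    if raw in ALLOWLIST:
        verdict = "allowlisted"
    elif homograph:
        verdict = "homograph"
    elif brand_hits:
        verdict = "typosquat"
    else:
        verdict = "unremarkable"
    return {
        "domain": raw,
        "unicode_name": unicode_name,
        "skeleton": skel,
        "uses_idn": uses_idn,
        "brand_hits": brand_hits,
        "verdict": verdict,
    }


def triage(domains):
    """Return (domain, verdict) pairs for a batch, e.g. from DNS or proxy logs."""
    return [(d, analyze_domain(d)["verdict"]) for d in domains]


if __name__ == "__main__":
    # Constructed sample: the two IoC domains from the summary plus two controls.
    sample = ["xn--eepass-vbb.info", "keepasstacking.site", "keepass.info", "example.com"]
    for domain, verdict in triage(sample):
        info = analyze_domain(domain)
        print(f"{domain:24} -> {info['unicode_name']:16} skeleton={info['skeleton']:24} {verdict}")
```

In a detection pipeline the skeleton comparison is the useful part: matching on the literal string "keepass" misses the IDN variant entirely, while matching on the skeleton catches both the homograph and the plain typosquat, and the separate allowlist check on the raw ASCII domain keeps the official site from being flagged.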

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/10/clever-malvertising-attack-uses-punycode-to-look-like-legitimate-website