KeePass users are being targeted by a new malvertising campaign that uses Google Ads to promote a fraudulent site for the open-source password manager, according to SiliconAngle.
Threat actors used the Punycode character encoding system to register a fake domain that concealed an additional character in the keepass[.]info domain so that it closely resembled the legitimate site, then promoted the fraudulent site at the top of Google's search results, a report from Malwarebytes Labs showed. Clicking through to the fake site led to the deployment of a digitally signed .msix installer, which includes PowerShell code for distributing the FakeBat malware family, researchers noted.
"While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising. Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain," said researchers.
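For defenders, one way to flag this kind of Punycode lookalike in proxy or DNS logs is sketched below. It is an added example, not code from Malwarebytes or KeePass; the function names and the sample hostname are constructed for illustration, and the check only covers lookalikes built from accented or marked Latin letters, not cross-script homoglyphs.

```python
import unicodedata

PROTECTED = {"keepass.info"}  # brand domain named in the article

def to_unicode(host):
    """Decode xn-- (Punycode) labels so the host can be inspected as Unicode."""
    labels = []
    for label in host.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw form
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold marked letters to their base letter (NFKD, then drop combining marks)."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    kept = (c for c in decomposed if not unicodedata.combining(c))
    return "".join(kept).casefold()

def impersonated_brand(host):
    """Return the protected domain a host imitates, or None if it does not."""
    if to_unicode(host) in PROTECTED:
        return None  # the legitimate domain itself
    skel = skeleton(host)
    return skel if skel in PROTECTED else None

def constructed_lookalike():
    """Constructed sample: 'k' with a dot below, encoded as a Punycode label."""
    label = "\u1e33eepass".encode("punycode").decode("ascii")
    return "xn--" + label + ".info"

if __name__ == "__main__":
    for h in ["keepass.info", constructed_lookalike(), "example.org"]:
        print(h, "->", impersonated_brand(h))
```

Run against hostnames extracted from ad-click or DNS telemetry, a non-None result identifies which protected domain the host is imitating.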