Google has confirmed to be suffering from an ongoing malvertising campaign which has enabled hackers to take out sponsored ads that appear above search results. In the campaign, Google Ads can also be exploited to display the official KeePass domain in the advertisements (https://www.keepass.info), making it difficult for even the most vigilant and security-conscious consumers to identify the problem.
Online victims who end up clicking on the malicious links navigate through a series of system-profiling redirections that block bot traffic and sandboxes, as illustrated below.
Malwarebytes, which identified this campaign points out that using Punycode for cybercrime is nothing new. However, when combined with Google Ads misuse, it may indicate a new, risky pattern in the industry.
Punycode is an encoding tactic to represent Unicode characters, that helps translate hostnames in any non-Latin script to ASCII so that the DNS (Domain Name System) can interpret them.
For instance, "München" will be converted to "Mnchen-3ya," "α" becomes "mxa," "правда" will be "80aafi6cg," and "도메인" will become "hq1bm8jm9l."
Actors who threaten to abuse Punycode uses Unicode to add one character to domain names that are identical to those of legitimate websites in order to make them appear slightly different.
These types of attacks are labelled as “homograph attacks.” Malwarebytes discovered that the threat actors were using the Punycode "xn—eepass-vbb.info" to transform to "eepass.info," the project's actual domain, but with a little intonation beneath the character "."
Although it is unlikely that most users who visit the decoy site will notice this little visual flaw, it serves as a clear indication of the approach taken in this situation.
The digitally-signed MSI installation 'KeePass-2.55-Setup.msix' that is downloaded by those who click on any download links featured on the false website includes a PowerShell script related to the FakeBat malware loader.
While Google has taken down the original Punycode advertisement, several other ongoing KeePass ads have also been found in the same malware campaign.
This advertisement leads to a domain named ‘keeqass[.]info,’ which executes the same MSIX file that contains the identical FakeBat PowerShell script to download and install malware on the Windows device, just like the Punycode domain.
Apparently, when executed, the FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it, and extracts it to the %AppData% folder.
Moreover, in the file analyzed by BleepingComputer, the script launches a file called 'mergecap.exe' from the archive.
According to an Intel471 report from early 2023, FakeBat is a malware loader/dropper connected to malvertising activities from at least November 2022.
While Malwarebytes was unable to identify the final malware payload delivered in the campaign, a Sophos report from July 2023 links FakeBat with infostealers like Redline, Ursniff, and Rhadamathys.