Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label KeePass. Show all posts

Fraudulent KeePass Site Uses Google Ads and Punycode to Transfer Malware


A Google Ads campaign was discovered promoting a phoney KeePass download site that transferred malware by posing as the real KeePass domain using Punycode. 

Google has confirmed to be suffering from an ongoing malvertising campaign which has enabled hackers to take out sponsored ads that appear above search results. In the campaign, Google Ads can also be exploited to display the official KeePass domain in the advertisements (https://www.keepass.info), making it difficult for even the most vigilant and security-conscious consumers to identify the problem. 

Online victims who end up clicking on the malicious links navigate through a series of system-profiling redirections that block bot traffic and sandboxes, as illustrated below. 

Malwarebytes, which identified this campaign points out that using Punycode for cybercrime is nothing new. However, when combined with Google Ads misuse, it may indicate a new, risky pattern in the industry. 

Punycode Trick 

 Punycode is an encoding tactic to represent Unicode characters, that helps translate hostnames in any non-Latin script to ASCII so that the DNS (Domain Name System) can interpret them.

For instance, "München" will be converted to "Mnchen-3ya," "α" becomes "mxa," "правда" will be "80aafi6cg," and "도메인" will become "hq1bm8jm9l."

Actors who threaten to abuse Punycode uses Unicode to add one character to domain names that are identical to those of legitimate websites in order to make them appear slightly different.

These types of attacks are labelled as “homograph attacks.” Malwarebytes discovered that the threat actors were using the Punycode "xn—eepass-vbb.info" to transform to "eepass.info," the project's actual domain, but with a little intonation beneath the character "."

Although it is unlikely that most users who visit the decoy site will notice this little visual flaw, it serves as a clear indication of the approach taken in this situation.

The digitally-signed MSI installation 'KeePass-2.55-Setup.msix' that is downloaded by those who click on any download links featured on the false website includes a PowerShell script related to the FakeBat malware loader.

While Google has taken down the original Punycode advertisement, several other ongoing KeePass ads have also been found in the same malware campaign.

This advertisement leads to a domain named ‘keeqass[.]info,’ which executes the same MSIX file that contains the identical FakeBat PowerShell script to download and install malware on the Windows device, just like the Punycode domain.

Apparently, when executed, the FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it, and extracts it to the %AppData% folder.

Moreover, in the file analyzed by BleepingComputer, the script launches a file called 'mergecap.exe' from the archive.

According to an Intel471 report from early 2023, FakeBat is a malware loader/dropper connected to malvertising activities from at least November 2022.

While Malwarebytes was unable to identify the final malware payload delivered in the campaign, a Sophos report from July 2023 links FakeBat with infostealers like Redline, Ursniff, and Rhadamathys.  

KeePass Vulnerability: Hackers May Have Stolen the Master Passwords


One would expect an ideal password manager to at least keep their users’ passwords safe and secure. On the contrary, a new major vulnerability turned out to be putting the KeePass password manager users at serious risk of their passwords being breached.

Apparently, the vulnerability enables an attacker to extract the master password from the target computer's memory and take it away in plain text, or in other words, in an unencrypted form. Although it is a fairly easy hack, there are expected to be some unsettling repercussions.

Password managers, like in this case KeePass, lock up a user’s login info encrypted and secure behind a master password in order to keep it safe. The vault is a valuable target for hackers since the user is required to input the master password to access everything within.

How is KeePass Vulnerability a Problem? 

Security researcher 'vdohney,' according to a report by Bleeping Computer, found the KeePass vulnerability and posted a proof-of-concept (PoC) program on GitHub.

With the exception of the initial one or two characters, this tool can almost entirely extract the master password in readable, unencrypted form. Even if KeePass is locked and, possibly, if the app is completely closed, it is still capable of doing this.

All this is because the vulnerability extracts the master password from KeePass’s memory. This can be acquired, as the researcher says, in a number of ways: “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system.”

The exploit is only possible due to some custom code KeePass uses. Your master password is entered in a unique box named SecureTextBoxEx. Despite its name, it turns out that this box is actually not all that secure since each character that is entered essentially creates a duplicate of itself in the system memory. The PoC tool locates and extracts these remaining characters.

‘A Fix is Incoming’ 

Having physical access to the computer from which the master password is to be taken is the only drawback to this security breach. However, that is not always a problem; as the LastPass vulnerability case demonstrated, hackers can access a target's computer by utilizing weak remote access software installed on the device.

In case a device was infected by a malware, it may as well be set up to dump KeePass's memory and send it and the app's database back to the hacker's server, giving the threat actor time to get the master password.

Fortunately, the developer of KeePass promises that a fix is incoming; one of the potential fixes is to add random dummy text that would obscure the password into the app's memory. It may be agonizing to wait until June or July 2023 for the update to be made available for anyone concerned about their master password being compromised. The fix, however, is also available in beta form and may be downloaded from the KeePass website.