Google ads for KeePass, Notepad++ lead to malware

Users using Google to search for and download the KeePass password manager and the Notepad++ text editor may have inadvertently gotten saddled with malware, says Jérôme Segura, Director of Threat Intelligence at Malwarebytes.

Malvertising via search engine ads is a constant, evolving threat that seemingly never goes away and, according to Malwarebytes, it’s ramping up again.

“Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims,” he says.

KeePass as a lure

Malware peddlers have a number of clever tricks up their sleeve to make the malicious ads and the sites they lead to look legitimate.

In a recent campaign spotted by Segura, they are using Punycode – a special character encoding that converts Unicode characters to ASCII – to impersonate KeePass’ official website, which can be found at keepass.info.

“The malicious advert shows up when you perform a Google search for ‘keepass’, the popular open-source password manager. The ad is extremely deceiving as it features the official Keepass logo, URL and is featured before the organic search result for the legitimate website,” he explained.

By clicking on the ad, users are redirected to a site located at xn--eepass-vbb[.]info, but rendered as ķeepass[.]info by browsers. “While it is barely noticeable, there is a small character under the ‘k’,” he pointed out.

Converting Punycode to ASCII (Source: Malwarebytes)

The malicious site looks very similar to the legitimate one and victims think they are downloading KeePass but are actually downloading a digitally signed malicious .msix installer that will trigger the download of malware.

Notepad++ as a lure

In another campaign, a variety of Google search ads for Notepad++ pushed via different ad accounts lead some users to a replica of the real Notepad++ website.

To avoid scrutiny by more tech savvy users and researchers, though, the ads redirect users who use VPNs or a system that runs emulators or virtual machines either to a decoy site or the legitimate one.

In the former group, each potential victim is assigned a unique ID that will allow them to download the malicious payload. “This is likely for tracking purposes but also to make each download unique and time sensitive,” Segura explained.

Malwarebytes could not get their hands on the actual final payload whose download is triggered by the downloaded .hta file, but it’s likely malware that allows attackers to access victims’ machines.

Advice for consumers and businesses

Malvertising via search engines is getting more sophisticated,” Segura concluded.

“For end users this means that it has become very important to pay close attention where you download programs from and where you should avoid them. In a business environment, we recommend IT admins provide internal repositories where employees can retrieve software installers safely.”