Fake credential management software spreading Adware

December 16, 2019
keepass adware malware

A website in France posing as the popular credential management software KeePass Password Manager was found spreading malware. The site, keepass{.}com, is part of a large network of sites distributing adware to unsuspecting users.

Adware is software written specifically to display and promote advertisements on the websites you visit. Its purpose is to collect and sell data. Legitimate adware collects this information only with the user's consent and should not be confused with trojans. In this case, however, the adware served on certain websites was wrapped with malware.

Security researcher Berk Cem Goksel discovered that malicious sites were offering adware bundles. Many of these bundles are embedded with password-stealing trojans, ransomware, backdoors, and miners. The malware files carry the extensions .dmg and .exe.

The advertisements were selling software such as 7zip, Inkscape, Gparted, Stellarium, Paint.Net, Scribus, Audacity, Celestia, KeePass, Notepad2, UNetBootIn, Gimp, HandBrake, CloneZilla, etc.

The keepass site was offering the KeePass password manager for Windows, Windows portable, Mac, and Linux. When users went to download the Windows, Windows portable, and Mac versions of the password manager, the links pointed to adware bundles. When users downloaded the Linux version, however, they were sent to a valid site.

The malicious links pointed users to cdndownloadapr.com, which hosted the adware bundles. All the websites selling the software served the same malicious file: the downloads had different file names but the same MD5 hash. Additionally, all bundles are currently digitally signed by the company 'In Profit Limited', although the company name used in the signatures changes frequently.


Moreover, when users run the bundles, the adware collects information about the computer. This can include location, the hardware in use, whether a VPN is used, and whether it is an admin machine. The ads sent to the computer are chosen based on the information collected.


While many people consider adware bundles more of a nuisance than actual malware, this is not true. Many of the adware bundles seen today include "offers" that contain password-stealing trojans, miners, ransomware, and backdoors.

Adware is commonly spread through fake sites that pretend to distribute cracks, warez, and legitimate software; when users download the programs, they discover that the bundles are filled with "offers" that get installed as well.

It is recommended to always download and install software from trusted sites. If offers begin to pop up during installation, cancel the installation right away.
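Two observations above suggest a simple defensive check: the campaign's installers carried different names but one identical hash, and users should only trust downloads from the vendor's own site. The following Python script, an added example that is not part of the original article, hashes a set of downloaded files, flags differently named files that are byte-identical (the "rebranded bundle" pattern), and compares a file against the hash the vendor publishes. The file contents and expected hash are constructed for illustration; real hashes must come from the vendor's official download page.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample "downloads" (name -> bytes). These are NOT the real
# bundles from the campaign; three share one payload under different names,
# mimicking the single-MD5 observation, while the fourth is distinct.
SAMPLE_DOWNLOADS = {
    "KeePass-2.43-Setup.exe": b"BUNDLE-PAYLOAD-A: offer installer",
    "7zip-setup.exe": b"BUNDLE-PAYLOAD-A: offer installer",
    "KeePass-2.43.dmg": b"BUNDLE-PAYLOAD-A: offer installer",
    "keepass-linux.tar.gz": b"GENUINE-PACKAGE: vendor archive",
}


def file_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of in-memory data (sha256 by default; 'md5' also works)."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def path_digest(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file on disk, read in chunks so large installers fit."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(downloads: dict) -> dict:
    """Map digest -> list of file names that produced it."""
    groups = defaultdict(list)
    for name, data in downloads.items():
        groups[file_digest(data)].append(name)
    return dict(groups)


def find_rebranded_bundles(downloads: dict) -> list:
    """Return sorted name lists for every group of byte-identical files.
    Many names over one hash is the signature of a repackaged adware bundle."""
    return [sorted(names) for names in group_by_hash(downloads).values()
            if len(names) > 1]


def verify_against_vendor_hash(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of a download against the vendor's published hash."""
    return hmac.compare_digest(file_digest(data), expected_sha256.strip().lower())
```

Running `find_rebranded_bundles` over a real download directory (swap `file_digest` for `path_digest`) surfaces any set of installers that share a hash despite their names, which is exactly the pattern seen across this campaign's sites.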
