Fake ‘KeePass’ Password Manager Site Found Distributing Adware

A French site advertising itself as a KeePass password manager was found spreading malware. The site, keepass{.}com, is part of a large network of sites distributing adware to unsuspecting users.

Adware is software that features advertisements on websites you visit. The purpose of adware is to collect and sell data. Adware collects this information only with the user’s consent and should not be confused with trojans. However, in this case the adware displayed on certain websites was wrapped with malware.

Security researcher Berk Cem Goksel discovered that malicious sites were offering adware bundles. Many of these bundles are embedded with password-stealing trojans, ransomware, backdoors, and miners. The malware files have the extensions .dmg and .exe.

He commented on Twitter, saying:

“keepass(dot)com spreading malware acting as the official site for KeePass password manager. Download for .dmg and .exe files are available on the site.”

The advertisements were selling software like 7zip, Inkscape, Gparted, Stellarium, Paint.Net, Scribus, Audacity, Celestia, KeePass, Notepad2, UNetBootIn, Gimp, HandBrake, CloneZilla, etc.

The keepass site was selling the KeePass password manager for Windows, Windows portable, Mac, and Linux. When users went to download the Windows, Windows portable, and Mac versions of the password manager, the links pointed to adware bundles. However, when users downloaded the Linux version, they were sent to a valid site.

The malicious links pointed users to cdndownloadapr.com, which contained the adware bundles. Further, all the websites selling the software contained the same malicious file. All the downloads had different names, but the same MD5 hash. Additionally, all bundles are currently digitally signed by the company ‘In Profit Limited’. However, the company name used in the signatures changes frequently.
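The "different names, same hash" pattern described above can be checked for in a folder of downloaded installers. The following is an added example, not code from the article or the researcher; the function names and sample files are hypothetical, and it defaults to SHA-256, while passing `algo="md5"` matches the hash type the article mentions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

INSTALLER_EXTS = {".exe", ".dmg"}  # the two extensions named in the article

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_renamed_duplicates(root, algo="sha256"):
    """Return {digest: [paths]} for installers whose bytes are identical
    even though they are offered under different file names."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in INSTALLER_EXTS:
                path = os.path.join(dirpath, name)
                by_size[os.path.getsize(path)].append(path)
    by_digest = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < 2:
            continue  # a unique size cannot share content with another file
        for path in paths:
            by_digest[file_digest(path, algo)].append(path)
    return {d: sorted(ps) for d, ps in by_digest.items()
            if len({os.path.basename(p).lower() for p in ps}) > 1}

def build_sample_tree(root):
    """Constructed sample data: harmless byte strings standing in for downloads."""
    samples = {
        "KeePass-setup.exe": b"constructed bundle payload",
        "7zip-setup.exe": b"constructed bundle payload",
        "Audacity-setup.exe": b"constructed bundle payload",
        "legit-tool.exe": b"a different constructed file",
        "notes.txt": b"constructed bundle payload",  # not an installer, ignored
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for digest, paths in find_renamed_duplicates(tmp).items():
            print(digest, [os.path.basename(p) for p in paths])
```

A cluster of unrelated product names sharing one digest is a strong sign that the "installers" are a single bundle, and the digest can then be compared against the hash published by each project's official site.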

Moreover, when users download the bundles, the adware collects information about the computer. This information can include location, hardware used, whether a VPN is used, or whether it is an admin machine. The ads sent to your computer are decided based on the information collected.

It is recommended to always download and install software from trusted sites. If offers begin to pop up, cancel the installation right away.

 
