Site Promoting KeePass Password Manager Pushes Malware

silversurfer

A site that pretends to promote the popular KeePass password management software is actually distributing malware to unsuspecting visitors. This site is part of a larger network of sites distributing adware bundles as free programs.

Last year, we reported that fake sites were created to promote popular software, but when we analyzed the distributed files, we found that they were pushing adware bundles on unsuspecting visitors.

These sites were promoting software such as 7zip, Inkscape, Gparted, Paint.Net, Scribus, Audacity, Stellarium, Celestia, CloneZilla, KeePass, Notepad2, UNetBootIn, Gimp, HandBrake, and many more.

One of these sites, keepass.com, was discovered again this week and it, and many of the other known sites, are still distributing malware a year later.

While many consider adware bundles more of a nuisance than actual malware, this is not true. Many of the adware bundles we see today include offers that include password stealing trojans, miners, ransomware, and backdoors.

Adware is commonly spread through fake sites that pretend to distribute cracks, warez, and legitimate software, but when users download the programs they discover that the bundles are filled with "offers" that are installed as well.

For example, keepass.com looks like a legitimate site that is promoting the KeePass password management software.

Keepass.com Site
 

upnorth

Another case that shows how important it is to try to get software from its main source, or at least from a well-known one. Using a domain and even https is real smart, because it will for sure lure people to download and install it.

KeePass genuine site/url.
 

blackice

Another case that shows how important it is to try to get software from its main source, or at least from a well-known one. Using a domain and even https is real smart, because it will for sure lure people to download and install it.

KeePass genuine site/url.

I honestly don’t understand why people download software from anywhere but the developer’s site, if they have one. Or from official links from devs to their GitHub etc. Generally just googling (or whatever search you use, though in this case Google is good at filtering) will show the developer’s site first.
 

blackice

Sadly the url/site is shown as number 5 in a Google search. Google can easily eradicate this kind of site, if they want.

That is unfortunate, however personally I’d be checking the hits higher up first. Most people could use to research what they’re downloading first. But, a company such as Google should have already filtered this junk out by now. I didn’t go that far down the list when I peeked.

Also, even legitimate sites can be compromised. That’s why I wish more companies would publish checksums.
 

JM Safe

Unfortunately, deceptive sites are popular to spread malware or also to get sensitive information from users. That's a serious issue. It is always good, as already mentioned, to download software from the official homepage of the product or also from well-known download sites.

Thanks for sharing this @silversurfer :)
 

Freki123

Also, even legitimate sites can be compromised. That’s why I wish more companies would publish checksums.
I really like checksums. You can take the dev's checksum and load the program from another legit website. If they don't match, better be careful.
 
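The cross-check described in the post above, as an added example that is not part of the original thread: hash a downloaded installer and compare it with the digest the developer published for that file name, refusing to pass if the name is not listed. The function names, the `Example-Setup.exe` file name and the sample bytes are constructed for illustration, and the checksum text is assumed to be in the common `sha256sum` format.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large installers are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def published_digest(checksum_text, filename):
    """Look up filename in sha256sum-style text ("<hex>  <name>" or "<hex> *<name>")."""
    for line in checksum_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            hex_digest = parts[0].lower()
            if len(hex_digest) != 64 or not set(hex_digest) <= set("0123456789abcdef"):
                raise ValueError("malformed SHA-256 entry for " + filename)
            return hex_digest
    # Fail closed: an unlisted file is never treated as verified.
    raise LookupError(filename + " is not listed in the published checksums")


def verify_download(path, checksum_text):
    """True only if the file's SHA-256 equals the digest published for its name."""
    expected = published_digest(checksum_text, os.path.basename(path))
    return sha256_of(path) == expected


def demo():
    """Constructed sample: the developer's build versus a repackaged mirror copy."""
    official = b"constructed installer bytes, official build"
    tampered = official + b" + bundled offer"
    listing = hashlib.sha256(official).hexdigest() + "  Example-Setup.exe\n"  # constructed
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Example-Setup.exe")
        for label, data in (("official", official), ("tampered", tampered)):
            with open(path, "wb") as fh:
                fh.write(data)
            results[label] = verify_download(path, listing)
    return results


if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the place the checksum text came from, so take it from the developer's own site rather than from the page serving the download.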
