A French security researcher has stumbled upon an adware delivery scheme that involves clone websites that use legitimately-looking domain names to trick victims into downloading famous apps, but which are actually laced with adware.

The first of these websites was discovered three days ago by Ivan Kwiatkowski. This website was located at keepass.fr, a domain name trying to pass as the app's official site located at keepass.info.

Apps downloaded from these sites push InstallCore adware

The version of Keepass downloaded from this fake website contained a legitimate and fully-working version of the password manager, but also the InstallCore adware [1, 2].

This type of adware is a modular threat that works by bundling free software with third-party "offers" as part of the application's installation process. For example, here's a version of the ImgBurn bundle prompting users to install a free version of the AVG antivirus. For every successful installation of an additional program, the adware bundler earns a commission.

Some of these "offers" are legitimate apps, but these types of software bundles have also been known to push apps that are more malicious in nature. For example, in the past, bundles have pushed cryptocurrency miners, adware, search hijackers, tab hijackers, and others.

After these offers have been accepted, declined, and installed, the bundler will then install the free application that the users was expecting.

Tens of similar websites discovered

The fake Keepass.fr website was not the only such site. It was part of a larger collection of typosquatted domains, all registered using the same email address.

Other domains registered by this individual/group tried to pose as websites for other famous software such as 7Zip, Paint.net, Inkscape, Scribus, GParted, Celestia, Audacity, Filezilla, Truecrypt, Blender, AdBlock, and more.

Most of these domains were registered using a .fr or .es TLD. The content on these sites was also available only in French or Spanish, suggesting the person behind these sites was trying to push the adware-infested apps to French-speaking or Spanish-speaking users only. A few sites were also available using international TLDs, and in English.

Below are sites that pushed copies of legitimate software bundled with this adware:

keepass.fr

7zip.fr

inkscape.fr

gparted.fr

clonezilla.fr

paintnet.fr

greenshot.fr

scribus.fr

audacity.es

stellarium.fr

celestia.fr

celestia.es

azureus.es

clonezilla.es

inkscape.es

paintnet.es

handbrake.es

gimp.es

thunderbird.es

unetbootin.org

unetbootin.net

notepad2.com

keepass.com

The sites below pushed clean copies of the legitimate software, but this doesn't mean they didn't push adware-infested versions in the past.

audacity.fr

filezilla.fr

truecrypt.fr

blender3d.fr

grooveshark.fr

adblock.fr

qbittorrent.com

According to Kwiatkowski, all these sites appear to be hosted on the same server, making the entire operation susceptible to an easy takedown.

You can also add https://t.co/KP9klhoiR3 to the list. All seem to point to a single machine: 185.46.231.54. — Ivan Kwiatkowski (@JusticeRage) July 27, 2018

For situations like these, some basic advice is necessary. When downloading any software, even from official websites, it is recommended to scan the software with an antivirus, or upload it on VirusTotal for a quick check-up. VirusTotal may not be perfect, but it will detect some threats and spare users from occasional headaches.