A military security investigator accidentally discovered a group of sites that used the familiar tactic of typosquatting to distribute software bundled with adware. The programs were authentic and functioned properly, but they contained malicious add-ons.
The first of these sites was discovered by Ivan Kwiatkowski. The malicious domain was keepass.fr, which seems to be a copy of keepass.info.
By downloading the KeePass executable file from keepass.fr, the user received a fully functional version of KeePass, but also installed the InstallCore adware.
This type of adware works as an add-on wrapped around an existing installation file, and displays its options when you run Setup. The installer asks the user whether they want to install third-party programs, such as AVG Antivirus, shown in the figure below. For each third-party installation that is made, the program creator (in this case keepass.fr) earns some money.
Some of the third-party programs proposed for installation are authentic and safe, such as AVG Antivirus. In other cases, however, adware, crypto miners, browser hijackers and more have been promoted.
But the fake keepass.fr site is not the only one of its kind. It is part of a large list of misleading domains, all registered with the same email address. Other domains contained copies of programs such as 7zip, paint.net, inkscape, scribus, GParted, Audacity, Filezilla, Truecrypt, Blender and AdBlock.
Most domains were registered under the .fr or .es TLDs, and their content was mainly available in French and Spanish.
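The pattern described above, a legitimate project's name re-registered under another TLD, can be checked for in proxy or DNS logs. The following is an added example, not code from the article or from the researcher; the allowlist, the `.example` host and the function names are assumptions chosen for illustration.

```python
# Added example (not from the original article): classify download hosts
# against a defender-maintained allowlist of official project domains.
OFFICIAL = {"keepass.info", "7-zip.org"}  # assumption: the defender's own allowlist

def split_domain(host):
    """Return (label, tld) from the last two DNS labels, e.g. 'www.keepass.fr'.
    Simplification: multi-part suffixes such as 'co.uk' are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, official=OFFICIAL):
    """Return (verdict, matched official domain or None)."""
    label, tld = split_domain(host)
    registered = f"{label}.{tld}"
    if registered in official:
        return ("official", registered)
    for good in sorted(official):
        good_label, _ = split_domain(good)
        if label == good_label:
            return ("tld-swap", good)       # same name, different TLD
        if edit_distance(label, good_label) <= 1:
            return ("lookalike", good)      # one character away from the real name
    return ("unrelated", None)

def scan(hosts):
    """Keep only hosts that imitate an allowlisted domain."""
    findings = []
    for host in hosts:
        verdict, good = classify(host)
        if verdict in ("tld-swap", "lookalike"):
            findings.append((host, verdict, good))
    return findings

if __name__ == "__main__":
    # Constructed sample: hosts as they might appear in a proxy or DNS log.
    sample = ["www.keepass.info", "keepass.fr", "7zip.example", "example.org"]
    for host, verdict, good in scan(sample):
        print(f"{host}: {verdict} of {good}")
```

A one-character threshold produces false positives on short names, so treat a hit as a prompt to check where the download actually came from, not as a verdict.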
According to Ivan, all these sites seem to be hosted on the same server, which means they will be easy to remove.
The list of malicious sites is as follows: