Malicious ads lured internet users to a fake Brave browser website. The fake site pushed a version of the Brave browser bundled with a copy of the ArechClient (SectopRAT) malware. Google has removed the malicious ads to stop the attack.

A user trying to download a copy of the Brave browser was fooled by a cleverly spoofed ad, redirected to a malicious website, and had their system infected with malware.

The malicious website was hosted on bravė.com, where Brave was spelled with a lowercase Lithuanian ė (an e with a dot above it) instead of the usual Latin e.

Image: @bcrypt / Twitter

Users who visited the site, which was designed to look like the legitimate Brave portal, downloaded an ISO file that claimed to contain the Brave installer.

However, security researcher Bart Blaze told The Record today that, after analyzing the malicious files, he found that the ISO installed not only a copy of the Brave browser but also a version of the ArechClient (SectopRAT) malware.

The main function of the malware is to steal data from browsers and crypto wallets, Blaze said.

It also includes several anti-VM and anti-emulator detection features, meant to prevent researchers and security tools from observing its malicious behavior.

Users who installed this malware are advised to reset the passwords of their web accounts and to move their cryptocurrency funds to new wallet addresses.

Contacted by email, Google said it had removed the malicious ads.

There are strong policies that ban ads that try to circumvent enforcement by impersonating the advertiser’s identity or impersonating another brand. In this case, we immediately removed the ad and suspended the advertiser account.

Google spokesperson

In addition, after news of the attack spread online this week, Namecheap, the domain registrar used by the attackers, removed the domain, along with other domains from the same threat actor that impersonated the Tor and Signal websites.

This is getting a lot of attention today, so I'd like to add that Namecheap immediately removed the malicious domains (Brave, Tor, Signal, etc.) and Google blocked the ads shortly after these tweets disappeared...

Thanks to the twitterverse for keeping people safe.

— Yan (@bcrypt) July 30, 2021

These types of attacks are called IDN homograph attacks and occur when a threat actor registers a domain using internationalized characters that resemble letters of the classical Latin alphabet.

Attacks of this type have occurred for more than a decade, ever since internationalized glyphs were approved for use in domain names, and browser makers have responded by displaying these non-standard characters in Punycode.

For example, the malicious bravė.com domain is displayed as xn--brav-epa.com when loaded in a modern browser, but a user who does not pay attention to the address bar may download the malicious payload without noticing.
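The check a defender would want for this is small enough to show in full. The following is an added example, not code from the article or from Brave: it uses Python's built-in idna codec and unicodedata module to decode a hostname, report any non-ASCII or mixed-script labels, show the Punycode form a browser would display, and strip diacritics so that a look-alike such as the one described above collapses to the brand domain it imitates. The Cyrillic sample hostname is constructed for the demonstration; the only value taken from the article is its Punycode form xn--brav-epa.com.

```python
import unicodedata

# Added example (not from the original article): decode a hostname, flag
# non-ASCII and mixed-script labels, and recover an ASCII "skeleton" so a
# diacritic-based homograph can be matched against the brand it imitates.
# Sample hostnames are constructed, except the Punycode form quoted above.


def to_unicode(host: str) -> str:
    """Return the Unicode form of a hostname, decoding any xn-- Punycode labels."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def to_punycode(host: str) -> str:
    """Return the ASCII/Punycode form that modern browsers show in the address bar."""
    return host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Collect the script names (first word of each Unicode character name) used in a label."""
    found = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():  # digits and hyphens are script-neutral
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        found.add(name.split(" ")[0])
    return found


def skeleton(host: str) -> str:
    """Strip combining marks (the dot of a Lithuanian e, an acute accent, ...)
    so that 'brav\u0117.com' collapses to 'brave.com'.
    Only diacritics are handled here; cross-script look-alikes such as a
    Cyrillic 'a' standing in for a Latin 'a' are caught by the mixed-script flag."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def analyze(host: str) -> dict:
    """Build a small report a log pipeline or URL filter could act on."""
    uni = to_unicode(host)
    non_ascii = [ch for ch in uni if not ch.isascii()]
    scripts = set()
    for label in uni.split("."):
        scripts |= scripts_in(label)
    return {
        "unicode": uni,
        "punycode": to_punycode(uni),
        "non_ascii": non_ascii,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton(uni),
        "suspicious": bool(non_ascii),
    }


def matches_brand(host: str, brand: str) -> bool:
    """True when a non-ASCII hostname collapses onto a protected brand domain."""
    report = analyze(host)
    return report["suspicious"] and report["skeleton"] == brand


if __name__ == "__main__":
    samples = [
        "brave.com",          # genuine, all ASCII
        "xn--brav-epa.com",   # Punycode form quoted in the article
        "br\u0430ve.com",     # constructed: Cyrillic small a (U+0430) replacing Latin a
    ]
    for h in samples:
        r = analyze(h)
        print(f"{h:20} -> {r['punycode']:20} scripts={r['scripts']} "
              f"mixed={r['mixed_script']} suspicious={r['suspicious']} skeleton={r['skeleton']}")
```

Run against a proxy or DNS log, `analyze()` flags every hostname that contains non-ASCII characters, and `matches_brand()` adds a stronger signal for the diacritic trick described above: the article's domain decodes, loses its accent under NFKD, and lands exactly on brave.com. The Cyrillic sample is deliberately not matched by the skeleton, since NFKD does not map between scripts; it is surfaced instead by the mixed-script flag, which is the same heuristic browsers use when deciding to fall back to Punycode.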

Last year, the company saw 966 million ads that used a variety of techniques to attack users and mask their intent in order to bypass Google's advertising policies, according to Google's annual ad safety report.

Catalin Cimpanu is The Record's cybersecurity reporter. He previously worked for ZDNet and Bleeping Computer. He is well known in the industry for his constant reporting on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

