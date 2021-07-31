



Scammers were found using clever sleight of hand to spoof the Brave browser website and push it through Google Ads, delivering malware that takes control of the browser and steals sensitive data.

The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses what is known as punycode to represent bravė[.]com, a name that, when shown in the browser's address bar, is confusingly similar to brave.com, the site where people download the Brave browser. Bravė[.]com (note the accent over the letter E) was an almost perfect replica of brave.com, with one crucial exception: the "Download Brave" button fetched a file that installed malware known as both ArechClient and SectopRat.

10 seconds flat from Google to malware

To drive traffic to the fake site, the scammers bought Google ads that appeared when users searched for browser-related terms. The ads looked legitimate enough. As the image below shows, the domain displayed in one ad was mckelveytees.com, a site that sells professional apparel.

When people clicked on one of the ads, however, they were bounced through several intermediate domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer who works on Brave, said the downloadable file was a 303MB ISO image containing a single executable.

VirusTotal quickly showed a handful of antivirus engines detecting the ISO and the EXE. At the time this post went live, the ISO image had 8 detections and the EXE had 16.

The detected malware goes by several names, including ArechClient and SectopRat. According to a 2019 analysis by security firm G Data, it is a remote-access trojan that can stream the user's current desktop and create a second, hidden desktop that attackers can use to browse the Internet.

In a follow-up analysis published in February, G Data said the malware had been updated with new features, such as encrypted communication with attacker-controlled command-and-control servers. Another analysis found capabilities such as connecting to a C2 server, profiling the system, and stealing browser history from browsers such as Chrome and Firefox.

As shown in this passive DNS lookup from DNSDB Scout, the IP address that hosted the fake Brave site also hosted other suspicious punycode domains: xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com, and xn--brav-8va.com. These decode to ldgr.com, sgnal.com, teleram.com, and brav.com, respectively (the accented characters are not shown here). All of the domains were registered through NameCheap.

An old attack that is still going strong

Martijn Grooten, head of threat intelligence research at security firm Silent Push, suspected that the attackers behind the scam might be hosting other similar sites on other IPs. He used a Silent Push product to search for other punycode domains that were registered through NameCheap and used the same web host, and found seven additional suspicious sites.

The results, with the punycode form followed by the decoded domain, are as follows:

xn--screncast-ehb.com (screncast.com)
xn--flghtsimulator-mdc.com (flghtsimulator.com)
xn--brav-eva.com (brav.com)
xn--xodus-hza.com (xodus.com)
xn--tradingvew-8sb.com (tradingvew.com)
xn--torbrwser-zxb.com (torbrwser.com)
xn--tlegram-w7a.com (tlegram.com)
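The domains above can be triaged the same way an analyst would: decode each xn-- label from punycode, strip the diacritics, and compare the result against a list of brands worth protecting. This is an added example written for this page, not code from Silent Push, Brave, or the original article; the protected-brand list is constructed, and the only domains it asserts on are the ones named in the text.

```python
import unicodedata

# Constructed list of brands to protect; extend it with whatever the
# organisation actually cares about.
PROTECTED = {"brave.com", "ledger.com", "signal.com", "telegram.com"}


def decode_idn(domain: str) -> str:
    """Turn an ASCII-compatible (possibly defanged) domain into its Unicode form.

    Each label beginning with "xn--" is punycode; the rest are left as-is.
    """
    domain = domain.lower().replace("[.]", ".")  # accept defanged input
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Strip accents: NFKD decomposition, then drop combining marks.

    This folds e-with-dot, e-with-ogonek, e-with-macron, etc. onto plain "e".
    It does NOT cover look-alikes from other scripts (e.g. Cyrillic letters);
    for those, the Unicode confusables data (UTS #39) is needed.
    """
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def homograph_match(domain: str):
    """Return details if `domain` is an accented look-alike of a protected brand."""
    unicode_form = decode_idn(domain)
    skel = skeleton(unicode_form)
    # A hit requires that stripping accents actually changed something, so
    # the genuine brave.com is never flagged as impersonating itself.
    if skel != unicode_form and skel in PROTECTED:
        return {"input": domain, "decoded": unicode_form, "impersonates": skel}
    return None


if __name__ == "__main__":
    for d in ("xn--brav-yva[.]com", "xn--brav-8va.com", "xn--brav-eva.com", "brave.com"):
        print(d, "->", homograph_match(d))
```

The skeleton step only catches diacritic variants, which is exactly the trick used in this campaign; a production filter should also use the Unicode confusables table and check certificate transparency logs for the decoded names.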

After Brave brought the malicious ads to Google's attention, Google removed them. NameCheap took down the malicious domain after being notified.

One of the most frustrating things about these attacks is how hard they are to detect. Because the attacker has full control over the punycode domain, the fraudulent site carries a valid TLS certificate. Even security-conscious people can be fooled when the domain hosts an exact replica of the site being spoofed.

Unfortunately, there is no clear way around these threats other than taking a few extra seconds to inspect the URL shown in the address bar. Attacks using punycode-based domains are nothing new. This week's spoofing of brave.com suggests they won't be going out of fashion anytime soon.

