Website impersonating Brave browser caught distributing malware via Google ads
Recently, bad actors were caught using Google ads to promote a malware-laden website that impersonated the official website for the Brave browser. The near-perfect replica of Brave.com encouraged visitors to install remote access malware known as ArechClient or SectopRat. Google has since removed the malicious ads after the legitimate Brave team brought them to the search giant's attention. Here are more details.
Malicious domain name uses Unicode characters to distinguish itself
Brave is a Chromium-based, privacy and security-centric web browser that features an inbuilt ad-blocking tool called Brave Shield. The recently uncovered attack was developed by registering the domain xn--brav-yva.com. This is an encoded string of ASCII characters that translates into the Unicode domain name bravė.com. When displayed in a browser's address bar, this domain name appears similar to the legitimate "brave.com" domain name.
Punycode converts ASCII domain names into Unicode URLs
The encoded string of ASCII characters can be translated into a Unicode-based domain name using a representation method called punycode. This is needed because website URLs can use Unicode characters while a domain name must be registered using just ASCII characters.
Clicking 'Download' on malicious website downloads 303MB malware
The malicious website impersonates the legitimate brave.com website. However, Ars Technica reported that attempting to download the browser's installer initiated the download of an ISO disk image that was 303MB in size and contained a single executable. The ISO image was immediately flagged by eight antivirus engines on VirusTotal while the contained executable file was flagged by 16.
Malware provides bad actors remote access the victim's computer
This flagged malware goes by several names including ArechClient and SectopRat. A 2019 report explained that this remote access Trojan could live-stream the victim's desktop's goings-on to bad actors. A more recent analysis in February reportedly discovered that the malware now features encrypted communications with attacker-controlled command and control servers. It can also steal browser history from Chromium-based browsers, including Firefox and Chrome.
IP address was found impersonating Signal, Telegram as well
The folks at Ars Technica ran a passive DNS search from DNSDB Scout only to discover that the IP address that hosted the fake Brave website had also been hosting domains impersonating Signal and Telegram messaging services. The domains were reportedly registered through NameCheap. Further analysis using a proprietary product from security firm Silent Push uncovered domains impersonating torbrowser.com and flightsimulator.com too.
Malicious links were promoted among search results using Google ads
Additionally, the malicious Brave website links relied on Google ads to bump themselves up to the top spot in Google Search results for "brave." The ad links were reportedly redirected through several intermediary domains until finally landing on the malicious bravė.com website. This highlights that Google doesn't verify the authenticity and credibility of its advertisers. However, Google removed the malicious ads upon Brave's request.
Basic internet hygiene could help you avoid such malicious links
How should one steer clear of such malicious websites, you might ask. Well, it certainly pays to spend a few extra seconds to inspect the URL and domain you're visiting. Secondly, we would advise against using sponsored links in the Search results to visit websites of reputed organizations, products, and services. Sadly, it appears that website impersonation scams could continue.
Why can't we do away with Unicode in domain names?
The most challenging part of detecting fraudulent websites isn't helped by the fact that the malicious links also have valid TLS certificates since they are independently registered domains. Additionally, using Unicode characters for naming domains is necessary because Spanish and non-Latin script users of the world use different Unicode characters to give different meanings to words spelled similarly using ASCII characters.