Scammers have been caught using a clever sleight of hand to impersonate the Brave browser website and use it in Google ads to drive malware that takes control of browsers and steals sensitive data.
The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses what is known as punycode to represent bravė[.]com, a name that, when displayed in browser address bars, is confusingly similar to brave.com, where people download the Brave browser. Bravė[.]com (note the accent on the letter E) was an almost perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known as ArechClient and SectopRat.
From Google to Malware in 10 Plain Seconds
To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for browser-related things. The ads seemed pretty benign. As the images below show, the domain displayed for an ad was mckelveytees.com, a site that sells clothing for professionals.
But when people clicked on one of the ads, it led them through various intermediary domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer working at Brave, said the file available for download was a 303MB-size ISO image. Inside was a single executable.
The malware goes by various names, including ArechClient and SectopRat. A 2019 analysis from the security firm G Data found that it was a remote access Trojan capable of transmitting a user’s current desktop or creating an invisible second desktop that attackers could use to surf the Internet.
In a follow-up analysis posted in February, G Data said the malware had been updated with new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A separate analysis found that it had “capabilities like connecting to the C2 server, profiling the system, stealing browser history from browsers like Chrome and Firefox.”
As shown in this passive DNS lookup from DNSDB Scout, the IP address that was hosting the fake Brave site has been hosting other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com and xn--brav-8va.com. These decode to lędgėr.com, sīgnal.com, teleģram.com and bravę.com, respectively. All of the domains were registered through NameCheap.
An old attack that is still in its prime
Martijn Grooten, a researcher at the security company Silent Push, wondered whether the attacker behind this scam had hosted similar sites on other IP addresses. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and served from the same web server. The search turned up seven additional sites that were also suspicious.
The results, with the punycode domain followed by its decoded form, are:
- xn--screncast-ehb.com – screēncast.com
- xn--flghtsimulator-mdc.com – flīghtsimulator.com
- xn--brav-eva.com – bravē.com
- xn--xodus-hza.com – ēxodus.com
- xn--tradingvew-8sb.com – tradingvīew.com
- xn--tlegram-w7a.com – tēlegram.com
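The domains above can be checked mechanically the way a defender would: decode each xn-- label with Python's built-in punycode codec, strip the accents (combining marks) to get a plain-ASCII skeleton, and flag any decoded name whose skeleton matches a protected brand. This is an added example, not code from the article or from Brave, Silent Push or G Data; the brand list and the sample domains are taken from the article, and the accent-stripping skeleton is a deliberately simplified confusable check.

```python
import unicodedata

# Punycode domains named in the article (no longer defanged so they decode)
SAMPLE_DOMAINS = [
    "xn--brav-yva.com", "xn--ldgr-xvaj.com", "xn--sgnal-m3a.com",
    "xn--teleram-ncb.com", "xn--brav-8va.com", "xn--screncast-ehb.com",
    "xn--flghtsimulator-mdc.com", "xn--brav-eva.com", "xn--xodus-hza.com",
    "xn--tradingvew-8sb.com", "xn--tlegram-w7a.com",
]

# Brands the article's domains imitate (an allow-list a defender maintains)
PROTECTED_BRANDS = {
    "brave.com", "ledger.com", "signal.com", "telegram.com",
    "screencast.com", "flightsimulator.com", "exodus.com", "tradingview.com",
}


def decode_idn(domain: str) -> str:
    """Decode every xn-- label of a domain to Unicode; ASCII labels pass through."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            # The punycode codec works on the part after the ACE prefix
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(name: str) -> str:
    """Simplified confusable skeleton: decompose (NFKD) and drop combining marks,
    so 'bravė' and 'bravę' both collapse to 'brave'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def homograph_hits(domains, brands):
    """Return (punycode, decoded, brand) for domains whose decoded form is
    non-ASCII but whose skeleton equals a protected brand."""
    hits = []
    for domain in domains:
        decoded = decode_idn(domain)
        if not decoded.isascii() and skeleton(decoded) in brands:
            hits.append((domain, decoded, skeleton(decoded)))
    return hits


if __name__ == "__main__":
    for punycode, decoded, brand in homograph_hits(SAMPLE_DOMAINS, PROTECTED_BRANDS):
        print(f"{punycode:30} -> {decoded:22} looks like {brand}")
```

The skeleton here only handles accented Latin letters; a production check should use the Unicode confusables data (UTS #39) and also flag mixed-script labels.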
Google removed the malicious ads once Brave brought them to the company’s attention. NameCheap removed the malicious domains after receiving a notification.
One of the most insidious things about these attacks is how difficult they are to detect. Because the attacker has full control over the punycode domain, the impostor site will have a valid TLS certificate. When that domain hosts an exact replica of the spoofed website, even security-conscious people can be fooled.
Unfortunately, there are no clear ways to avoid these threats other than taking a few extra seconds to inspect the URL as it appears in the address bar. Attacks using punycode-based domains are nothing new. This week’s Brave.com spoof suggests they’re not going to go out of style any time soon.