Scammers have been caught using clever sleight of hand to impersonate the website for the Brave browser and use it in Google ads to push malware that takes control of browsers and steals sensitive data.
The attack worked through the domain xn--brav-yva[.]com, an encoded string that uses what is known as punycode to represent bravė[.]com, a name that, when displayed in the browser’s address bar, is confusingly similar to brave.com, where people download the Brave browser. bravė[.]com (note the accent above the letter E) was almost a perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known as ArechClient and SectopRat.
From Google to malware flat in 10 seconds
To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things using browsers. The ads looked benign enough. As the images below show, the domain displayed for one ad was mckelveytees.com, a site that sells clothing for professionals.
But when people clicked on one of the ads, they were taken through several intermediate domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer working on Brave, said the file to download was a 303 MB ISO image. Inside was a single executable file.
VirusTotal immediately showed a handful of antimalware engines detecting the ISO and EXE. At the time this post went live, the ISO image had eight detections and the EXE had 16.
The malware is detected under various names, including ArechClient and SectopRat. A 2019 analysis by security firm G Data found that it was a remote access trojan that could stream a user’s current desktop or create a second invisible desktop that attackers could use to browse the web.
In a follow-up analysis published in February, G Data said the malware had been updated to add new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A separate analysis found that it had “capabilities such as connecting to C2 server, profiling the system, stealing browser history from browsers such as Chrome and Firefox.”
As evidenced by this DNSDB Scout passive DNS lookup, the IP address hosting the fake Brave site hosted other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com, and xn--brav-8va.com. These translate into lędgėr.com, sīgnal.com, teleģram.com and bravę.com respectively. All domains are registered through NameCheap.
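The domains above are worth a closer look because the defender's problem is exactly the one the article describes: the raw DNS name is an opaque xn-- string, and only after decoding does the brand resemblance appear. The script below is an added example (it is not code from the article, from Brave, Silent Push or DNSDB) of how a small watchlist check could be run over domains seen in a passive-DNS feed or proxy log: each label is punycode-decoded, its diacritics are stripped to a bare skeleton, and a domain is flagged when that skeleton lands on a watched brand while the decoded label itself is not the brand. The watchlist and the observed-domain list are constructed for the example; the five xn-- names come from this article and xn--caf-dma.com (café.com) is added as a benign IDN control.

```python
import unicodedata

# Constructed watchlist of brands whose accented look-alikes should be flagged.
WATCHLIST = {"brave", "ledger", "signal", "telegram"}

# Constructed sample of observed domains (what a passive-DNS feed or proxy log
# might contain). The xn-- brand look-alikes are the ones named in the article;
# xn--caf-dma.com (café.com) is a benign IDN added as a control case.
OBSERVED = [
    "xn--brav-yva.com",
    "xn--ldgr-xvaj.com",
    "xn--sgnal-m3a.com",
    "xn--teleram-ncb.com",
    "xn--brav-8va.com",
    "brave.com",
    "mckelveytees.com",
    "xn--caf-dma.com",
]


def decode_label(label: str) -> str:
    """Decode one DNS label: ACE labels (xn--...) are punycode-decoded,
    everything else passes through unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            # Malformed ACE label: keep the raw form so it is still reported.
            return label
    return label


def decode_domain(domain: str) -> str:
    """Decode every label of a dotted domain name."""
    return ".".join(decode_label(part) for part in domain.split("."))


def skeleton(label: str) -> str:
    """Strip diacritics: decompose (NFKD) and drop combining marks, so
    'bravė' -> 'brave' and 'lędgėr' -> 'ledger'. This catches accented Latin
    look-alikes only; confusables from other scripts (e.g. Cyrillic 'а' for
    Latin 'a') would need a full confusables table."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def assess(domain: str) -> dict:
    """Decode a domain and decide whether its registrable label is an
    accented look-alike of a watched brand."""
    decoded = decode_domain(domain)
    labels = decoded.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    bare = skeleton(registrable)
    is_idn = not decoded.isascii()
    # Flag only when stripping accents changes the label AND lands on a brand;
    # the genuine brave.com has bare == registrable and is left alone.
    impersonates = bare if (bare in WATCHLIST and bare != registrable.lower()) else None
    return {
        "domain": domain,
        "decoded": decoded,
        "is_idn": is_idn,
        "impersonates": impersonates,
    }


def scan(domains) -> list:
    """Assess a batch of domains, preserving input order."""
    return [assess(d) for d in domains]


def flagged(domains) -> list:
    """Only the domains that impersonate a watched brand."""
    return [r["domain"] for r in scan(domains) if r["impersonates"]]


if __name__ == "__main__":
    for r in scan(OBSERVED):
        if r["impersonates"]:
            tag = f"LOOKALIKE of {r['impersonates']}"
        else:
            tag = "idn" if r["is_idn"] else "ascii"
        print(f"{r['domain']:24} -> {r['decoded']:14} [{tag}]")
```

Run as-is it prints one line per observed domain; in practice `flagged()` would be fed the registrable domains from your own logs and its output routed to whatever alerting you already have. The skeleton step is deliberately narrow (diacritics only), which keeps false positives low for IDN-heavy traffic but means a Cyrillic or Greek homograph needs a proper confusables mapping rather than this NFKD trick.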
An old attack still at its peak
Martijn Grooten, head of threat intelligence research at security firm Silent Push, wondered if the attacker behind this scam had hosted other similar sites on different IPs. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He hit on seven additional sites that were also suspicious.
The results, including the punycode and the translated domain, are:
Google removed the malicious ads as soon as Brave brought them to the company’s attention. NameCheap removed the malicious domains after receiving a notification.
One of the devilish things about these attacks is how hard they are to detect. Since the attacker has full control over the punycode domain, the rogue site has a valid TLS certificate. When that domain hosts an exact replica of the spoofed website, even security-conscious people can be fooled.
Unfortunately, there are no obvious ways to avoid these threats other than taking a few extra seconds to inspect the URL as it appears in the address bar. Attacks with punycode-based domains are nothing new. This week’s impersonation of Brave.com suggests they won’t go out of style anytime soon.