Scammers have been caught using a clever sleight of hand to impersonate the website for the Brave browser and using it in Google ads to push malware that takes control of browsers and steals sensitive data.
The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses what’s known as punycode to represent bravė[.]com, a name that when displayed in browser address bars is confusingly similar to brave.com, where people download the Brave browser. Bravė[.]com (note the accent over the letter E) was almost a perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known both as ArechClient and SectopRat.
From Google to malware in 10 seconds flat
To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things involving browsers. The ads looked benign enough. As the images below show, the domain shown for one ad was mckelveytees.com, a site that sells apparel for professionals.
But when people clicked on one of the ads, it directed them through several intermediary domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer who works on Brave, said that the file available for download there was an ISO image that was 303MB in size. Inside was a single executable.
VirusTotal immediately showed a handful of antimalware engines detecting the ISO and EXE. At the time this post went live, the ISO image had eight detections and the EXE had 16.
The malware detected goes under several names, including ArechClient and SectopRat. A 2019 analysis from security firm G Data found that it was a remote access trojan that was capable of streaming a user’s current desktop or creating a second invisible desktop that attackers could use to browse the Internet.
In a follow-on analysis published in February, G Data said the malware had been updated to add new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A separate analysis found it had “capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox.”
As shown in this passive DNS search from DNSDB Scout, the IP address that hosted the fake Brave site has been hosting other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com, and xn--brav-8va.com. Those translate into lędgėr.com, sīgnal.com teleģram.com, and bravę.com, respectively. All of the domains were registered through NameCheap.
An old attack that’s still in its prime
Martijn Grooten, head of threat intel research at security firm Silent Push, got to wondering if the attacker behind this scam had been hosting other lookalike sites on other IPs. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He hit on seven additional sites that were also suspicious.
The results, including the punycode and translated domain, are:
Google removed the malicious ads once Brave brought them to the company’s attention. NameCheap took down the malicious domains after receiving a notification.
One of the things that’s so fiendish about these attacks is just how hard they are to detect. Because the attacker has complete control over the punycode domain, the impostor site will have a valid TLS certificate. When that domain hosts an exact replica of the spoofed website, even security-aware people can be fooled.
Sadly, there are no clear ways to avoid these threats other than by taking a few extra seconds to inspect the URL as it appears in the address bar. Attacks using punycode-based domains are nothing new. This week’s impersonation of Brave.com suggests they aren’t going out of vogue any time soon.