With help from Google, impersonated Brave.com website pushes malware

31/07/2021
Scammers have been caught using a clever sleight of hand to impersonate the website for the Brave browser and using it in Google ads to push malware that takes control of browsers and steals sensitive data.

The attack worked by registering the domain xn--brav-yva[.]com, the punycode (ASCII-compatible) encoding of bravė[.]com, a name that, when rendered in a browser's address bar, is confusingly similar to brave.com, where people download the Brave browser. Bravė[.]com (note the dot above the letter E) was almost a perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known both as ArechClient and SectopRat.

From Google to malware in 10 seconds flat

To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things involving browsers. The ads looked benign enough. In one of them, the display domain shown in the ad was mckelveytees.com, a site that sells apparel for professionals.

But when people clicked on one of the ads, it directed them through several intermediary domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer who works on Brave, said that the file available for download there was an ISO image that was 303MB in size. Inside was a single executable.

VirusTotal immediately showed a handful of antimalware engines detecting the ISO and EXE. At the time this post went live, the ISO image had eight detections and the EXE had 16.


The malware detected goes under several names, including ArechClient and SectopRat. A 2019 analysis from security firm G Data found that it was a remote access trojan that was capable of streaming a user’s current desktop or creating a second invisible desktop that attackers could use to browse the Internet.

In a follow-on analysis published in February, G Data said the malware had been updated to add new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A separate analysis found it had “capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox.”

As shown in a passive DNS search from DNSDB Scout, the IP address that hosted the fake Brave site has been hosting other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com, and xn--brav-8va.com. Those decode to lędgėr.com, sīgnal.com, teleģram.com, and bravę.com, respectively. All of the domains were registered through NameCheap.

An old attack that’s still in its prime

Martijn Grooten, head of threat intel research at security firm Silent Push, wondered whether the attacker behind this scam had been hosting other lookalike sites on other IPs. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He found seven additional sites that were also suspicious.

The results, including the punycode and translated domain, are:

  • xn--screncast-ehb.com—screēncast.com
  • xn--flghtsimulator-mdc.com—flīghtsimulator.com
  • xn--brav-eva.com—bravē.com
  • xn--xodus-hza.com—ēxodus.com
  • xn--tradingvew-8sb.com—tradingvīew.com
  • xn--torbrwser-zxb.com—torbrōwser.com
  • xn--tlegram-w7a.com—tēlegram.com
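
The following Python script is an added example, not code from the article, from Brave or from Silent Push. It decodes the xn-- labels listed above back to the Unicode names the browser would display, shows the reverse conversion a user could compare against the address bar, and then runs a simple lookalike check: each second-level label is stripped of its diacritics (NFKD decomposition, combining marks dropped) and compared against a watch list of brand names. The domain list is constructed from the names in this article plus two legitimate domains, and the watch list of brands is an assumption made for the example.

```python
import unicodedata

# Constructed sample input: the A-label (xn--) domains named in the article,
# plus two legitimate domains that must not be flagged.
SAMPLE_DOMAINS = [
    "xn--brav-yva.com",            # bravė.com, the site used in the Brave campaign
    "xn--brav-8va.com",            # bravę.com
    "xn--brav-eva.com",            # bravē.com
    "xn--ldgr-xvaj.com",           # lędgėr.com
    "xn--sgnal-m3a.com",           # sīgnal.com
    "xn--teleram-ncb.com",         # teleģram.com
    "xn--tlegram-w7a.com",         # tēlegram.com
    "xn--screncast-ehb.com",       # screēncast.com
    "xn--flghtsimulator-mdc.com",  # flīghtsimulator.com
    "xn--xodus-hza.com",           # ēxodus.com
    "xn--tradingvew-8sb.com",      # tradingvīew.com
    "xn--torbrwser-zxb.com",       # torbrōwser.com
    "brave.com",                   # legitimate
    "example.org",                 # legitimate
]

# Hypothetical watch list of brand labels a defender wants to protect
# (an assumption for this example, not a list from the article).
PROTECTED_BRANDS = {
    "brave", "ledger", "signal", "telegram", "screencast",
    "flightsimulator", "exodus", "tradingview", "torbrowser",
}


def decode_idna(domain: str) -> str:
    """Turn each xn-- label of a domain back into the Unicode it encodes.

    The 'xn--' prefix marks a punycode label; Python's punycode codec
    decodes the part after the prefix (RFC 3492).
    """
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def to_alabel(domain: str) -> str:
    """Reverse direction: the raw xn-- form a user would see if the browser
    declined to render the Unicode name."""
    return domain.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Remove diacritics: decompose (NFKD) and drop combining marks, so that
    'bravė', 'bravę' and 'bravē' all collapse to 'brave'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def lookalike_report(domains, brands=PROTECTED_BRANDS):
    """Return (raw_domain, unicode_domain, brand) for every domain whose
    second-level label collapses onto a protected brand without being that
    brand verbatim. Legitimate 'brave.com' is therefore not reported."""
    hits = []
    for raw in domains:
        unicode_form = decode_idna(raw)
        sld = unicode_form.split(".")[0]
        collapsed = skeleton(sld)
        if collapsed != sld and collapsed in brands:
            hits.append((raw, unicode_form, collapsed))
    return hits


if __name__ == "__main__":
    for raw, uni, brand in lookalike_report(SAMPLE_DOMAINS):
        print(f"{raw:30} -> {uni:24} impersonates {brand}")
```

The diacritic-stripping check catches every domain in this campaign, because all of them swap a plain Latin letter for the same letter with an accent, but it is deliberately narrow: a label built from Cyrillic or Greek letters that merely look like Latin ones survives NFKD unchanged. A production check should additionally map each character through the Unicode confusables table (UTS #39) before comparing against the watch list.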

Google removed the malicious ads once Brave brought them to the company’s attention. NameCheap took down the malicious domains after receiving a notification.

One of the things that makes these attacks so fiendish is how hard they are to detect. The attacker legitimately controls the punycode domain, so it can obtain a valid TLS certificate for it from any certificate authority that performs domain validation; the padlock in the address bar therefore says nothing about who is behind the site. When that domain hosts an exact replica of the spoofed website, even security-aware people can be fooled.

Sadly, there is no clear way to avoid these threats other than taking a few extra seconds to inspect the URL as it appears in the address bar. Browsers apply their own rules for when an internationalized domain is displayed as Unicode rather than in its raw xn-- form, so the address bar may show bravė.com rather than xn--brav-yva.com; if a download page's domain looks even slightly off, type the vendor's address yourself rather than trusting a search ad. Attacks using punycode-based domains are nothing new. This week's impersonation of Brave.com suggests they aren't going out of vogue anytime soon.
