[TheRecord] Google shuts down malicious ad posing as Brave browser but delivering malware

Internet surfers looking to download a copy of the Brave browser were fooled this week by a cleverly disguised ad that redirected them to a malicious website where they infected their systems with malware.

The malicious website was located at bravė.com, where Brave was spelled with a lowercase Lithuanian ė (e with a dot above) instead of the ordinary Latin e.

Image: @bcrypt/Twitter

Users who landed on the site, which was designed to look like the legitimate Brave portal, downloaded an ISO file claiming to contain the Brave installer.

However, besides installing a copy of the Brave browser, the ISO file also installed a version of the ArechClient (SectopRAT) malware, security researcher Bart Blaze told The Record today, after analyzing the malicious file.

The malware’s primary functionality is to steal data from browsers and crypto-wallets, Blaze said.

It also contained several anti-VM and anti-emulator detection capabilities to prevent researchers and security solutions from detecting its malicious capabilities.

Users who installed this malware are advised to reset web account passwords and transfer cryptocurrency funds to new addresses.

Contacted by email, Google said it has now taken down the malicious ad.

We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands. In this case, we immediately removed the ad and suspended the advertiser account.

Google spokesperson

Furthermore, after news of the attack spread online this week, the fake Brave website also disappeared earlier today, although it remains unclear if the site was taken down by the threat actor or after the domain registrar intervened.

These types of attacks are called IDN homograph attacks and happen when threat actors register domains using international characters that resemble the classic Latin alphabet.

Attacks like the one aimed at Brave users have been happening for more than a decade, ever since internationalized characters were approved for use in domain names, and browser makers have responded by displaying such domains in their Punycode (xn--) form in the address bar.

For example, the malicious bravė.com domain would equate to xn--brav-epa.com when loaded inside a modern browser, but if users didn’t pay attention to the address bar, they would have most likely downloaded the malicious payload.
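The Punycode conversion and the lookalike check described in the paragraphs above, as an added example that is not part of the original article. It uses only the Python standard library (the `idna` codec for Punycode, `unicodedata` for script and diacritic handling); the protected-brand list, the partial Cyrillic lookalike table and the sample domains are constructed for the example, and the "skeleton" function is an approximation of a confusables check, not the Unicode TR39 algorithm.

```python
import unicodedata

# Constructed watch-list of brand domains to protect (example values only).
PROTECTED_BRANDS = {"brave.com", "google.com"}

# Partial, hand-built table of Cyrillic letters that render like Latin ones.
# Constructed for this example; production code would use Unicode TR39 data.
CYRILLIC_LOOKALIKES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y"}


def to_ascii(domain: str) -> str:
    """Punycode form (xn--...) as a modern browser shows it in the address bar."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Reverse direction: turn an xn-- form (e.g. from proxy logs) back into Unicode."""
    return domain.encode("ascii").decode("idna")


def skeleton(label: str) -> str:
    """Approximate confusable skeleton: map known Cyrillic lookalikes to Latin,
    then strip diacritics (NFKD + drop combining marks) so 'bravė' -> 'brave'."""
    mapped = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def label_scripts(label: str) -> set:
    """Scripts used by the alphabetic characters of a label (first word of the
    Unicode character name, e.g. LATIN, CYRILLIC). Mixed scripts are suspicious."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def assess(domain: str) -> dict:
    """Classify a domain: is it an IDN, does it mix scripts, and does its
    skeleton collide with a protected brand (an IDN homograph of that brand)."""
    domain = domain.lower().rstrip(".")
    if any(label.startswith("xn--") for label in domain.split(".")):
        domain = to_unicode(domain)          # normalise log-style input first
    ascii_form = to_ascii(domain)
    labels = domain.split(".")
    is_idn = ascii_form != domain            # any label needed Punycode
    mixed = any(len(label_scripts(label)) > 1 for label in labels)
    skel = ".".join(skeleton(label) for label in labels)
    impersonates = skel if (is_idn and skel in PROTECTED_BRANDS) else None
    return {
        "input": domain,
        "punycode": ascii_form,
        "is_idn": is_idn,
        "mixed_script": mixed,
        "skeleton": skel,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the lookalike from the article, the genuine
    # domain, and a mixed-script lookalike using Cyrillic 'о' characters.
    for sample in ("bravė.com", "brave.com", "gооgle.com"):
        print(assess(sample))
```

The check is meant to run over domains seen in proxy or DNS logs: a domain whose Punycode form differs from its display form and whose skeleton matches a protected brand is the pattern described in the article, while the mixed-script flag catches lookalikes (such as Cyrillic letters inside a Latin name) that a diacritic-stripping skeleton alone would miss.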

According to Google’s annual Ads Safety Report, the company saw 968 million ads last year that used various techniques to cloak their intentions to attack users and bypass Google’s advertising policies.

The post Google shuts down malicious ad posing as Brave browser but delivering malware appeared first on The Record by Recorded Future.
