Impersonated Brave.com website pushes malware

silversurfer

Level 75
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,423
Scammers have been caught using a clever sleight of hand to impersonate the website for the Brave browser and using it in Google ads to push malware that takes control of browsers and steals sensitive data.

The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses what’s known as punycode to represent bravė[.]com, a name that when displayed in browsers address bars is confusingly similar to brave.com, where people download the Brave browser. Bravė[.]com (note the accent over the letter E) was almost a perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known both as ArechClient and SectopRat.
fake-brave-site.jpg

From Google to malware in 10 seconds flat​

To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things involving browsers. The ads looked benign enough. As the images below show, the domain shown for one ad was mckelveytees.com, a site that sells apparel for professionals.



But when people clicked on one of the ads, it directed them through several intermediary domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer who works on Brave, said that the file available for download there was an ISO image that was 303MB in size. Inside was a single executable.

VirusTotal immediately showed a handful of antimalware engines detecting the ISO and EXE. At the time this post went live, the ISO image had eight detections and the EXE had 16.

An old attack that’s still in its prime​

Martijn Grooten, head of threat intel research at security firm Silent Push, got to wondering if the attacker behind this scam had been hosting other lookalike sites on other IPs. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He hit on seven additional sites that were also suspicious.

The results, including the punycode and translated domain, are:
  • xn--screncast-ehb.com—screēncast.com
  • xn--flghtsimulator-mdc.com—flīghtsimulator.com.
  • xn--brav-eva.com—bravē.com
  • xn--xodus-hza.com—ēxodus.com
  • xn--tradingvew-8sb.com—tradingvīew.com
  • xn--torbrwser-zxb.com—torbrōwser.com
  • xn--tlegram-w7a.com—tēlegram.com
Google removed the malicious ads once Brave brought them to the company’s attention. NameCheap took down the malicious domains after receiving a notification.

One of the things that’s so fiendish about these attacks is just how hard they are to detect. Because the attacker has complete control over the punycode domain, the impostor site will have a valid TLS certificate. When that domain hosts an exact replica of the spoofed website, even security-aware people can be fooled.

Sadly, there are no clear ways to avoid these threats other than by taking a few extra seconds to inspect the URL as it appears in the address bar. Attacks using punycode-based domains are nothing new. This week’s impersonation of Brave.com suggests they aren’t going out of vogue anytime soon.
 
Top