With the assistance of Google ads, a faux Brave.com website spreads malware
Scammers have been caught mimicking the website for the Brave browser and using it in Google ads to spread malware that takes control of browsers and steals sensitive data.
The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses punycode to represent bravė[.]com, a name that, when displayed in a browser's address bar, is confusingly similar to brave.com, the site where people download the Brave browser. Bravė[.]com (note the accent above the letter E) was almost a perfect copy of brave.com, with one key exception: the Download Brave button grabbed a file that installed malware known as both ArechClient and SectopRat.
From Google to malware in 10 seconds flat
In order to drive traffic to the fake website, the scammers bought ads on Google that were displayed when users searched for things involving browsers. The ads looked benign. As the images below show, the domain shown for one ad was mckelveytees.com, a website that sells clothing for professionals.
But when people clicked on one of the ads, they were directed through several intermediate domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer working on Brave, said the file available for download was an ISO image that was 303MB in size. Inside was a single executable file.
VirusTotal immediately showed a handful of anti-malware engines detecting the ISO and the EXE. When this post went live, the ISO image had eight detections and the EXE had 16.
The malware has several names, including ArechClient and SectopRat. A 2019 analysis by the security company G Data found that it was a remote access Trojan able to stream a user's current desktop or create a second, invisible desktop that the attacker could use to browse the Internet.
In a follow-up analysis published in February, G Data said the malware had been updated with new features and capabilities, including encrypted communication with attacker-controlled command-and-control servers. A separate analysis found that it had "capabilities like connecting to the C2 server, profiling the system, stealing browsing history from browsers like Chrome and Firefox".
As demonstrated in this DNSDB Scout passive DNS search, the IP address that hosted the fake Brave site was also hosting other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com and xn--brav-8va.com. These decode to lędgėr.com, sīgnal.com, teleģram.com and bravę.com, respectively. All of the domains were registered through NameCheap.
An old attack that is still in its prime
Martijn Grooten, Head of Threat Intel Research at the security firm Silent Push, wondered whether the attacker behind this scam had hosted other lookalike sites on other IP addresses. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He came across seven other sites that were also suspicious.
The results, including the punycode and the decoded domain, are:
- xn--screncast-ehb.com — screēncast.com
- xn--brav-eva.com — bravē.com
- xn--xodus-hza.com — ēxodus.com
- xn--tradingvew-8sb.com — tradingvīew.com
- xn--tlegram-w7a.com — tēlegram.com
Google removed the malicious ads when Brave brought them to the company’s attention. NameCheap removed the malicious domains after receiving a notification.
One of the diabolical things about these attacks is how hard they are to detect. Because the attacker fully controls the punycode domain, the scam site has a valid TLS certificate. If the domain hosts an exact copy of the spoofed website, even security-conscious people can be fooled.
Unfortunately, there are no clear-cut ways to avoid these threats beyond taking an extra few seconds to review the URL as it appears in the address bar. Attacks using punycode-based domains are nothing new. This week's imitation of Brave.com suggests they won't go out of style anytime soon.
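The punycode domains listed above can be decoded and screened automatically, which is what a defender watching a passive-DNS or certificate-transparency feed would want. The following Python is an added example, not code from the article or from Brave, Silent Push or G Data. The WATCHLIST set, the SAMPLE_DOMAINS list and the simplified skeleton() function are assumptions made for illustration. It decodes each "xn--" label with Python's built-in punycode codec, strips diacritics with NFKD normalisation, and flags a domain whose accent-stripped registrable label matches a watchlisted brand, so bravė, sīgnal, teleģram and lędgėr are caught while brave.com itself and a legitimate accented domain such as münchen.de are not.

```python
import codecs
import unicodedata

# Constructed watchlist (an assumption for this example): ASCII brand names a
# defender wants to protect, lowercase, without the TLD.
WATCHLIST = {"brave", "signal", "telegram", "ledger", "exodus",
             "tradingview", "screencast"}

# Constructed input: the article's domains plus two benign controls
# (brave.com itself and the legitimate IDN xn--mnchen-3ya.de, "münchen.de").
SAMPLE_DOMAINS = [
    "xn--brav-yva.com", "xn--ldgr-xvaj.com", "xn--sgnal-m3a.com",
    "xn--teleram-ncb.com", "xn--brav-8va.com", "xn--tradingvew-8sb.com",
    "brave.com", "xn--mnchen-3ya.de",
]


def decode_label(label: str) -> str:
    """Return the Unicode (U-label) form of one DNS label.

    A label beginning with 'xn--' is an A-label; the remainder is punycode.
    Any other label is returned unchanged.
    """
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def skeleton(text: str) -> str:
    """Simplified confusable skeleton: NFKD-decompose, drop combining marks,
    lowercase. 'bravė' -> 'brave', 'teleģram' -> 'telegram'.

    This only folds accented Latin letters. It is deliberately narrower than
    the UTS #39 confusable tables (it does not map Cyrillic 'а' to Latin 'a').
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def analyze(domain: str) -> dict:
    """Decode a domain and report whether its registrable label imitates a
    watchlisted brand. Assumes a single-label public suffix such as .com."""
    labels = [decode_label(part) for part in domain.rstrip(".").lower().split(".")]
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    non_ascii = [(ch, unicodedata.name(ch, "?")) for ch in registrable if ord(ch) > 0x7F]
    base = skeleton(registrable)
    return {
        "input": domain,
        "unicode": ".".join(labels),
        "non_ascii": non_ascii,
        # Flag only when a non-ASCII character was needed to reach a brand name;
        # brave.com itself is therefore never flagged.
        "lookalike_of": base if (non_ascii and base in WATCHLIST) else None,
    }


def report(domains) -> list:
    """One line per domain, lookalikes first, each listing the characters that
    make it a lookalike so an analyst can see the substitution at a glance."""
    rows = [analyze(d) for d in domains]
    rows.sort(key=lambda r: r["lookalike_of"] is None)
    lines = []
    for r in rows:
        if r["lookalike_of"]:
            subs = ", ".join(f"{ch} ({name})" for ch, name in r["non_ascii"])
            lines.append(f"LOOKALIKE {r['input']} -> {r['unicode']} "
                         f"imitates {r['lookalike_of']} via {subs}")
        else:
            lines.append(f"ok        {r['input']} -> {r['unicode']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DOMAINS)))
```

Running the script prints the six article domains as LOOKALIKE lines, each with the substituted character named (for example "ė (LATIN SMALL LETTER E WITH DOT ABOVE)"), followed by the two benign controls. The skeleton step is the part worth adapting: the accent-stripping shown here covers the Latin-with-diacritic trick used in this campaign, but a production check should use the full Unicode confusable data so that cross-script substitutions are folded as well.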