With help from Google, impersonated Brave.com website pushes malware

With a valid TLS certificate, faux Bravė.com could fool even security-savvy people.

Dan Goodin – Jul 31, 2021 11:46 am | 264

From Google to malware in 10 seconds flat

To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things involving browsers. The ads looked benign enough. As the images below show, the domain shown for one ad was mckelveytees.com, a site that sells apparel for professionals.

But when people clicked on one of the ads, it directed them through several intermediary domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer who works on Brave, said that the file available for download there was an ISO image that was 303MB in size. Inside was a single executable.

VirusTotal immediately showed a handful of antimalware engines detecting the ISO and EXE. At the time this post went live, the ISO image had eight detections and the EXE had 16.

The malware detected goes under several names, including ArechClient and SectopRat. A 2019 analysis from security firm G Data found that it was a remote access trojan that was capable of streaming a user’s current desktop or creating a second invisible desktop that attackers could use to browse the Internet.

In a follow-on analysis published in February, G Data said the malware had been updated to add new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A separate analysis found it had “capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox.”

As shown in this passive DNS search from DNSDB Scout, the IP address that hosted the fake Brave site has been hosting other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com, and xn--brav-8va.com. Those translate into lędgėr.com, sīgnal.com teleģram.com, and bravę.com, respectively. All of the domains were registered through NameCheap.

An old attack that’s still in its prime

Martijn Grooten, head of threat intel research at security firm Silent Push, got to wondering if the attacker behind this scam had been hosting other lookalike sites on other IPs. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He hit on seven additional sites that were also suspicious.

The results, including the punycode and translated domain, are:

xn--screncast-ehb.com—screēncast.com
xn--flghtsimulator-mdc.com—flīghtsimulator.com.
xn--brav-eva.com—bravē.com
xn--xodus-hza.com—ēxodus.com
xn--tradingvew-8sb.com—tradingvīew.com
xn--torbrwser-zxb.com—torbrōwser.com
xn--tlegram-w7a.com—tēlegram.com

Google removed the malicious ads once Brave brought them to the company’s attention. NameCheap took down the malicious domains after receiving a notification.

One of the things that’s so fiendish about these attacks is just how hard they are to detect. Because the attacker has complete control over the punycode domain, the impostor site will have a valid TLS certificate. When that domain hosts an exact replica of the spoofed website, even security-aware people can be fooled.

Sadly, there are no clear ways to avoid these threats other than by taking a few extra seconds to inspect the URL as it appears in the address bar. Attacks using punycode-based domains are nothing new. This week’s impersonation of Brave.com suggests they aren’t going out of vogue any time soon.