Scammers spread malware under the mask of the Brave browser

Google specialists stopped a malicious advertising campaign in which scammers lured users to a fake Brave browser site, where ArechClient (SectopRAT) malware was hiding under the mask of a browser.

To drive traffic to a fake site, scammers bought ads on Google, which were displayed when people searched for something related to browsers.

The researchers say they spotted this cleverly masked ad that redirected visitors to a malicious site. The resource was located at bravė.com, where the word “Brave” was written with the Lithuanian letter “ė” instead of the usual Latin “e”.

Scammers use Punycode to bypass security filters and lull users’ vigilance, and this is not a secret anymore.

Punycode is a standardized method for converting sequences of Unicode characters to ACE sequences, which consist only of alphanumeric characters, as is allowed in domain names.

Punycode was designed to unambiguously convert domain names to a sequence of ASCII characters.

In a modern browser, the malicious domain bravė.com will turn into xn--brav-epa.com, but users can ignore the address bar without noticing the substitution.

Users who visited the fake site found it difficult to distinguish it from the real one because the cybercriminals imitated the look and feel of the legitimate Brave site. The only real difference is that when the user clicks the Download Brave button, malware known as ArechClient and SectopRat is downloaded instead of the browser.according to the journalists of the publication Techradar.

Users were prompted to download a 303MB ISO file, allegedly containing the Brave installer. Oddly enough, the browser was also present in this file, but along with it, ArechClient (SectopRAT) malware was distributed, the main task of which is to steal data from browsers and cryptocurrency wallets.

It is also worth mentioning that after detecting and blocking the attack, the Namecheap registrar, which was used by the attackers, disabled all their domains, including other fraudulent sites, which, for example, masked as official Tor, Signal and Telegram resources (lędgėr.com, sīgnal.com, teleģram.com).

You may also be interested to know that Malware developers increase use of the unusual programming languages.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *