Google has shut down a malicious advertising campaign in which scammers lured users to a fake Brave browser site that served the ArechClient Trojan (SectopRAT) disguised as the browser itself. To drive traffic to the fake site, the scammers bought Google ads that were displayed when people searched for browser-related terms.
Researchers say they spotted the cleverly disguised ad, which redirected visitors to a malicious site hosted at bravė.com, where the word “Brave” was written with the Lithuanian letter “ė” in place of the usual Latin “e”.
It is no secret that scammers abuse Punycode to slip past security filters and lull users into a false sense of security. Punycode is a standardized method for converting sequences of Unicode characters into ACE (ASCII Compatible Encoding) sequences, which consist only of the alphanumeric characters allowed in domain names; it was designed to map internationalized domain names unambiguously to a sequence of ASCII characters.
In a modern browser, the malicious domain bravė.com is displayed as xn--brav-epa.com, but a user who does not look closely at the address bar may never notice the substitution.
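As an added illustration (not part of the original report), the Python script below performs the conversion just described and adds the check a defender would want on top of it: each label is normalized, its diacritics are stripped and the result is compared with a watch list of protected brand names, so an accented Latin look-alike such as bravė.com is flagged even though every character in it is Latin and a plain mixed-script test would let it through. The watch list and the two benign control domains are constructed for the example; the four suspicious domains are the ones named in this report. Note that Python's built-in idna codec emits xn--brav-yva.com for the dotted ė (U+0117); the label xn--brav-epa.com quoted above decodes to an acute-accented é (U+00E9).

```python
"""Flag IDN look-alike domains: ACE conversion, script check, skeleton match.

Added example for this report; the watch list and benign controls below are
constructed, the four suspicious domains are the ones the report names.
"""
import unicodedata

SAMPLE_DOMAINS = [
    "bravė.com",      # from the report: Lithuanian ė (U+0117) in place of e
    "lędgėr.com",     # from the report
    "sīgnal.com",     # from the report
    "teleģram.com",   # from the report
    "brave.com",      # constructed benign control: genuine ASCII name
    "example.org",    # constructed benign control: unrelated ASCII name
]

# Constructed watch list of brand labels worth protecting (not from the page).
PROTECTED_BRANDS = {"brave", "ledger", "signal", "telegram", "tor"}


def to_ace(domain: str) -> str:
    """Return the ASCII Compatible Encoding (xn--...) that DNS and the
    address bar actually use for a Unicode domain name."""
    return domain.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Reduce a label to plain ASCII by stripping diacritics: NFKD splits
    'ė' into 'e' plus a combining dot, and the combining marks are dropped.
    This simplified 'skeleton' catches accented Latin look-alikes; it does
    not catch cross-script ones (e.g. a Cyrillic 'а' standing in for 'a')."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def scripts_in(label: str) -> set:
    """Collect the Unicode scripts (first word of the character name) of the
    letters in a label, so that mixed-script labels can be flagged."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def analyze(domain: str) -> dict:
    """Classify one domain. 'lookalike_of' is set when the second-level
    label is non-ASCII but reduces to a protected brand name."""
    labels = domain.lower().rstrip(".").split(".")
    # Second-to-last label as the registrable name: fine for .com/.org here;
    # production code would consult the Public Suffix List instead.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    is_ascii = sld.isascii()
    skel = skeleton(sld)
    return {
        "domain": domain,
        "ace": to_ace(domain),
        "non_ascii": not is_ascii,
        "mixed_script": len(scripts_in(sld)) > 1,
        "lookalike_of": skel if (not is_ascii and skel in PROTECTED_BRANDS) else None,
    }


def flagged(domains=SAMPLE_DOMAINS) -> list:
    """Return the domains that should be escalated for review."""
    return [r["domain"] for r in map(analyze, domains)
            if r["lookalike_of"] or r["mixed_script"]]


if __name__ == "__main__":
    for r in map(analyze, SAMPLE_DOMAINS):
        print(f'{r["domain"]:>14} -> {r["ace"]:<22} lookalike_of={r["lookalike_of"]}')
```

All four domains from the report are Latin-only, so `mixed_script` is false for every one of them; it is the skeleton comparison against the brand list that flags them, which is why a watch list of protected names, rather than a script check alone, belongs in ad-review or DNS-log tooling.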
The site was an exact copy of the official Brave site, but visitors were offered a 303 MB ISO file supposedly containing the Brave installer. Oddly enough, the file did contain the browser, but the malware was bundled alongside it: ArechClient (SectopRAT), whose main task is to steal data from browsers and cryptocurrency wallets.
It is also worth noting that, once the attack was detected and blocked, the registrar Namecheap, which the attackers had used, disabled all of their domains, including other fraudulent sites that masqueraded as official Tor, Signal and Telegram resources (lędgėr.com, sīgnal.com, teleģram.com).
since this is getting some attention today, just want to add that Namecheap promptly took down the abusive domains (for Brave, Tor, Signal, etc.) and Google blocked their ads not long after these tweets went out.
thanks twitterverse for keeping people safe 🙂
— Yan (@bcrypt) July 30, 2021