Cybercriminals spoof Brave browser website to push malware

Punycode domain and Google ads were used to trick unsuspecting users

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybercriminals have been caught impersonating the website of the privacy-focused browserBravein order to infect unsuspecting users withmalware.

AsreportedbyArs Technica, the cybercriminals behind the attack first registered the domain xn–brav-yva[.]com which uses punycode to represent bravė[.]com. Besides the accent over the ‘e’, this site has adomainwhich appears quite similar to Brave’s own website (brave[.]com).

Users who visited the fake site would have a difficult time differentiating between the two sites as the cybercriminals mimicked both the look and feel of Brave’s legitimate website. The only real difference though is that when a user clicked on the “Download Brave” button, a malware known as both ArechClient and SectopRat would be downloaded instead of thebrowser.

In order to help drive traffic to their fake site, the cybercriminals thenbought ads on Googlethat were shown when users searched for browsers. While the ads themselves didn’t look dangerous, they came from the domain mckelveytees[.]com instead of from brave[.]com. Clicking on one of these ads would send users to several different domains before they eventually landed on bravė[.]com.

Punycode domains

Punycode domains

According to Jonathan Sampson who works as a web developer at Brave, the fake sites prompted users to download a 303MB ISO image that contained a single executable.

While the malware pushed by bravė[.]com is known as both ArechClient and SectopRat, analysis from the cybersecurity firmG Databack in 2019 revealed that it was a remote access trojan (RAT) with the capability to stream a user’s current desktop as well as to create a second invisible desktop that attackers could use. However, since it’s release, the cybercriminals behind the malware have added new features including encrypted communications with C&C servers as well as the ability to steal a user’s browser history from both Chrome and Firefox.

Head of threatintelresearch at the cybersecurity firm Silent Push, Martijin Gooten conducted his own investigation to see if the cybercriminals behind this campaign had registered other lookalike sites to launch further attacks. He then searched for otherpunycode domainsregistered through thedomain registrarNameCheap to discover that fake sites had been registered for the Tor browser, Telegram and other popular services.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

In order to avoid falling victim to this campaign and other similar attacks, users should carefully inspect the web addresses of all of the sites they visit in the address bar of their browsers. While this can be tedious, it’s currently the only way to easily detect lookalike sites that can be used to spread malware and other viruses.

ViaArs Technica

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)