Threat actors used Google Ads to buy top slots on Google's search engine for a fake Brave browser website, which delivered malware in place of the browser's download file.
According to Jonathan Sampson, one of the Brave browser's developers, the fake Brave website appeared at the top of Google search results after threat actors abused Google Ads to spread data-stealing malware.
The threat actors registered the domain xn--brav-yva[.]com, which browsers render from Punycode as bravė[.]com, and used it to spread malware to visitors.
The accent over the letter 'e' was the only visible difference; the rest of the domain was identical to Brave's real website. Visitors therefore had difficulty telling the two apart, since both looked like legitimate Brave sites.
Fake Brave Website Delivering Malware
When a user clicked the Download Brave tab, the malware known as SectopRat (aka 1xxbot, Asatafar, or ArechClient) was downloaded to their device instead of the browser.
According to the cybersecurity firm G Data, which discovered the malware in 2019, SectopRat can stream the victim's existing desktop and create a second, invisible desktop for the attackers to use.
Since the malware's release, its developers have added many new features, such as encrypted communications with C2 servers and theft of browser history from Firefox and Chrome.
How the fake Brave browser site topped Google search results
According to Ars Technica's report, the threat actors drove traffic to the fake Brave website by buying Google ads that appeared when users searched for browser downloads. The ads weren't dangerous on their own.
However, they came from mckelveytees[.]com rather than brave[.]com, and carried a valid TLS certificate. Clicking any of these ads sent the user through a series of other domains before landing on the fake Brave website.
About Punycode Domains
Brave's Sampson revealed that the fake website lured users into downloading a 303MB ISO image containing just one executable.
Meanwhile, Martijn Grooten of the cybersecurity firm Silent Push investigated whether the threat actors behind this campaign had registered other fake sites and Punycode domains for future use, and found lookalike sites registered for Telegram, the Tor browser, and other popular platforms.
Ultimately, the only way to avoid falling victim to this trap is to carefully inspect the web address of every site you use. This is taxing, but it is the only reliable way to spot fake websites that may download malware onto your device.
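To automate the address check described above, here is an added example (not code from the article or from Brave) that decodes Punycode labels the way a browser does and flags hosts whose diacritic-stripped form collides with a protected brand domain; the sample host list and the brand list are constructed for illustration.

```python
import unicodedata

# Constructed sample of hostnames as a DNS or proxy log would record them:
# the Punycode domain from the article, the ad domain it names, and two
# ordinary entries.
SAMPLE_HOSTS = ["brave.com", "xn--brav-yva.com", "mckelveytees.com", "BRAVE.com"]

# Assumed brand list: Brave plus the other platforms the article says were
# impersonated. Extend it for your own environment.
PROTECTED = {"brave.com", "telegram.org", "torproject.org"}

def decode_label(label: str) -> str:
    """Turn one DNS label into Unicode; the 'xn--' prefix marks Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_unicode(host: str) -> str:
    """Render a hostname the way a browser's address bar displays it."""
    return ".".join(decode_label(label) for label in host.split("."))

def skeleton(text: str) -> str:
    """Lowercase, diacritic-free form: NFKD splits 'ė' into 'e' plus a combining
    dot above, and dropping combining marks leaves plain 'e'. Only accented-Latin
    lookalikes are caught; mixed-script homoglyphs need a confusables table (TR39)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def classify(host: str) -> tuple:
    """Return (displayed_name, verdict): 'legitimate', 'lookalike' or 'unrelated'."""
    shown = to_unicode(host)
    plain = skeleton(shown)
    if plain in PROTECTED:
        return shown, "legitimate" if shown.lower() == plain else "lookalike"
    return shown, "unrelated"

def find_lookalikes(hosts):
    """Return (logged_name, displayed_name) for hosts impersonating a brand."""
    flagged = []
    for host in hosts:
        shown, verdict = classify(host)
        if verdict == "lookalike":
            flagged.append((host, shown))
    return flagged

if __name__ == "__main__":
    for host, shown in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host} displays as {shown}: lookalike of a protected domain")
```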