SEE: Hackers use Google Ads to steal $50 million of Bitcoin On the other hand, Silent Push cybersecurity firm’s Martijn Gooten investigated the matter to check whether the threat actors behind this campaign registered other fake sites and Punycode domains for future use and discovered that fake sites were registered for Telegram, Tor browser, and other popular platforms. Image credit: Jonathan Sampson About Punycode Domainsīrave browser’s Sampson revealed that the fake websites lured users to download a 303MB ISO image containing just one executable. If a user clicked on any of these ads, they redirected them to different domains before landing them on the fake Brave website. However, they came from mckelveyteescom and not from bravecom and have a valid TLS certificate. How fake Brave browser site topped Google search results?Īccording to Ars Technica’s report, to drive traffic to this fake version of the Brave website, threat actors bought ads on Google, which appeared when users searched for browser downloads. Since the malware’s release, its developers have added many new features, such as encrypted communications with C2 servers and stealing browser history from Firefox and Chrome. When a user clicked on the Download Brave tab, malware known as SectopRat (aka 1xxbot, Asatafar, or ArechClient) got downloaded on their device instead of the browser.Īccording to cybersecurity firm G Data, which discovered the malware back in 2019, SectopRat could stream a user’s existing desktop and create another invisible desktop for the attackers to use. Image credit: Jonathan Sampson Fake Brave Website Delivering Malware Therefore, users of the fake website had difficulty distinguishing between the two sites as both appeared legitimate Brave sites. The site had an accent over the letter ‘e,’ which was the only dissimilarity, while the rest of the domain was eerily similar to Brave’s original website. This domain used Punycode to denote brave browser as bravėcom. The threat actors tried to spread malware to visitors by registering a domain xn-brav-yvacom. Threat actors used Google Ads to buy top slots on Google search engine to advertise fake Brave browser websites which delivered malware as the browser’s download file.Īccording to one of the Brave browser’s developers Jonathan Sampson, a fake Brave browser website was featured at the top of Google search results after threat actors exploited Google ads to spread data-stealing malware.
0 kommentar(er)
