Cybercriminals manipulate Brave browser site to drive malware

Cybercriminals have been caught impersonating the site of the privacy-focused browser Brave to infect unsuspecting users with malware. As reported by Ars Technica, the attackers first registered the domain xn--brav-yva.com, which uses punycode to represent bravė.com. Apart from the accent on the 'e', this domain looks almost identical to the legitimate Brave site (brave.com). Users who visited the fake site would find it very difficult to tell the two apart, as the cybercriminals mimicked both the look and feel of the legitimate Brave site. The only real difference is that when a user clicks the "Download Brave" button, malware known as ArechClient and SectopRat is downloaded instead of the browser. To drive traffic to their fake site, the cybercriminals bought Google ads that were displayed when users searched for browsers. Although the ads themselves did not look dangerous, they came from the mckelveytees.com domain instead of brave.com. Clicking on any of these ads would send users through several different domains before ultimately landing on bravė.com.
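The trick described above (an ACE label such as xn--brav-yva that decodes to bravė and reads as brave) can be caught by decoding every label and comparing a diacritic-stripped "skeleton" against a list of domains you want to protect. The following is an added example written for this article, not code from Ars Technica, Brave or Silent Push; the protected list and the small confusables map are constructed assumptions, and the map goes slightly beyond the article by also folding a few Cyrillic letters that render like Latin ones.

```python
import unicodedata

# Constructed list of legitimate domains to protect; brave.com is the site the article names.
PROTECTED = {"brave.com"}

# Illustrative cross-script confusables (Cyrillic letters that look like Latin ones).
# Assumption: this is a tiny sample, not a complete confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def decode_idn_label(label: str) -> str:
    """Return the Unicode form of an ACE label such as 'xn--brav-yva'; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label: str) -> str:
    """Crude confusable skeleton: drop combining marks (accents), map confusables, fold case."""
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(CONFUSABLES.get(ch, ch) for ch in decomposed if not unicodedata.combining(ch))
    return base.casefold()


def analyse(hostname: str) -> dict:
    """Decode every label, build the skeleton and flag names that collapse onto a protected domain."""
    raw_labels = hostname.strip(".").split(".")
    labels = [decode_idn_label(label) for label in raw_labels]
    unicode_name = ".".join(labels)
    skel = ".".join(skeleton(label) for label in labels)
    return {
        "unicode": unicode_name,
        "skeleton": skel,
        # True when any label was punycode-encoded or carries non-ASCII characters.
        "idn": not unicode_name.isascii(),
        # A lookalike collapses onto a protected domain without actually being that domain.
        "lookalike": skel in PROTECTED and unicode_name.casefold() != skel,
    }


if __name__ == "__main__":
    # Sample hostnames taken from the article plus the legitimate site for comparison.
    for host in ["xn--brav-yva.com", "brave.com", "mckelveytees.com"]:
        print(host, analyse(host))
```

The same check can be run over proxy or DNS logs to surface newly registered lookalikes of your own brands, which is the kind of search Silent Push performed for Tor Browser and Telegram.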

Punycode domains

According to Jonathan Sampson, a web developer at Brave, the fake site tricked users into downloading a XNUMXMB ISO image containing a single executable. The malware pushed by bravė.com is known as both ArechClient and SectopRat; an analysis by the cybersecurity company G Data in XNUMX found it to be a Remote Access Trojan (RAT) capable of streaming a user's current desktop and of creating a second, invisible desktop that attackers could use. Since that analysis, the cybercriminals behind the malware have added new features, including encrypted communications with its C&C servers and the ability to steal a user's browser history from Google Chrome and Mozilla Firefox. Martijn Grooten, head of threat intelligence research at the cybersecurity firm Silent Push, conducted his own investigation to see whether the cybercriminals behind this campaign had registered other lookalike sites to launch new attacks. He searched other punycode domains registered through the domain registrar Namecheap and found that fake sites had been registered for Tor Browser, Telegram and other popular services. To avoid falling victim to this campaign and related attacks, users should carefully inspect the web address of every site they visit in their browser's address bar. Although this is tedious, it is currently the easiest way to spot lookalike sites that can be used to spread malware and other threats.

Via Ars Technica