As reported by Ars Technica, the cybercriminals behind the attack first registered the domain xn--brav-yva[.]com which uses punycode to represent bravė[.]com. Besides the accent over the ‘e’, this site has a domain which appears quite similar to Brave’s own website (brave[.]com).
Users who visited the fake site would have a difficult time differentiating between the two sites as the cybercriminals mimicked both the look and feel of Brave’s legitimate website. The only real difference though is that when a user clicked on the “Download Brave” button, a malware known as both ArechClient and SectopRat would be downloaded instead of the browser.
In order to help drive traffic to their fake site, the cybercriminals then bought ads on Google that were shown when users searched for browsers. While the ads themselves didn’t look dangerous, they came from the domain mckelveytees[.]com instead of from brave[.]com. Clicking on one of these ads would send users to several different domains before they eventually landed on bravė[.]com.
According to Jonathan Sampson who works as a web developer at Brave, the fake sites prompted users to download a 303MB ISO image that contained a single executable.
While the malware pushed by bravė[.]com is known as both ArechClient and SectopRat, analysis from the cybersecurity firm G Data back in 2019 revealed that it was a remote access trojan (RAT) with the capability to stream a user’s current desktop as well as to create a second invisible desktop that attackers could use. However, since it’s release, the cybercriminals behind the malware have added new features including encrypted communications with C&C servers as well as the ability to steal a user’s browser history from both Chrome and Firefox.
Head of threat intel research at the cybersecurity firm Silent Push, Martijin Gooten conducted his own investigation to see if the cybercriminals behind this campaign had registered other lookalike sites to launch further attacks. He then searched for other punycode domains registered through the domain registrar NameCheap to discover that fake sites had been registered for the Tor browser, Telegram and other popular services.
In order to avoid falling victim to this campaign and other similar attacks, users should carefully inspect the web addresses of all of the sites they visit in the address bar of their browsers. While this can be tedious, it’s currently the only way to easily detect lookalike sites that can be used to spread malware and other viruses.
Via Ars Technica