Google Shuts Down Malicious Ad Distributing Brave Browser Infected With RAT


Google has blocked an ad for a website that tried to trick users into installing a fake version of the Brave browser. The malicious website was delivering ArechClient Remote Access Trojan (SectopRAT).

Google said it has taken down the ad for the website spreading the virus.

The cleverly disguised ad targeted Internet users who were searching Google to download the Brave browser. The ad redirected users to a malicious site, which tricked them into downloading a fake version of the installer.

The website was hosted at a domain name that had “Brave” spelled with the letter ė (with a dot on top) instead of a regular Latin letter e: bravė.com

After clicking on the site, the victims were greeted by an image that claimed to contain the Brave installer.

Bart Blaze, a security researcher, discovered that besides Brave, the installer included a version of the ArechClient malware, which can be used to install arbitrary software.

The main purpose of the malware is to steal data from crypto-wallets and browsers, the security researcher told The Record.

It included several anti-VM and anti-emulator capabilities that were designed to prevent security solutions from detecting it.

Once installed, the malware tries to steal cryptocurrency from users by tricking them into changing their passwords, thus stealing them, and advising them to transfer funds to new addresses.

“We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands. In this case, we immediately removed the ad and suspended the advertiser account,” Google reportedly said.

After news of the attack spread, Namecheap, the registrar of bravė.com, took down the domain used by the attackers.

This type of threat, called an IDN homograph attack, occurs when a threat actor registers a domain containing internationalized characters that look similar to letters of the Latin alphabet. Such attacks have been happening for more than a decade, since internationalized glyphs were approved for use in domain names.
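A defender can flag this kind of lookalike in ad URLs, proxy logs or DNS logs by reducing each hostname to the plain Latin string a reader would perceive and comparing it with a list of protected brands. The following is an added example, not code from the article or from Google or Brave; `PROTECTED`, `CONFUSABLES`, `skeleton` and `check_domain` are hypothetical names, and the check goes beyond the article's accented-letter case to cover a few Cyrillic lookalikes.

```python
import unicodedata

# Assumption: a defender-maintained allowlist of brand domains to protect.
PROTECTED = {"brave.com"}

# Small illustrative subset of Cyrillic letters that render like Latin ones.
# (Constructed for this example; not a complete confusables table.)
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})

def skeleton(label: str) -> str:
    """Reduce a label to the plain Latin string a reader would perceive."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES).lower()

def check_domain(domain: str) -> dict:
    """Classify a hostname taken from an ad URL, proxy log or DNS log."""
    domain = domain.strip().rstrip(".").lower()
    try:
        # Logs usually carry the xn-- (A-label) form; decode it for comparison.
        uni = domain.encode("ascii").decode("idna") if domain.isascii() else domain
        ascii_form = uni.encode("idna").decode("ascii")
    except UnicodeError:
        return {"domain": domain, "verdict": "invalid"}
    skel = ".".join(skeleton(label) for label in uni.split("."))
    if uni in PROTECTED:
        verdict = "legitimate"
    elif skel in PROTECTED:
        verdict = "homograph"
    else:
        verdict = "unrelated"
    return {"domain": uni, "ascii": ascii_form, "skeleton": skel, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample input: the article's lookalike plus control cases.
    for name in ["brav\u0117.com", "brave.com", "br\u0430ve.com", "example.org"]:
        print(check_domain(name))
```

The `ascii` field is the Punycode form that appears in certificates, DNS queries and most log sources, so the same function can be run over either representation.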

About the author

CIM Team
