Google has blocked an ad for a website that tried to trick users into installing a fake version of the Brave browser. The malicious website was delivering ArechClient Remote Access Trojan (SectopRAT).
Google said it has taken down the ad for the website spreading the virus.
The cleverly disguised ad targeted Internet users who were searching on Google to download the Brave browser. The ad redirected users to a malicious site that tricked them into downloading a fake version of the installer.
The website was hosted at a domain name that had “Brave” spelled with the letter ė (with a dot on top) instead of a regular Latin letter e: bravė.com
After clicking on the site, the victims were greeted by an image that claimed to contain the Brave installer.
Bart Blaze, a security researcher, discovered that besides Brave, the installer included a version of the ArechClient malware, which can be used to install arbitrary software.
The main purpose of the malware is to steal data from crypto-wallets and browsers, the security researcher told The Record.
It included several anti-VM and anti-emulator capabilities that were designed to prevent security solutions from detecting it.
Once installed, the malware tries to steal cryptocurrency from users by tricking them into changing their passwords – thus stealing them – and advising them to transfer funds to new addresses.
“We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands. In this case, we immediately removed the ad and suspended the advertiser account,” Google reportedly said.
After news of the attack spread, Namecheap, the registrar of bravė.com, took down the domain used by the attackers.
This type of threat, called an IDN homograph attack, occurs when a threat actor registers a domain containing internationalized characters that resemble letters of the Latin alphabet. Such attacks have been happening for more than a decade, since internationalized glyphs were approved for use in domain names.
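As an added illustration (not from the original report or from any party named in it), the following Python example shows how a defender could flag a name like the one above: it converts a domain to the Punycode form that DNS sees and compares a diacritic-stripped version against a watchlist. The watchlist, function names and sample domains are assumptions constructed for this example.

```python
import unicodedata

# Constructed watchlist of brand domains to protect (an assumption of this example).
PROTECTED = {"brave.com"}

def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of the name, as DNS and registrars see it."""
    return domain.encode("idna").decode("ascii")

def skeleton(domain: str) -> str:
    """Lower-case, decompose (NFKD) and drop combining marks, so that
    an accented letter such as U+0117 collapses to its base letter."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def classify(domain: str) -> str:
    """Return 'protected', 'lookalike', 'review' or 'unrelated'."""
    name = domain.lower().rstrip(".")
    if name in PROTECTED:
        return "protected"
    if skeleton(name) in PROTECTED:
        return "lookalike"  # differs from a protected name only by diacritics
    if not name.isascii():
        # Cross-script homoglyphs (e.g. Cyrillic U+0430 for "a") do not
        # decompose to Latin letters; surface them for manual review.
        return "review"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample input: the real brand, the accented lookalike
    # described in the article, a Cyrillic variant, and an unrelated name.
    samples = ["brave.com", "brav\u0117.com", "br\u0430ve.com", "example.org"]
    for d in samples:
        print(f"{to_punycode(d):22} {classify(d)}")
```

Stripping diacritics only catches accented variants of Latin letters; names built from other scripts fall into the "review" bucket and need a confusables table or manual inspection.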