CyberWire Daily - Riding the hype for new Arc browser. [Research Saturday]
Episode Date: June 8, 2024
Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, is discussing their work on "Threat actors ride the hype for newly released Arc browser." The Arc browser, newly released for Windows, has quickly garnered positive reviews but has also attracted cybercriminals who are using deceptive Google search ads to distribute malware disguised as the browser. These malicious campaigns exploit the hype around Arc, using techniques like embedding malware in image files and utilizing the MEGA cloud platform for command and control, highlighting the need for caution with sponsored search results and the effectiveness of Endpoint Detection and Response (EDR) systems. The research can be found here: Threat actors ride the hype for newly released Arc browser
Transcript
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
I'm keeping my eye on, in particular, what's trending through Google searches.
And I noticed, I actually had not heard of the Arc browser before, although I know it's been available for the Mac for almost a year, I think. So this is kind of how I came
across it. And I thought it was interesting to see that threat actors were hijacking that brand pretty quickly.
That's Jerome Segura, Senior Director of Threat Intelligence at Malwarebytes.
The research we're discussing today is titled
Threat Actors Ride the Hype for Newly Released Arc Browser.
Well, I mean, let's walk through it here together.
I mean, suppose I'm a Windows user and I decide that the Arc browser is something that I want to check out.
And I go online to search for it.
What might happen?
So, yeah, most people are going to look, do a search, probably in Google, being the most popular search engine.
So you go to Google, you search for Arc browser,
and depending on your location
and other factors, you may or may not see one
or multiple ads. But in this case,
I was able to reproduce this attack time and time again.
So I think it was pretty widespread. So as a user, what you'll see is the search results
at the top, you'll see something called sponsored, which means it's an ad. It's a result that was paid for by an advertiser.
And those usually appear before the organic search results.
By organic, we mean those websites that have been crawled and indexed by Google.
So yeah, the ad appears at the top.
And the ad could be from any advertiser out there.
It could, you know, most of the time we see...
Actually, it's funny because a lot of the time when, you know,
users will do a search for a browser,
they'll see a competitor in an ad.
So if you go to Bing, for example,
you search for Chrome, you're going to see an ad for Edge. And if you go to Google, you search for a browser other than Chrome,
you might see an ad for Chrome. But in this case, so you look for the Arc browser and
the ad that was shown, and there are several variations of that ad, looked entirely legitimate.
By that, I mean, you're looking at a couple of indicators.
One is the logo.
So the logo in the ad actually matches the brand for Arc.
And then you look, perhaps the more important one, you look at the URL that's shown
on the ad and it is arc.net, which happens to be the official website for Arc browser.
Wow. All right. So I see this ad and I'm trying to be careful. So I'm checking for that URL and
that seems legit to me. And I think to myself, okay, well, this is it. I click through.
What happens next? So when you click on the ad, the majority of users will not see what happens
behind the scenes, but what's happening is a series of redirects. So the click on the ad URL itself will send you to another URL that will check for a few
things.
Most of the time what we see is threat actors like legitimate advertisers will use click
tracking services.
So these are marketing tools that, you know, the goal is to collect analytics on clicks, but also to make sure
that the clicks are from real people.
So anything like a bot or a crawler will be discarded.
So the bad actors will use those, you know, generally to actually avoid crawlers like
Google, which is kind of smart.
But if you are a legitimate user, it proceeds with the chain of redirects.
And eventually, what you see on your screen is the homepage for Arc,
which is pretty much a replica of the official one.
In this case, the domain name was different, though. So if you did pay attention to your URL in the browser,
you will see a very small difference in the domain name.
But it's subtle enough that you may actually not notice it.
This is a type of attack that we would call typosquatting.
So you change a letter in the domain name,
or maybe if it contains an I, you use an L,
something that looks similar.
And so, yeah, you have that page,
and you have the big download button,
and that's where most people are going to click on
to install what they think is the Arc browser,
but it's actually not.
Well, and looking through your research here, I mean, these typo
squatted pages, I mean, they look like the real thing. There's nothing that
jumps out at me that there'd be anything amiss here.
Exactly. And, you know, I think it's
attackers have been creative over the years.
I've seen attacks that were really clever, actually,
where they use something we call international domain names.
So think about the fonts that you can use,
and certain fonts for different alphabets have special characters.
And so an A from the, you know,
Latin alphabet or English alphabet is an A,
but maybe in Cyrillic,
an A with a little dot on it
has a different meaning,
but visually will look the same.
So they can use certain things like that,
which again makes it very difficult
for users to spot.
And I think also one piece of advice
that has been given over the years,
over and over again,
which I think we need to kind of debunk now,
is that if there is a padlock or if it's HTTPS,
that means it's secure.
Well, the site is secure, all right.
I mean, the connection is secure,
but you are on a malicious site.
So it's malicious and secure at the same time. But it has nothing to do with the site being legitimate or not.
Right.
Everything between you and the bad guys is properly encrypted.
Exactly.
Yeah.
So I go ahead and I click this download button.
Where does that leave me next?
So it will download an installer on your machine
in the Downloads folder.
You know, the installer, people will run the installer.
It has a nice little trick where it will actually retrieve
the real installer from Arc browser
while also loading malicious code.
So the victim actually will get the impression
that they are installing the proper program,
but there is something more nefarious
that's happening in the background.
And you're not really seeing anything.
It's very well done.
And it happens, the payload will be downloaded from a remote website.
And then I describe in the research a bit more information about the payload.
And I've actually seen a few variations as well.
But it's a payload that is very similar to what we've seen for a long time,
which is a type of stealer.
So something that will rob all your credentials,
anything that's on your machine,
like cookies from your browsers and things like that.
How stealthy are they trying to be here?
When they're loading the legit browser,
but then also their own info stealer behind the scenes,
are they being intentional about trying to avoid things like antivirus?
Yeah, they usually are.
And I think the way that installer itself,
what we've seen time and time again
is they use digital signatures.
So they sign the file
with a legitimate
or rather a valid signature
from one of the certification authorities,
which means that
the file will be trusted
by the operating system.
It doesn't mean that the file is clean.
It's just because it has a certificate, it is trusted.
And unfortunately, it's not that hard for malicious actors
to sign their malware binaries with certificates.
They can do that either by stealing the account of a legitimate developer or simply
creating a new account with a fake identity and then signing those files. So the chances of the
file being undetected are pretty high, especially when the attack has just happened, you know, in the next
few hours. And then what we see typically is at some point, security products will start, you know,
picking up the detection. But by then, you know, probably hundreds of people have already been
infected. We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
Help me understand an element of this here. Going back to the initial ad that runs on Google, the fact that that ad has
the actual URL for the legitimate Arc web browser, is that just a matter that the bad guys can put
in whatever they want into that particular field? Yes, that's actually, for me, it's one of the most interesting things and perhaps one
area where Google could do better.
And I've researched it a little bit.
How is this possible?
Researched it to the point where I tried to reproduce it myself.
Essentially, you create an account with your AdSense, Google AdSense,
and then there's a couple of fields that you have to fill in. One of them is what they call the
display URL. So the display URL is what you see on the ad. And that display URL can be anything.
But there is a condition where if you're going to use a
display URL, so for example, here, arc.net, what Google calls the final URL, which is what happens
after you click on the ad, they must match, they must have the same domain.
Although Google will not allow you to do that. So based on that, you're like, okay,
how, if I want to impersonate a brand,
I have to use the same final URL
as the one that's displayed to users.
So how can I reroute traffic
in a way that Google will not see?
And there is yet another feature part of Google Ads,
which is called a tracking template.
And this is what I was mentioning earlier.
It's essentially marketing analytics.
So you are allowed to use tracking templates where right after somebody clicks on the ad,
they will be redirected to that service.
And there are dozens and dozens of companies
that provide this kind of service.
And the majority of these companies are legitimate.
They just provide you click data,
where your users are from.
They're able to detect bot traffic, VPNs, things like that.
So it's a legit service. But there is a feature in that service that allows you to then choose
where you're sending users next.
And that's where the malicious action happens, is threat actors essentially
will point the analytics URL to another domain, that domain they control. And usually they're
smart enough not to make that domain malicious yet. It's just a sort of intermediary. But they control that domain.
Both Google and
the tracking analytics service,
actually, Google has already
lost visibility. The tracking service
only sees that next
domain. And then what happens
is the attacker from that domain
can then
place another redirect,
which this time will be to their malicious webpage.
So I know it's hard to describe it with words,
but essentially, to kind of summarize it,
when you click on the ad,
you will never reach your final destination.
You will never reach the legitimate website
thanks to a tracking template
that is able to reroute traffic. And Google actually supports this as a full feature,
and it's being abused extensively. And I think that's a huge problem. And for me,
the biggest problem, I guess, is because of this feature, anybody, including myself,
you can create an ad for a brand or popular brand
and get away with it,
even though you don't actually own the brand.
And that's just, you know, for users,
that's just really, really misleading.
You know, if the ad was the same Arc browser ad,
but had a completely different
URL that was not the legitimate website, I would say, okay, Google let an ad slip through.
That was malicious. But at least the URL the users see is not the official one. But in
all these cases, it is the official URL. So really, there is no chance for users to not fall for it.
Wow. It's really frustrating, isn't it? I mean, it makes me wonder how much of this kind of falls on
Google's responsibility here to do a better job. And I know, you know, a company of their size will
say, well, this is hard to handle at scale. And I get that,
but then maybe you shouldn't do this at scale, right?
Well, yeah, I think, you know,
I've reported hundreds of malicious ads
over the past few years.
And I guess the thing that I'm always surprised is how,
and it's not just me,
I think it's really anybody,
could, if you know what you're looking for, you could just go out there, do a search,
and have a very high chance of finding a malicious ad.
In fact, somebody earlier was messaging me about an application thinking,
I think they were seeing some of their customers that had downloaded a malicious installer
for that application,
and they believed that it was from an ad.
And I looked at the name of the application,
which actually was a new one for me.
I went on Google.
I did a search.
The first search, the first try,
top result, sponsored malicious ad.
So that to me, if it's that easy to find
and Google is not identifying those,
we have a problem.
Yeah.
Right?
Sure.
Yeah.
Well, what are your recommendations here?
I mean, let's suppose I'm somebody who's leading an organization when it comes to security.
How do I put the word out to the folks in my organization to best protect themselves against this sort of thing?
Well, there's different mitigation strategies you can do.
I think one of them is looking at the behavior for your users.
Do you really want your users to be googling software to download on their work machines?
Probably not.
Not just because of potential malicious ads, but also there's other dangers.
There's a lot of sites that rank high in search results page using things like SEO poisoning attacks.
And there's a bunch of affiliates and other, there's just so many potential dangerous avenues to go through that way.
So my recommendation is that you provide your users a safe repository of the apps that they will need.
So things like Zoom, WebEx, look at your risk surface.
I guess the level of risk with malicious ads, you know, in general, not just related to software downloads.
Is there a way that you can mitigate those?
So for home users, typically we think of, we have ad blockers, things like browser extensions that we can use.
In the enterprise world, it's a little bit different.
I don't think the adoption of ad blockers is the same.
And it may not be the ideal solution either
because you're trusting an extension
that could be compromised.
So if you're running a large network of endpoints,
you may not want to install just any extension.
So there are other solutions that you can do.
For example, use DNS filtering.
That also has the benefit of not having to install anything
in the browser on each endpoint.
And I think that's
a pretty powerful solution
because most companies
already have some kind of DNS
filtering. If you add
domains that are
serving ads, whether it's
Google or Bing or
what have you, you can really cut on a number of attacks doing that blocking just through network traffic.
Our thanks to Jerome Segura, Senior Director of Threat Intelligence at Malwarebytes, for joining us.
The research is titled Threat Actors Ride the Hype for Newly Released Arc Browser.
We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's Research Saturday brought to you by N2K CyberWire.
Our thanks to Jerome Segura from Malwarebytes for joining us.
The research is titled Threat Actors Ride the Hype for Newly Released Arc Browser.
We'll have a link in the show notes.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged
that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in
the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence
and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. Simone Petrella is our president, Peter Kilby is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.