The results, including the punycode and translated domain, are: He hit on seven additional sites that were also suspicious. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. Martijn Grooten, head of threat intel research at security firm Silent Push, got to wondering if the attacker behind this scam had been hosting other lookalike sites on other IPs.
All of the domains were registered through NameCheap.Įnlarge An old attack that’s still in its prime Those translate into lędgėr.com, sī teleģram.com, and bravę.com, respectively. A separate analysis found it had “capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox.”Īs shown in this passive DNS search from DNSDB Scout, the IP address that hosted the fake Brave site has been hosting other suspicious punycode domains, including, ,, and. In a follow-on analysis published in February, G Data said the malware had been updated to add new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A 2019 analysis from security firm G Data found that it was a remote access trojan that was capable of streaming a user’s current desktop or creating a second invisible desktop that attackers could use to browse the Internet. The malware detected goes under several names, including ArechClient and SectopRat.
0 kommentar(er)
