A new Google Ads malvertising campaign has targeted the newly released Arc web browser for Windows. According to reports, the campaign tricks users into downloading trojanised installers that deploy malware payloads.
The Arc browser is a new web browser with an unconventional user interface design that clearly distinguishes it from earlier browsers. It was released in July 2023 for macOS and received positive reviews from the tech press and users, which made its Windows release an anticipated event.
Cybercriminals saw an opportunity in the Arc web browser launch.
According to investigations, fraudsters and scammers prepared for the Windows launch by placing malicious advertisements on Google Search that entice people to download the new browser.
Researchers explained that Google’s ad platform has a weakness that lets threat actors run ads that display legitimate URLs. The research showed that the actors used promoted (sponsored) results for the search phrases “arc installer” and “arc browser windows” that displayed the correct URL for Arc. However, after clicking the ad, searchers are redirected to typo-squatted domains that resemble the original website.
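The displayed-URL-versus-landing-URL mismatch described above is something a defender can check for automatically. The following is an added example (not code from the original report or from any named vendor) that compares the domain an ad shows with the domain a click finally lands on and classifies the result as a clean landing, a lookalike domain, or an unrelated redirect. The legitimate domain used here, `arcbrowser.example`, is a constructed placeholder, and the registrable-domain extraction is a deliberate simplification that ignores multi-label public suffixes.

```python
from urllib.parse import urlparse

# Constructed placeholder for the brand's legitimate domain (not Arc's real site).
LEGIT_DOMAIN = "arcbrowser.example"


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host.

    Simplification: this ignores multi-label public suffixes such as co.uk;
    a production check would consult the Public Suffix List instead.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_landing(displayed_url: str, landing_url: str,
                     legit_domain: str = LEGIT_DOMAIN) -> str:
    """Compare the domain an ad displays with the domain the click lands on.

    Returns 'ok' when the landing domain is the legitimate one,
    'lookalike' when it imitates the displayed brand (brand name embedded in
    the host, or within two edits of it), and 'redirect-mismatch' otherwise.
    """
    shown = registrable_domain(displayed_url)
    landed = registrable_domain(landing_url)
    landed_host = (urlparse(landing_url).hostname or "").lower()
    if landed == legit_domain:
        return "ok"
    shown_name = shown.split(".")[0]
    landed_name = landed.split(".")[0]
    # Subdomain trick: the real domain appears as a prefix of an attacker-controlled host.
    if legit_domain in landed_host:
        return "lookalike"
    # Typo-squat: brand name embedded in, or a couple of edits away from, the landing name.
    if shown_name in landed_name or edit_distance(shown_name, landed_name) <= 2:
        return "lookalike"
    return "redirect-mismatch"


if __name__ == "__main__":
    # Constructed sample pairs: what the ad showed vs. where the click ended up.
    samples = [
        ("https://arcbrowser.example/", "https://arcbrowser.example/download"),
        ("https://arcbrowser.example/", "https://arcbrowsers.example/installer"),
        ("https://arcbrowser.example/", "https://arcbrowser.example.evil-host.test/"),
        ("https://arcbrowser.example/", "https://downloads-hub.example/arc"),
    ]
    for shown_url, final_url in samples:
        print(f"{final_url:55} -> {classify_landing(shown_url, final_url)}")
```

In practice the landing URL is whatever the browser ends up at after following the ad's redirect chain, so this check belongs wherever that final URL is visible: a proxy log, a browser extension, or a sandbox that clicks sponsored results.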
Once a user presses the “download” button, a trojanised installer is downloaded from the MEGA hosting platform; the installer then fetches an additional malicious payload, bootstrap.exe, from an external location.
The campaign abuses the MEGA API for command-and-control (C2) operations, such as sending and receiving commands and data. The installer retrieves a PNG file containing malicious code that compiles and drops the final payload, ‘JRWeb.exe’, onto the victim’s system.
Furthermore, the researchers discovered a second infection chain in which the installer uses a Python executable to inject code into msbuild.exe, which then contacts an external site to fetch commands to execute. The analysts believe the final payload in these attacks is an infostealer, but they still need additional evidence to confirm that suspicion.
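The two infection chains above give a defender several concrete things to look for in endpoint telemetry: the payload names bootstrap.exe and JRWeb.exe, a freshly downloaded binary talking to MEGA, msbuild.exe being started or injected into by a Python process, and msbuild.exe making its own outbound connections. The following is an added example (not code from the original report or from any vendor) that runs those rules over a handful of constructed Sysmon-style events. The MEGA domain suffixes, the field names and the sample events are assumptions made for the example, not indicators taken from the article.

```python
import ntpath

# Payload names reported in the campaign (from the article).
PAYLOAD_NAMES = {"bootstrap.exe", "jrweb.exe"}
# Assumed MEGA domains for the example; adjust to the hosts seen in your own telemetry.
MEGA_SUFFIXES = ("mega.nz", "mega.co.nz")

# Constructed Sysmon-style events (not real telemetry). Event kinds loosely mirror
# Sysmon process creation, network connection and CreateRemoteThread records.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\u\Downloads\ArcSetup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "network_connect", "image": r"C:\Users\u\Downloads\ArcSetup.exe",
     "dest_host": "api.mega.co.nz"},
    {"event": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\bootstrap.exe",
     "parent": r"C:\Users\u\Downloads\ArcSetup.exe"},
    {"event": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\JRWeb.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\bootstrap.exe"},
    {"event": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\python.exe"},
    {"event": "create_remote_thread", "source_image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"event": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest_host": "c2-placeholder.example"},
    # Benign control: a browser reaching MEGA from Program Files should not fire.
    {"event": "network_connect", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_host": "mega.nz"},
]


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path or "").lower()


def host_is_mega(host):
    h = (host or "").lower()
    return any(h == s or h.endswith("." + s) for s in MEGA_SUFFIXES)


def detect(events):
    """Apply the campaign-specific rules and return one alert per match, in event order."""
    alerts = []
    for e in events:
        kind = e.get("event")
        image = base(e.get("image"))
        if kind == "process_create":
            parent = base(e.get("parent"))
            if image in PAYLOAD_NAMES:
                alerts.append({"rule": "named-payload", "image": image})
            # Coarse proxy for the Python-to-msbuild chain: a Python parent starting msbuild.
            if image == "msbuild.exe" and parent.startswith("python"):
                alerts.append({"rule": "msbuild-spawned-by-python", "image": image})
        elif kind == "network_connect":
            host = e.get("dest_host")
            # msbuild.exe has no business reaching the internet outside a build pipeline.
            if image == "msbuild.exe":
                alerts.append({"rule": "msbuild-network", "image": image, "host": host})
            # A binary run straight out of Downloads contacting MEGA matches the installer stage.
            if host_is_mega(host) and "\\downloads\\" in (e.get("image") or "").lower():
                alerts.append({"rule": "downloaded-binary-contacts-mega", "image": image, "host": host})
        elif kind == "create_remote_thread":
            # The injection itself: a remote thread created inside msbuild.exe.
            if base(e.get("target_image")) == "msbuild.exe":
                alerts.append({"rule": "remote-thread-into-msbuild", "image": base(e.get("source_image"))})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The process-creation rule is only a coarse stand-in; the report describes code injection, which is why the CreateRemoteThread-style rule is the one that actually captures that step. The MEGA rule is scoped to binaries running from the Downloads folder to keep a legitimate MEGA client or browser from tripping it.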
Threat actors capitalise on the anticipation surrounding new software releases; this is not a new tactic, but it remains effective for spreading malware. Users who want to download newly released software should therefore avoid promoted Google Search results, use an ad blocker to hide them, and bookmark the official project website so they do not end up installing a fake, malicious product.
Users should also verify the legitimacy of the domains from which they intend to download installers and scan downloaded files with an up-to-date anti-virus (AV) solution before running them.