Google Chrome has been the dominant web browser for years now, which is why it may come as a surprise to hear of a startup, not even based in Silicon Valley, called The Browser Company, offering a new take on the “window to the internet.”
The Arc browser has been available for MacOS since July 2023, but the Windows version was only released two weeks ago.
What’s unique is the hype around Arc and the glowing reviews it has earned in a relatively short period.
Arc Browser Earns Industry Accolades
The Browser Company made a big splash with its new take on the browser.
There is no doubt that the hype plays a big factor in user adoption, but reviews from top publications are also a big driving force.
According to ThreatDown's report, while the Mac version of the Arc browser was already available, the Windows release was announced just a couple of weeks ago.
Researchers observed an ad campaign impersonating the Arc browser that looks entirely legitimate with the official logo and website.
A search for “arc installer” or “arc browser windows” resulted in the following two ads being shown:
[Image: Fake Arc Browser Ad]
Using Google’s Ad Transparency Center, I connected them to the following advertiser from Ukraine.
The threat actor already registered domain names that victims will be redirected to. The template even includes some of the news headlines celebrating the Windows release.
Malware Payload
When you download “Arc for Windows” from these websites, you are downloading malware. In this case, the threat actor used a unique way of packaging their malware that researchers had not seen before.
The main installer (ArcBrowser.exe) is an executable that itself contains two other executables. As part of the decoy, one will retrieve a Windows installer for the legitimate Arc software.
In the background, Arc.exe contacts the cloud platform MEGA via its developer’s API. The threat actor uses MEGA as a command and control server to send and receive data.
The first query authenticates the threat actor (they are using a disposable email address from yopmail):
https://g[.]api[.]mega[.]co[.]nz/cs?id=[][{"a":"us0","user":"vivaldi.dav@yopmail[.]com"}]
It is followed by a series of encoded queries and responses, presumably containing the user data.
Next is a request to a remote site to download the next stage payload:
theflyingpeckerheads[.]com/bootstrap.exe
Once that payload is executed, it retrieves a fake PNG image that hides malicious code:
theflyingpeckerheads[.]com/924011449.png
Researchers obtained yet another payload, dropped to disk as JRWeb.exe. While working on this sample, they saw another version of the bootstrap.exe file which did not retrieve a PNG file.
This file was downloaded from the same location, with the same name but had a different size. That second version uses a legitimate Python executable to inject code into MSBuild.exe, just like the previous one.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
At that point, the malware will query a paste site to retrieve a malicious IP address (presumably another command and control server):
https://textbin[.]net/raw/it4ooicdbv
The paste was first created in February and has 4.5K views.
The payload is likely dropping an information stealer based on similar previous attacks.
ThreatDown’s customers have already been protected thanks to detecting the malicious bootstrap.exe process.
Some of the best social engineering attacks happen when well-known brands lure users.
Researchers have seen countless cases of brand impersonations via malicious ads targeting different types of victims.
However, online criminals will also leverage newer brands that are trending, and Arc is the perfect example of a new piece of software that many people will be looking to try out.
It is more important than ever to be highly cautious regarding sponsored results.
Oftentimes, there is no easy way to determine whether an ad is legitimate or not.
Criminals can create malicious installers that can evade detection and lead to compromise via a series of steps.
Fortunately, this is also where Endpoint Detection and Response (EDR) can be helpful, as a set of events can be tied to an actual attack.
IOCs:
Decoy sites
ailrc[.]net
aircl[.]net
Malicious Arc installer
ArcBrowser.exe
3e22ed74158db153b5590bfa661b835adb89f28a8f3a814d577958b9225e5ec1
Arc.exe loads the Windows installer for the legitimate Arc Browser via
revomedia[.]com/Arc.appinstaller
Followup payload
theflyingpeckerheads[.]com/bootstrap.exe
b8ae9aa480f958312b87877d5d44a9c8eac6a6d06a61ef7c51d4474d39357edb
34f4d749af50678a0bda6f38b0c437de3914a005f0d689aa89769c8c9cb8b264
Bootstrap.exe downloads PNG from
theflyingpeckerheads[.]com/924011449.png
018dba31beac15518027f6788d72c03f9c9b55e0abcd5a96812740bcbc699304
Final payload
JRWeb.exe
6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf
C2
185.156.72[.]56
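The article's closing point is that EDR can tie this chain of individually unremarkable events (an installer, a cloud API call, a download, a LOLBin) into one attack. The following Python script is an added example, not ThreatDown's or any vendor's code, showing how a defender could do that: it refangs the IOCs published above, matches them against EDR-style telemetry (process, file, network and injection events), adds a behavioural rule for the python.exe-to-MSBuild.exe injection described in the article, and reconstructs the process lineage behind each hit. The event records and their field names are a constructed, simplified schema, and the sample telemetry is invented for the demonstration; only the domains, URL, IP and hashes come from the IOC list.

```python
import re

# IOCs as published in the article (defanged). Refang only in memory for matching.
IOC_DOMAINS = {"ailrc[.]net", "aircl[.]net", "theflyingpeckerheads[.]com", "revomedia[.]com"}
IOC_URLS = {"https://textbin[.]net/raw/it4ooicdbv"}
IOC_IPS = {"185.156.72[.]56"}
IOC_SHA256 = {
    "3e22ed74158db153b5590bfa661b835adb89f28a8f3a814d577958b9225e5ec1": "ArcBrowser.exe",
    "b8ae9aa480f958312b87877d5d44a9c8eac6a6d06a61ef7c51d4474d39357edb": "bootstrap.exe",
    "34f4d749af50678a0bda6f38b0c437de3914a005f0d689aa89769c8c9cb8b264": "bootstrap.exe (2nd variant)",
    "018dba31beac15518027f6788d72c03f9c9b55e0abcd5a96812740bcbc699304": "924011449.png",
    "6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf": "JRWeb.exe",
}
MEGA_API_HOST = "g.api.mega.co.nz"  # used as C2 transport per the article
MSBUILD = r"c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe"


def refang(indicator):
    """Turn a published, defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in IOC_DOMAINS}
URLS = {refang(u) for u in IOC_URLS}
IPS = {refang(i) for i in IOC_IPS}


def host_of(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def check_event(ev):
    """Return (severity, reason) findings for one event of the constructed schema."""
    findings = []
    label = IOC_SHA256.get(ev.get("sha256", "").lower())  # process start or file write
    if label:
        findings.append(("high", f"known malicious hash: {label}"))
    if ev["type"] == "network":
        url = ev.get("url", "")
        host = host_of(url) or ev.get("dest_host", "").lower()
        if url in URLS:
            findings.append(("high", "paste-site URL used to fetch the C2 address"))
        elif any(host == d or host.endswith("." + d) for d in DOMAINS):
            findings.append(("high", f"contact with malvertising/payload domain {host}"))
        if ev.get("dest_ip") in IPS:
            findings.append(("high", f"connection to known C2 {ev['dest_ip']}"))
        if host == MEGA_API_HOST and "mega" not in ev["image"].lower():
            findings.append(("medium", f"MEGA API contacted by non-MEGA process {ev['image']}"))
    elif ev["type"] == "inject":
        if ev["target_image"].lower() == MSBUILD and ev["image"].lower().endswith("python.exe"):
            findings.append(("high", "python.exe injecting code into MSBuild.exe"))
    return findings


def lineage(pid, procs):
    """Walk the parent chain (child first) using the process table built from events."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = ppid
    return chain


def analyze(events):
    procs = {e["pid"]: (e["image"], e["ppid"]) for e in events if e["type"] == "process"}
    alerts = []
    for ev in events:
        for severity, reason in check_event(ev):
            alerts.append({"pid": ev["pid"], "image": ev["image"].rsplit("\\", 1)[-1],
                           "severity": severity, "reason": reason,
                           "lineage": lineage(ev["pid"], procs)})
    return alerts


# Constructed telemetry modelled on the chain in the article; pids, paths and
# non-IOC hashes are invented, the benign chrome.exe line is a control.
T = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "sha256": "a" * 64},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\ArcBrowser.exe",
     "sha256": "3e22ed74158db153b5590bfa661b835adb89f28a8f3a814d577958b9225e5ec1"},
    {"type": "process", "pid": 210, "ppid": 200, "image": T + r"\Arc.exe", "sha256": "b" * 64},
    {"type": "network", "pid": 210, "image": T + r"\Arc.exe", "url": "https://g.api.mega.co.nz/cs?id=", "dest_ip": "203.0.113.10"},
    {"type": "network", "pid": 210, "image": T + r"\Arc.exe", "url": "https://revomedia.com/Arc.appinstaller", "dest_ip": "203.0.113.11"},
    {"type": "network", "pid": 210, "image": T + r"\Arc.exe", "url": "https://theflyingpeckerheads.com/bootstrap.exe", "dest_ip": "203.0.113.12"},
    {"type": "process", "pid": 300, "ppid": 210, "image": T + r"\bootstrap.exe",
     "sha256": "b8ae9aa480f958312b87877d5d44a9c8eac6a6d06a61ef7c51d4474d39357edb"},
    {"type": "network", "pid": 300, "image": T + r"\bootstrap.exe", "url": "https://theflyingpeckerheads.com/924011449.png", "dest_ip": "203.0.113.12"},
    {"type": "file", "pid": 300, "image": T + r"\bootstrap.exe", "path": T + r"\924011449.png",
     "sha256": "018dba31beac15518027f6788d72c03f9c9b55e0abcd5a96812740bcbc699304"},
    {"type": "file", "pid": 300, "image": T + r"\bootstrap.exe", "path": T + r"\JRWeb.exe",
     "sha256": "6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf"},
    {"type": "process", "pid": 310, "ppid": 300, "image": T + r"\python\python.exe", "sha256": "c" * 64},
    {"type": "process", "pid": 320, "ppid": 310, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "sha256": "d" * 64},
    {"type": "inject", "pid": 310, "image": T + r"\python\python.exe", "target_pid": 320,
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "network", "pid": 320, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "url": "https://textbin.net/raw/it4ooicdbv", "dest_ip": "203.0.113.13"},
    {"type": "network", "pid": 320, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "url": "", "dest_ip": "185.156.72.56"},
    {"type": "network", "pid": 400, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "url": "https://arc.net/", "dest_ip": "203.0.113.20"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} {a['image']}: {a['reason']}  <- {' <- '.join(a['lineage'])}")
```

The value of the lineage column is that the final C2 connection is attributed not to "MSBuild.exe", a signed Microsoft binary that will appear on any developer machine, but to the chain MSBuild.exe, python.exe, bootstrap.exe, Arc.exe, ArcBrowser.exe under explorer.exe, which is what turns a hash match into an incident. The MEGA rule is deliberately rated medium: legitimate MEGA clients and browsers talk to that API, so it only becomes meaningful in combination with the other hits.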