If you plan to test the Arc browser, be careful, malicious advertising is hanging around on Google

Cybercriminals never miss an opportunity to take advantage of highly anticipated new software launches. That of the browser Bow on Windows was the target of a malicious advertising campaign aimed at pushing Internet users to install a fake program containing a Trojan horse that distributes an infostealer.

Riding on the excitement generated by the arrival of the Arc browser (which we tested for you) for Windows after a successful launch on macOS, hackers have set up a malicious advertising campaign on Google Ads. Their objective ? Deceive Internet users wanting to test this promising new browser by redirecting them to illegitimate sites hosting Trojanized installers instead of the real program.

Despite rave reviews and a warm reception from users of the Mac version, the long-awaited arrival of Arc on Windows has been targeted by cybercriminals. They abused flaws in Google’s advertising platform to deliver seemingly legitimate ads that diverted users to malicious sites when they downloaded them.

Malicious advertising for Arc at the top of sponsored search results on Google

Malwarebytes analysts found that results promoted by Google for the queries “arc installer” and “arc Windows browser” displayed the official Arc URL. However, clicking on these dubious ads redirects to domains impersonating the real site. If the Internet user takes the bait and clicks on “ Download », he ends up with a Trojanized installer retrieved from the MEGA hosting platform.

This fake program then downloads an additional malicious payload named “bootstrap.exe” from an external resource. The MEGA API is then hijacked for command and control operations by hackers, who can then send and receive instructions and data.

The trojanized installer will look for a PNG file containing malicious code that will compile and drop the final payload called “JRWeb.exe” onto the victim’s disk. Another variation uses a Python executable injected into msbuild.exe to retrieve malicious commands from an external site.

Although the exact nature of this latest payload has not yet been determined, Malwarebytes believes it could be an infostealer-style program that loots victims’ personal data. The infection is all the more insidious because the real Arc browser is installed as intended on the machine, hiding the malicious activity in the background.

How to avoid falling for this type of malicious advertising on Google Chrome

It’s well known that the more successful you are, the more you play with fire. The more popular a tool or software is, the more hackers are interested in it. Now available on the 2 most used OS, Arc is attracting attention. This should be the first alert, as they are often hijacked to appear in the first search results on Google. They are all the more formidable when perfectly imitated. It is strongly recommended to ignore all promotional results displayed by Google, which may have been hijacked by hackers even if they appear legitimate. The best thing is to skip them.

You can also choose a more radical solution than ignorance by installing an ad blocker in your browser is a good reflex to protect yourself against this type of malicious ads. It allows you to completely hide these potentially dangerous sponsored results.

Furthermore, get into the habit of bookmarking the official project site for your next downloads, without having to go through a search engine where you could come across a trap.

If, despite these precautions, you have any doubts after clicking on a link, absolutely check the authenticity of the domain before starting the download. A simple, careful look at the URL can often detect spoofing sites that play on misleading similarities.

Finally, a good reflex once the file has been downloaded is to submit it for analysis by an up-to-date antivirus. This makes it possible to detect any malicious payloads injected even before the program is executed on your machine.

Source : Bleeping Computer, Malwarebytes