As Google Chrome continues to dominate the web browser market, a startup called The Browser Company has emerged with a new contender, the Arc browser. Launched for macOS in July 2023 and recently made available for Windows, Arc has quickly garnered glowing reviews and significant user interest. That enthusiasm has also attracted the attention of cybercriminals, according to new research from Malwarebytes.
Malvertising Campaign Targets Arc Browser
Cybersecurity experts have identified a new malvertising campaign that exploits the popularity of the Arc browser. Threat actors are buying Google search ads aimed at users searching for "arc installer" or "arc browser windows." The ads look legitimate, showing the official Arc logo and the genuine Arc website as the displayed address, but clicking them redirects users to attacker-controlled lookalike domains.
Using Google's Ads Transparency Center, researchers traced the ads to an advertiser based in Ukraine. The threat actors registered multiple domain names to route victims through, and even placed news headlines celebrating the Windows release on those pages to make the lure more credible.
Malware Delivery Mechanism
The infection chain begins when a victim downloads what they believe is the Arc browser installer. The file, named ArcBrowser.exe, is an executable that bundles two further executables. One of them downloads and runs the genuine Arc installer, so the victim sees the expected installation and has no reason to suspect anything; it serves purely as a decoy.
Meanwhile, the second executable, Arc.exe, runs in the background and contacts the MEGA cloud storage service through MEGA's developer API. The threat actors use MEGA as a command-and-control channel to send and receive data: the first request logs in to an account registered with a disposable email address, and it is followed by encoded requests and responses that likely carry information about the victim.
Arc.exe then reaches out to a remote site to download a second-stage payload named bootstrap.exe. That payload in turn retrieves a seemingly harmless PNG image file that hides malicious code. Once extracted and executed, that code drops another executable, JRWeb.exe, onto the victim's system.
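The report does not say how the code is concealed in the image, so the following is an added example of a general check rather than Malwarebytes' tooling: it walks a PNG's chunk list and flags two common ways of smuggling a payload in an image, raw bytes appended after the IEND chunk (image viewers stop reading there, so the file still renders) and non-standard chunks carrying opaque data. The sample images are built in the script itself; the chunk name pYLd and the appended MZ blob are constructed for the demonstration, not artifacts from the campaign.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its common extensions;
# anything else is a custom chunk worth a closer look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_png(width=1, height=1, extra_chunks=(), trailer=b"") -> bytes:
    """Build a minimal 8-bit RGB PNG (constructed sample, not the campaign's image).

    extra_chunks are (type, body) pairs inserted before IDAT; trailer is raw
    bytes appended after IEND, the classic place to stash a payload.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) followed by `width` black RGB pixels per scanline.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    chunks = [_chunk(b"IHDR", ihdr)]
    chunks += [_chunk(t, b) for t, b in extra_chunks]
    chunks += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks) + trailer


def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report anything a plain image would not contain."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return {"valid": False, "findings": ["missing PNG signature"]}
    pos = len(PNG_SIGNATURE)
    seen_iend = False
    while pos + 8 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin1")
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            findings.append(f"truncated chunk {name}")
            return {"valid": False, "findings": findings}
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"bad CRC on chunk {name}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and length > 4096:
            findings.append(f"oversized text chunk ({length} bytes)")
        seen_iend = ctype == b"IEND"
        pos = end
    if not seen_iend:
        findings.append("no IEND chunk")
    trailing = len(data) - pos
    if trailing > 0:
        findings.append(f"{trailing} bytes appended after IEND")
        if data[pos:pos + 2] == b"MZ":
            findings.append("appended data starts with an MZ header (embedded PE file)")
    return {"valid": seen_iend, "findings": findings}


if __name__ == "__main__":
    clean = build_png()
    # Constructed suspicious samples: a PE-looking blob after IEND, and a custom chunk.
    stuffed = build_png(trailer=b"MZ" + b"\x90" * 200)
    custom = build_png(extra_chunks=[(b"pYLd", b"A" * 512)])
    for label, sample in [("clean", clean), ("appended", stuffed), ("custom chunk", custom)]:
        print(label, scan_png(sample))
```

A clean image yields no findings, while both constructed samples still open in any viewer yet are flagged. The check is structural only: it cannot see a payload hidden in pixel data, so treat a hit as a reason to detonate the downloader in a sandbox rather than as proof of compromise.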
Researchers also observed a second version of bootstrap.exe that uses a legitimate Python executable to inject code into MSBuild.exe, a signed Microsoft build utility. Running the payload inside a trusted Microsoft process lets the malware blend in with normal activity, evade detection and remain on the system unnoticed.
Security Expert Insights
"Some of the best social engineering attacks happen when users are lured with well-known brands," explained a cybersecurity expert. "We have seen countless cases of brand impersonations via malicious ads targeting different types of victims. Online criminals will also leverage newer brands that are trending, and Arc is the perfect example of a new piece of software that many people will be looking to try out."
The expert further emphasized the need for caution with sponsored search results, since it can be difficult to tell a legitimate ad from a malicious one. Criminals can craft installers that evade detection and compromise the machine through a series of deceptive steps. Endpoint Detection and Response (EDR) systems can help by tying together a series of events that, taken as a whole, indicate an actual attack.
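An added example of the kind of event correlation the expert describes, written for this page and not taken from Malwarebytes or any EDR product: it builds the process tree under a user-downloaded installer and checks how many steps of the chain described above appear within that tree (an installer writing two executables, a connection to MEGA's API, the same process writing a PNG and then an executable, and a remote thread created in MSBuild.exe by something other than a build tool). Any single step is ordinary; three or more in one tree is the signal. The telemetry is constructed in Sysmon-like shape; the PIDs, paths, the decoy installer's file name and the MEGA API hostname are assumptions.

```python
def base(path: str) -> str:
    """File name of a Windows or POSIX path, lower-cased (works off-Windows too)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


TMP = r"C:\Users\u\AppData\Local\Temp"  # assumed drop directory

# Constructed Sysmon-style telemetry; not real logs from the campaign. PIDs,
# paths, the decoy installer's file name and the MEGA API host are assumptions.
EVENTS = [
    {"t": 1, "type": "ProcessCreate", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\ArcBrowser.exe"},
    {"t": 2, "type": "FileCreate", "pid": 100, "path": TMP + r"\legit_arc_setup.exe"},
    {"t": 3, "type": "FileCreate", "pid": 100, "path": TMP + r"\Arc.exe"},
    {"t": 4, "type": "ProcessCreate", "pid": 101, "ppid": 100, "image": TMP + r"\legit_arc_setup.exe"},
    {"t": 5, "type": "ProcessCreate", "pid": 102, "ppid": 100, "image": TMP + r"\Arc.exe"},
    {"t": 6, "type": "NetworkConnect", "pid": 102, "host": "g.api.mega.co.nz", "port": 443},
    {"t": 7, "type": "FileCreate", "pid": 102, "path": TMP + r"\bootstrap.exe"},
    {"t": 8, "type": "ProcessCreate", "pid": 103, "ppid": 102, "image": TMP + r"\bootstrap.exe"},
    {"t": 9, "type": "NetworkConnect", "pid": 103, "host": "cdn.attacker.invalid", "port": 443},
    {"t": 10, "type": "FileCreate", "pid": 103, "path": TMP + r"\image.png"},
    {"t": 11, "type": "FileCreate", "pid": 103, "path": TMP + r"\JRWeb.exe"},
    {"t": 12, "type": "ProcessCreate", "pid": 104, "ppid": 103, "image": TMP + r"\python\python.exe"},
    {"t": 13, "type": "CreateRemoteThread", "pid": 104, "source_image": TMP + r"\python\python.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # Benign comparison: an ordinary downloaded installer that checks for updates.
    {"t": 20, "type": "ProcessCreate", "pid": 200, "ppid": 1, "image": r"C:\Users\u\Downloads\SomeApp-Setup.exe"},
    {"t": 21, "type": "FileCreate", "pid": 200, "path": r"C:\Program Files\SomeApp\SomeApp.exe"},
    {"t": 22, "type": "NetworkConnect", "pid": 200, "host": "updates.someapp.example", "port": 443},
]


def build_tree(events):
    """Map pid -> ppid and pid -> image from ProcessCreate events."""
    parent, image = {}, {}
    for e in events:
        if e["type"] == "ProcessCreate":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]
    return parent, image


def subtree(root, parent):
    """All PIDs descending from root, following ppid links."""
    pids, grown = {root}, True
    while grown:
        grown = False
        for pid, ppid in parent.items():
            if ppid in pids and pid not in pids:
                pids.add(pid)
                grown = True
    return pids


# One predicate per step of the chain. Each takes the tree's events and the root pid.
def stage_bundled_exes(evs, root):
    """The installer itself writes two or more executables (decoy plus payload)."""
    return sum(1 for e in evs if e["type"] == "FileCreate" and e["pid"] == root
               and e["path"].lower().endswith(".exe")) >= 2


def stage_cloud_c2(evs, root):
    """Something in the tree talks to MEGA (coarse host match, an assumption)."""
    return any(e["type"] == "NetworkConnect" and "mega" in e["host"].lower() for e in evs)


def stage_image_then_exe(evs, root):
    """The same process writes a .png and later writes an .exe: image-borne payload."""
    wrote_png = set()
    for e in evs:
        if e["type"] != "FileCreate":
            continue
        p = e["path"].lower()
        if p.endswith(".png"):
            wrote_png.add(e["pid"])
        elif p.endswith(".exe") and e["pid"] in wrote_png:
            return True
    return False


def stage_msbuild_injection(evs, root):
    """A process that is not a build tool creates a remote thread in MSBuild.exe."""
    return any(e["type"] == "CreateRemoteThread"
               and base(e["target_image"]) == "msbuild.exe"
               and base(e["source_image"]) not in {"msbuild.exe", "devenv.exe"}
               for e in evs)


STAGES = [("bundled_exes", stage_bundled_exes), ("cloud_c2", stage_cloud_c2),
          ("image_then_exe", stage_image_then_exe), ("msbuild_injection", stage_msbuild_injection)]


def correlate(events, min_stages=3):
    """Alert on any tree rooted at a user-downloaded file that matches >= min_stages steps."""
    events = sorted(events, key=lambda e: e["t"])
    parent, image = build_tree(events)
    alerts = []
    for root, img in image.items():
        if "/downloads/" not in img.replace("\\", "/").lower():
            continue  # only consider trees rooted at a file the user downloaded
        pids = subtree(root, parent)
        evs = [e for e in events if e["pid"] in pids]
        matched = [name for name, check in STAGES if check(evs, root)]
        if len(matched) >= min_stages:
            alerts.append({"root_pid": root, "root_image": img, "stages": matched})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Keying on process lineage rather than on file names is the point: the attacker can rename ArcBrowser.exe, bootstrap.exe and JRWeb.exe at will, but the decoy-plus-payload drop, the cloud-storage beacon, the image-to-executable hop and the injection into a signed Microsoft binary all have to happen somewhere under the installer the user double-clicked. The benign installer in the sample matches none of the steps and produces no alert.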