Phishing Attempt? Fake Brave Homepage?

Hello all,

I have been using Brave for a while now and have been happy overall. Last night, though, something very suspicious happened. Events in order:

/edit: just remembered another detail: before crashing, I got a pop up that said roughly “can’t run this program” or something along those lines from Brave - don’t remember exactly but that was roughly the gist of it.

  • Brave crashed
  • on restarting it, it asked me to create a user account, optionally with a password.
  • it had lost all open pages, locked me out of my BAT wallet and showed a page that seemed to be a brave.com info page but instead led me to “bravebrowsers .com” (no spaces)
  • old brave install was visible in win 10 apps list for a second (I could see what looked like two brave icons, I think) but vanished after half a second and didn’t show any more, just a new one supposedly installed on March 5th (would un-/reinstall but I’m, hopefully understandably, skeptical about allowing an uninstaller to run that I suspect to be part of phishing-ware).
  • virus scanners show all clear

Is this a known issue?
Is bravebrowsers a legit site?
What could have caused this?
What should I do to make sure nothing untoward has happened to my computer?

Thanks a lot!

/edit: added remembered detail

2 Likes

https://www.hybrid-analysis.com/sample/05dcb636a52190489f9d2e123fff8c17ae027f502603d3f15e570a170af280ea

Took the liberty of downloading this sample and running it through Hybrid Analysis. Seems extremely malicious. Probably a new 0-day. Interestingly enough, it seems to have spoofed certificates as well. FROM Brave.

2 Likes

Oh sh…, thanks for letting me know! Is there anything I can do / how should I react to this, as it seems to be dodging current Malwarebytes/Avast? How dangerous is the whole thing for the rest of my system?

1 Like

Did you install the fake Brave?

Didn’t download anything from that site, but the strange behavior of Brave (the weird break message, the lost pages and wallet access on relaunch, the request to create a user profile and in particular the first page shown, which auto-linked me to the fake site) makes me suspect the damn whatever-it-is might have auto-installed through the auto-update function. Is that possible? What can I do to figure out if my machine is contaminated?

1 Like

Try scanning with HitmanPro

If nothing comes up and you’re still worried, send another message, and I have some extra tools for virus mitigation.

1 Like

Also remembered some more details:
When I reopened Brave after the crash, it didn’t show up at first, and after a little bit it became slow (don’t remember the exact order), and I decided to kill it in Task Manager, which didn’t work, as any Brave process I killed respawned (similar to what an anti-virus does). That only stopped when I deactivated my Wi-Fi and thereby the internet connection; at that point I could easily kill the process and it didn’t respawn.

1 Like

Thank you for your help, will try that!

Uhm, is it normal that the hitman link is the same as the one you posted the first time?

1 Like

Uhh did I post it? I’m a bit overtired. My bad.

Uh, well, the HitmanPro text in your last post is URL-tagged and leads to the scan at Hybrid Analysis; I assume that’s a c/p error? The HitmanPro you’re suggesting is this one, right: https://www.hitmanpro.com/en-us/hmp.aspx?

1 Like

You got it. That’s the correct link.

Scan found only tracking cookies…
However, after I started installing HitmanPro, an unresponsive script warning is being shown by Firefox, telling me the script chrome//global/content/customElements.js:615 isn’t working any more. Given that neither Brave nor Chrome should even be running (and don’t turn up in the task manager) that also seems suspicious… so if you have any other suggestions I’d be more than happy!

/edit: actually, it found one file that supposedly doesn’t exist and might cause errors on start up (C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCsysTray8.exe ). Hitman deleted the cookies, not sure what it did to that file (if anything).

1 Like

Comodo Killswitch, definitely, can be found here

1 Like

/Edit: stopped being stupid and found a 64-bit version on CNET. All processes KillSwitch shows are either trusted or unknown/Error (Not Found). What does that mean? What do I do next?

All the unknown or error processes:
unknown:
YourPhoneServer.exe
Avast UI (and other avast antivirus stuff, with AvastSvc.exe not actually showing the avast logo)
SkypeBridge.exe
SkypeApp.exe
Microsoft.Photos.exe
YourPhone.exe
/edit: found another one I missed before: wsc_proxy.exe

Error (not found)
System idle process - System - Memory Compression
Registry
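The two posts above (the Brave processes that respawned until the network was cut, and the KillSwitch list of "unknown" processes) both come down to the same triage questions: who is the parent of the respawning process, is the binary actually signed by the publisher it claims, and what persistence mechanism restarts it. The following PowerShell script is an added example written for this thread, not code from Brave or from any poster. It assumes an elevated PowerShell 5.1+ session on Windows 10; the brand string `Brave` and the list of process names passed to `Test-ProcessSignatures` are taken from the posts above and can be changed.

```powershell
# Added example (not from the thread): triage a suspected tampered browser install on Windows.
# Assumes an elevated PowerShell 5.1+ session. $Brand is assumed to match the browser's
# process names, install entries and service/task paths; compare results against a known-good PC.
$Brand = 'Brave'

# 1. Running processes under the browser's name, their parent, and the signature on the binary.
#    A process that respawns after being killed usually has a parent (service, scheduled task,
#    watchdog) that shows up in ParentName; an unsigned or differently-signed binary is a red flag.
function Get-BrowserProcessTree {
    $procs = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[$p.ProcessId] = $p }
    $procs | Where-Object { $_.Name -like "$Brand*" } | ForEach-Object {
        $parent = $byId[$_.ParentProcessId]
        $sig = $null
        if ($_.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Name       = $_.Name
            Path       = $_.ExecutablePath
            ParentPid  = $_.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            SigStatus  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 2. Every "Programs and Features" entry that mentions the brand, with publisher and install date.
#    Two entries, or an entry whose Publisher/InstallLocation differs from a clean install, is what
#    the "two Brave icons, then one installed on March 5th" observation would look like here.
function Get-InstalledEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Brand*" } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, UninstallString
}

# 3. Persistence that could restart the browser: scheduled tasks, services and Run keys whose
#    command line mentions the brand. Cutting the network stopped the respawn in the post above,
#    so anything here that is not part of a clean install deserves a closer look.
function Get-BrowserPersistence {
    $tasks = Get-ScheduledTask | Where-Object {
        ($_.Actions | ForEach-Object { $_.Execute }) -match $Brand
    } | Select-Object TaskName, TaskPath, State
    $services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $Brand } |
        Select-Object Name, State, StartMode, PathName
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = foreach ($k in $runKeys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Brand } |
                Select-Object @{ n = 'Key'; e = { $k } }, Name, Value
        }
    }
    [pscustomobject]@{ Tasks = $tasks; Services = $services; RunEntries = $run }
}

# 4. Authenticode status for a list of process names, e.g. the ones KillSwitch rated "unknown".
#    "Valid" with a Microsoft/Avast subject is expected for the names in the post; "NotSigned",
#    "HashMismatch" or an unexpected signer is what to chase.
function Test-ProcessSignatures {
    param([string[]]$Names)
    Get-CimInstance Win32_Process |
        Where-Object { $Names -contains $_.Name -and $_.ExecutablePath } |
        Sort-Object ExecutablePath -Unique | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $_.ExecutablePath
                Status = if ($sig) { $sig.Status } else { 'n/a' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

Get-BrowserProcessTree | Format-Table -AutoSize
Get-InstalledEntries   | Format-List
Get-BrowserPersistence | Format-List
# Process names taken from the KillSwitch list in the post above.
Test-ProcessSignatures -Names 'YourPhoneServer.exe','AvastSvc.exe','SkypeBridge.exe',
    'SkypeApp.exe','Microsoft.Photos.exe','YourPhone.exe','wsc_proxy.exe' | Format-Table -AutoSize
```

Run it before uninstalling anything: once the suspect uninstaller has executed, the process tree and the second install entry are gone. Entries such as `System Idle Process`, `Memory Compression` and `Registry` have no image on disk, which is why a tool reports them as "Error (Not Found)"; that is normal, not an indicator.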

the website you mention seems to share the same whois information and redirects to the official brave.com website.

https://whois.domaintools.com/brave.com

https://whois.domaintools.com/bravebrowser.com

I still have the sample of the ‘virus’ version of the one that came from the fake website. I usually keep all my malware samples backed up so I can tinker with them in my free time.

What probably happened was a DMCA from Brave’s team themselves. Someone from the Brave Dev team care to comment? @steeven @Asad

-AASB

1 Like

@wackydude1234 the OP is linked to bravebrowsers with “s”.

IIRC the team is already aware of this site.

1 Like

Ah, my bad, I misread.

Wow, somehow I missed that. I am the definition of a dunce today. Anyway, it appears that their little site is built on WordPress… see below.

Hey @MonGC, thanks for reporting this. This is super weird.

You say you didn’t install from bravebrowsers.com at ALL, correct?

I can’t see how the auto-updater would do this but I will run it past the team.