We are getting alerts through CrowdStrike saying Brave tries to load some malicious DLL files

We’ve been receiving alerts through CrowdStrike indicating that the Brave browser is attempting to load some malicious DLL files. All our browsers, including Brave, are on the latest stable versions.

Additionally, I noticed that these browsers are checking for nightly version updates as well.

Can anyone shed some light on why this is happening and how to resolve it?

Refer to the above screenshot for more details regarding the CrowdStrike alert.

Thanks in advance for your help!


Same here. Around Friday last week we started to detect some of this kind of DLL sideloading on CrowdStrike: the same file, the same process tree. Let me know if you have any updates regarding this.

Lmao, bringing up CrowdStrike as they are having all sorts of issues:

https://www.wsj.com/business/crowdstrike-outage-travel-snarl-hacking-threat-cybersecurity-16647177

My comment aside, I’m not sure what’s happening. Typically there are no issues, and it’s important to note that CrowdStrike is having difficulties. However, I have little to no knowledge on the matter and no suggestions to give at the moment.

That said, I will tag @Mattches to have this on his radar and see if he has any suggestions or answers for you.

Thank you for your message. I appreciate your concern regarding CrowdStrike, but I have not experienced any issues with it. I am more interested in understanding the relationship between the regular Brave browser and its Nightly version.

They are different release channels for the browser — more information here:

Thanks for the reply. May I know why the latest stable version is checking for a nightly update, and why some of the update files are flagged as malicious? Thank you.

Can you elaborate on what you mean exactly?

Hey Mattches, we are also seeing multiple detections for DLL injection for BraveUpdateComRegisterShell64.exe, and further up in the process tree (in the first picture, where Shadow229 highlights the first process) we also see that BraveBrowserUntaggedNightlySetup_127_1_69_107.exe is called.

I do not work with Shadow229, but I can speculate that we both came to the conclusion, as described in the article “what is the difference between Nightly, Dev, Beta and Release builds?”, that Brave’s release channel is using the nightly builds to update?

And by any chance, are you able to tell us what was updated in the Brave release channel, for example whether a new library was used?

@Shadow229 and/or Brave staff, were you able to determine what the issue was?

Apparently not - I’m seeing CrowdStrike alerts like this, too. This may be more something to bring up to CrowdStrike, particularly as this has gone unchecked for 2 weeks. CS also gives the DLL files it tried to load, and those are worth analyzing. Note this is literally what CrowdStrike tells you to do…

In my case it was ole32.dll - @Saoiray or @Mattches (or someone at Brave), does BraveUpdateComRegisterShell64.exe normally try to side-load ole32.dll, and if so, would you be willing to share any context as to why? I just want to do due diligence while I examine this “incident” on my end and determine if it’s a cause for concern or a false positive. In examining ole32.dll as well, I found it clean via VirusTotal and Hybrid Analysis. Please advise.

@why2kbug I don’t work at Brave and certainly am not knowledgeable on the question you’re asking. It would likely need to be someone like @steeven or @Mattches who will be able to better assist. In terms of users, perhaps @justsomeone1 may know. (tagging them since we’re at the end of day Friday and Support usually isn’t around on the weekends)

@Saoiray Got it, thanks. I appreciate you tagging them, and this can wait until Monday for me as well. The system that detected this is sandboxed until it’s resolved, and I’ve already reached out to CrowdStrike on top of this. I’ll update if they’re able to provide context/information/anything.

With the recent CrowdStrike issues it’s possible this is a known issue and just not pushed out yet. They delayed further updates to this and only recently began distributing more.

Hello everyone,

I have no Windows or Falcon system to test on, or to check whether I have the same issue using Linux.

I think the question should be forwarded to the dev team about the following:

Based on this info about ole32.dll:

So it is used to make apps interact with each other.
So the question is which app Brave interacts with.
Another question from @Shadow229 and @a22joarodgui: braveUpdate.exe calls BraveBrowser…NIght…exe, and they ask why it calls this app while they use the release version (those inner apps could be the cause of the use of ole32.dll, but not sure).

Sorry for not bringing any new info, but I hope you soon get good feedback from the team to know what is going wrong or whether it is a false positive.

And have a nice day everyone :slight_smile:


I reinstalled all the Brave browsers. Since then, I have not received any alerts.

Thanks for everyone’s responses.

@why2kbug - Similar if not the same detection; ole32.dll was indeed being loaded. The main concern for us is whether this was an expected change by the Brave team. A brief look through the GitHub patch notes for Brave did not show anything outlying, potentially ruling this a false positive.

@justsomeone1 - Thank you for your insight on this, and I believe unofficially this is the best answer we will get. Very much appreciated.

@Shadow229 - Thank you for your update.

CrowdStrike essentially refused to help, saying they won’t investigate something in our environment, despite knowing full well they collect the data. I may pester them some more.
@justsomeone1 - the issue seems Windows-specific, as it’s loading a specific Windows DLL. Testing on Linux wouldn’t be the best case, as I assume the update process isn’t the same, especially if they’ve installed using a repository.

Since ole32.dll allows programs to share data between programs, there exists some potential for abuse, and I think it’s important we at least determine this is normal behavior and, if you are willing to share, learn more about what it’s doing.

Sorry for the lack of reply here.
So we believe this to be a false positive report by CrowdStrike.
We recently released a new version of our automatic update mechanism on Windows. It incorporated a few small improvements and bug fixes, and was also signed with our new code-signing certificate. The motivation for the latter is that our current certificate expires in August, so it had to be renewed.

As for the word “nightly” in the name: the file is correct, but we accidentally uploaded it to our server under the wrong name. We did not expect it to be visible to users, so we did not give it much thought. Sorry for the confusion.

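For anyone doing the same due diligence on a "DLL sideloading" alert against the updater, the decisive question is not whether ole32.dll is malicious (the thread already found it clean) but where the loaded copy came from: a Windows system DLL loaded from System32 with a Microsoft signature is expected, whereas a same-named file sitting in the application directory (which the loader's search order would normally pick up first) is the actual sideloading pattern. The script below is an added example and is not code from Brave or CrowdStrike; it assumes the sensor reports, per load event, the loading process path, the DLL path and the Authenticode signer name, and the event fields, paths, signer strings and sample events are constructed for illustration.

```python
"""Triage DLL-load alerts for the DLL-sideloading pattern.

Added example; not Brave's or CrowdStrike's code. Assumes each event carries
the loading process image path, the loaded DLL path and the signer name the
sensor reported (None when unsigned). Field names and samples are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which Windows system DLLs are expected to be loaded.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# System DLL names that should only ever resolve to the system directory. A copy of
# one of these next to an application binary is the classic sideloading setup.
KNOWN_SYSTEM_DLLS = {
    "ole32.dll", "combase.dll", "oleaut32.dll", "rpcrt4.dll", "kernel32.dll",
    "ntdll.dll", "user32.dll", "advapi32.dll", "shell32.dll",
}

# Signer expected on system-directory files (constructed; real sensor strings may differ).
MICROSOFT_SIGNER = "microsoft windows"


@dataclass
class DllLoadEvent:
    process: str           # image path of the loading process
    dll: str               # full path of the DLL that was loaded
    signer: Optional[str]  # Authenticode signer as reported, None if unsigned


def _within(path_dir: str, root: str) -> bool:
    """True if path_dir equals root or lies below it (case-insensitive, exact components)."""
    d, r = path_dir.lower(), root.lower().rstrip("\\")
    return d == r or d.startswith(r + "\\")


def classify(ev: DllLoadEvent) -> Tuple[str, str]:
    """Return (verdict, reason) for one load event."""
    dll_path = PureWindowsPath(ev.dll)
    name = dll_path.name.lower()
    dll_dir = str(dll_path.parent)
    proc_dir = str(PureWindowsPath(ev.process).parent)
    in_system = any(_within(dll_dir, d) for d in SYSTEM_DIRS)
    in_app_dir = _within(dll_dir, proc_dir)
    signer = (ev.signer or "").lower()

    # A system DLL name resolved from anywhere but the system directory is the
    # sideloading indicator, regardless of what the file's hash says.
    if name in KNOWN_SYSTEM_DLLS and not in_system:
        return "sideload_suspect", f"{name} resolved from {dll_dir} instead of the system directory"
    # A file in the system directory that is not Microsoft-signed is also worth escalating.
    if in_system and signer != MICROSOFT_SIGNER:
        return "sideload_suspect", f"{name} in system directory but signer is {ev.signer!r}"
    if in_system:
        return "expected_system_dll", f"{name} loaded from {dll_dir} with a Microsoft signature"
    if in_app_dir and not ev.signer:
        return "unsigned_app_dll", f"unsigned {name} loaded from the application directory"
    if in_app_dir:
        return "app_dll", f"{name} loaded from the application directory, signed by {ev.signer}"
    return "review", f"{name} loaded from unexpected directory {dll_dir}"


def triage(events: List[DllLoadEvent]) -> List[Tuple[str, str]]:
    return [classify(e) for e in events]


# Constructed samples modelled on the thread: the updater's COM-registration helper
# loading ole32.dll. The install path, signer strings and helper.dll are illustrative.
UPDATER = r"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdateComRegisterShell64.exe"
SAMPLE_EVENTS = [
    DllLoadEvent(UPDATER, r"C:\Windows\System32\ole32.dll", "Microsoft Windows"),
    DllLoadEvent(UPDATER, r"C:\Program Files (x86)\BraveSoftware\Update\ole32.dll", None),
    DllLoadEvent(UPDATER, r"C:\Users\alice\AppData\Local\Temp\ole32.dll", None),
    DllLoadEvent(UPDATER, r"C:\Program Files (x86)\BraveSoftware\Update\helper.dll", "Example Vendor"),
]

if __name__ == "__main__":
    for verdict, reason in triage(SAMPLE_EVENTS):
        print(f"{verdict:22} {reason}")
```

The first sample event is the shape the thread describes (ole32.dll from System32, Microsoft-signed) and comes back as expected; the second and third are what a genuine sideload looks like, and the same file name is the point: a VirusTotal lookup of the real ole32.dll tells you nothing about a copy dropped beside the executable. When reviewing a real alert, pull the full DLL path and signer from the detection rather than only the file name, and note that on current Windows versions several of these names (ole32.dll among them) are resolved via the KnownDLLs list regardless of search order, so a same-named file in the application directory is still the thing to investigate even if the loader never used it.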

Got you - so loading ole32.dll is normal behavior for the update process?

@why2kbug - Just an FYI: I believe CrowdStrike will not investigate if it’s not an AI/Falcon machine-learning issue or something affecting your org, such as mass quarantining of files. Hence why I wanted confirmation from someone on the Brave team.

@Mattches - Thanks for the update! I am also interested in your/brave’s response to @why2kbug’s question.

@why2kbug, totally agree.