BEWARE, active punycode attack on google ads homebrew install

[cipher-fox]

I just spotted a possible Punycode attack on Google when searching for the keywords "install homebrew".

The page seems to be legitimate https://www.brew.sh but then it redirects to https://hornebnew.com, where it downloads and mounts a DMG file, in which there is a Mach-o file that it later executes to infect the machine.

It may seem that everything went well, since in the end brew is installed on the machine.

This is the virustotal analysis of the infected file inside the DMG.
https://www.virustotal.com/gui/file/d4e86dbffd226e2aa5efeedd3159e4c72422238860939b370605ec1f07034f96/detection

[SMillerDev]

Please report this to Google, since we can't do anything about it.

[cipher-fox]

It has already been reported, I have decided to open an incident for faster dissemination.

[Bo98]

This has unfortunately has been a targeted attack going on for a while now and there's little we're able to do to address this. By the time one gets removed (several days), Google accepts an ad for a new domain.

Submitting to Google Safe Browsing has been the most successful so far. It's a separate team to the Google AdSense team and browsers often take that data and display a message when visiting the page which helps reduce the number of victims.