A new malvertising campaign is taking advantage of the popularity of Perplexity’s recently launched Comet browser, tricking users into downloading a malicious installer instead of the legitimate product.
The fraudulent ads appear at the top of Google search results under domains such as cometswift.com and cometlearn.web, both promoting what looks like a productivity browser linked to Perplexity.
When clicked, the ads redirect to perplexity.page, a fake landing page mimicking the official Comet browser site, complete with a download button that links to a malicious file hosted on GitHub.
The payload, named comet_latest.msi, is stored in a GitHub repository under the account "richardsuperman" and is believed to drop additional malware once executed. According to Jerome Segura, VP of Risk Analysis at DataDome, network telemetry indicates that the installer communicates with a command-and-control server hosted at icantseeyou.icu. VirusTotal scans link the activity to DarkGate, malware known for stealing passwords.

The ongoing campaign is another case of attackers abusing Google Ads and search results, where people look for something legitimate but end up on a fake site instead. In this instance, users searching for “Comet browser” are shown a deceptive ad placed above the real Perplexity link, leading them to download malware from a page that looks completely authentic.
Segura, who shared the findings on LinkedIn, said his team has already reported the ad to Google. He noted that similar tactics are being used against other AI-driven browsers such as Arc, showing that attackers are quick to exploit trending software launches.
Analysis of the GitHub repository revealed Russian-language code comments, hinting at the developer’s origin or linguistic background. The repository, titled musical-engine, contains Windows Forms code and uploaded assets that match the malicious installer.
This whole episode shows how fast scammers move when something new and popular hits the web. They take advantage of the popularity and people’s trust in familiar platforms like Google Ads. The safest move is to skip the sponsored results and go straight to the official website every time you need to download software.
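
The chain reported above (sponsored-ad domain, installer fetched from the named GitHub account, then command-and-control traffic) can be hunted for in web proxy logs. The Python below is an added example, not code from the researchers; the log format, client names, sample URLs and the one-hour correlation window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators named in the article; WINDOW is an assumed correlation window.
AD_DOMAINS = {"cometswift.com"}
C2_DOMAINS = {"icantseeyou.icu"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
GITHUB_ACCOUNT = "richardsuperman"
WINDOW = timedelta(hours=1)

# Constructed proxy log lines ("timestamp client url"), not real telemetry.
SAMPLE_LOG = """\
2025-01-01T09:00:05 ws-014 https://cometswift.com/?gclid=abc
2025-01-01T09:00:40 ws-014 https://github.com/richardsuperman/musical-engine/raw/main/comet_latest.msi
2025-01-01T09:03:12 ws-014 https://icantseeyou.icu/
2025-01-01T09:10:00 ws-022 https://cometswift.com/
2025-01-01T09:20:00 ws-040 https://cometswift.com.example.org/comet_latest.msi
"""

def _in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(url):
    """Map a URL to "ad_click", "payload", "c2" or None.
    Hosts match exactly or as true subdomains, so look-alike suffixes do not hit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _in(host, AD_DOMAINS):
        return "ad_click"
    if _in(host, C2_DOMAINS):
        return "c2"
    segs = parts.path.strip("/").split("/")  # first segment is the account
    is_repo = host in GITHUB_HOSTS and segs[0].lower() == GITHUB_ACCOUNT
    return "payload" if is_repo else None

def triage(log_text):
    seen = {}  # client -> [(timestamp, stage)] for lines that hit an indicator
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, url = line.split(maxsplit=2)
        if (stage := classify(url)):
            seen.setdefault(client, []).append((datetime.fromisoformat(ts), stage))
    verdicts = {}
    for client, events in seen.items():
        dl = [t for t, s in events if s == "payload"]
        c2 = [t for t, s in events if s == "c2"]
        if any(timedelta(0) <= c - d <= WINDOW for d in dl for c in c2):
            verdicts[client] = "likely_infected"  # download followed by C2 traffic
        else:
            verdicts[client] = "c2_contact" if c2 else "payload_downloaded" if dl else "exposed"
    return verdicts
```

Clients that only clicked the ad are reported as `exposed`, which separates hosts needing user follow-up from hosts needing containment.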










