Social engineering kits are nothing new in the world of malware, and Domen is yet another tool entering the field. The basic idea behind this kind of threat is to compromise a website, most often a WordPress site, and then use it to display an overlay loaded through an iframe. The overlay asks visitors to install an update, which downloads the NetSupport RAT (remote access trojan or remote administration tool). It is similar to other threats such as the Fake Updates campaign that appeared around April 2018.
The campaign also bears some similarities to the EITest and the HoeflerText social engineering scheme used in 2017, when the malware payload was an ad fraud malware – Fleercivet. That malware was later seen spreading the Spora malware.
The difference between those and the new campaign lies mostly in complexity and the method of distribution. Fake Updates used fingerprinting on its victims' browsers; the new campaign makes full use of that technique to deliver Chrome, Flash Player, or font updates in 30 different languages. The font update overlay appears identical to the one used in the HoeflerText scheme of years past, bearing the header 'The 'PT Sans' font wasn't found.'
The new campaign was dubbed Domen, and the Domen toolkit communicates with a remote server, currently hosted at asasasqwqq[.]xyz. Based on data extrapolated from that website, researchers believe the Domen toolkit has already registered more than 100,000 visits by victims, and the number is still growing.
The Domen template.js is capable of delivering browser update notices to Internet Explorer, Firefox, Edge, and Chrome, alongside separate APK installation instructions for Android devices. Each of these templates exists in as many as 30 different languages, selected according to browser type, operating system, locale, and so forth. A variable named banner selects a Font, Flash or Browser Update theme; it can be set by each threat actor using the tool, and the chosen theme is again delivered in any of the prepared 30 languages.
The browser overlays are the same in all versions aside from the name and logo used. The user gets warned against potential errors due to 'incorrect site mapping,' 'loss of all stored and personal data' and 'browser errors.' The messages are also editable by changing the template. After these, a message states 'To fix errors and save your data, update your browser to the latest version,' with an update button in plain sight.
The Flash update overlay has a 'later' button as well as the update button and, much like the overlays in other social engineering kits of this kind, it is hosted on a different server, specifically chrom-update[.]online in this case. Clicking either button downloads a file named 'download.hta', stored on the Bitbucket platform and also hosted on an Amazon server, bbuseruploads.s3.amazonaws[.]com.
The HTA script involved runs PowerShell, and it connects to the xyxyxyxyxy[.]xyz domain to pull the malware payload, in this case, a package that contains the legitimate NetSupport remote access tool, which is used commonly in classroom management solutions. The tool has been used by the people behind Domen to support their operations, thus acting as a Trojan.
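The infection chain described above (overlay host, download.hta staging, HTA-launched PowerShell, payload host) can be checked for in proxy logs and process-creation telemetry. The following is an added detection example, not code from the original write-up or from the Domen kit; the log lines and process events are constructed samples, and the stage names are assumptions of this example.

```python
from collections import defaultdict

# Indicators quoted in the write-up above, defanging brackets removed, mapped to a chain stage.
STAGES = {
    "asasasqwqq.xyz": "kit_server",                    # Domen toolkit back end
    "chrom-update.online": "overlay",                  # Flash update overlay host
    "bbuseruploads.s3.amazonaws.com": "hta_download",  # download.hta staging
    "xyxyxyxyxy.xyz": "payload_fetch",                 # host the HTA's PowerShell pulls from
}

# Constructed sample proxy log (not from the page): timestamp client host path
PROXY_LOG = """\
2019-09-10T10:01:02Z 10.0.0.5 news-site.example /wp-content/themes/x/template.js
2019-09-10T10:01:03Z 10.0.0.5 chrom-update.online /flash/update.html
2019-09-10T10:01:09Z 10.0.0.5 bbuseruploads.s3.amazonaws.com /u/download.hta
2019-09-10T10:01:15Z 10.0.0.5 xyxyxyxyxy.xyz /get
2019-09-10T10:02:00Z 10.0.0.7 docs.python.org /3/library/re.html
"""

# Constructed sample process-creation events: (parent image, child image, command line)
PROC_EVENTS = [
    ("explorer.exe", "mshta.exe", r'mshta.exe "C:\Users\a\Downloads\download.hta"'),
    ("mshta.exe", "powershell.exe", "powershell.exe -w hidden -nop -File stage.ps1"),
    ("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
]

def find_domen_web_hits(log_text):
    """Return (client, host, path, stage) for each request matching a Domen stage."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, host, path = line.split()
        stage = STAGES.get(host.lower())
        if stage is None and path.lower().endswith(".hta"):
            stage = "hta_download"  # an .hta pull from an unknown host is still worth a look
        if stage:
            hits.append((client, host, path, stage))
    return hits

def chain_per_client(hits):
    """Group matched stages by client so a full overlay -> HTA -> payload chain stands out."""
    chains = defaultdict(list)
    for client, _host, _path, stage in hits:
        chains[client].append(stage)
    return dict(chains)

def find_hta_to_powershell(events):
    """Flag mshta.exe spawning powershell.exe, the execution step download.hta performs."""
    return [cmd for parent, child, cmd in events
            if parent.lower() == "mshta.exe" and child.lower() == "powershell.exe"]
```

A client that shows all three web stages in sequence, combined with an mshta.exe to powershell.exe parent-child event on the same host, is a strong indication that the full Domen chain ran rather than a user merely seeing the overlay.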