Social engineering kits are nothing new in the world of malware, with yet another tool entering the field with Domen. Тhe basic idea behind this kind of threat is compromising a website, most often WordPress, then using it to display overlays loaded with an iframe on the screen. The overlay asks visitors to install an update, something which downloads the NetSupport RAT (remote access trojan or remote administration tool). It is similar to other threats like the Fake Updates campaign that popped up around April of 2018.

The campaign also bears some similarities to the EITest and the HoeflerText social engineering scheme used in 2017, when the malware payload was an ad fraud malware – Fleercivet. That malware was later seen spreading the Spora malware.

The difference between those and the new campaign is mostly in complexity and the method of distribution. Fake Updates used fingerprinting on the browsers of its victims. The new campaign uses full use of that technique to delver Chrome, Flash Player, or font updates in 30 different languages. The font update overlay appears identical to the one used in the HoeflerText scheme of years past, bearing the header 'The 'PT Sans' font wasn't found.'

The new campaign was dubbed Domen, with the Domen toolkit communicating with a remote server, one that is hosted at asasasqwqq[.]xyz at this time. Based on data extrapolated from the website, researchers believe there have been more than 100,000 hits already and growing, visits by victims of the Domen toolkit.

The Domen template.js is capable of delivering browser update notices to Internet Explorer, Firefox, Edge, and Chrome, alongside separate APK installation instructions for any Android devices. Each of these templates exists in as many as 30 different languages, all based on the kind of browser type, operating system, locale, and so forth. The theme uses a variable banner which selects a Font, Flash or Browser Update theme. It may be set by each threat actor using the tool, once again delivered in any of the prepared 30 languages.

The browser overlays are the same in all versions aside from the name and logo used. The user gets warned against potential errors due to 'incorrect site mapping,' 'loss of all stored and personal data' and 'browser errors.' The messages are also editable by changing the template. After these, a message states 'To fix errors and save your data, update your browser to the latest version,' with an update button in plain sight.

The Flash update overlay has a 'later' button as well as the update button, and much like other overlays in this kind of social engineering kits, this one is hosted on a different server, specifically chrom-update[.]online in this case. Clicking on either of the buttons downloads a file named 'download.hta' stored on a Bitbucket platform and hosted on an Amazon server as well – bbuseruploads.s3.amazonaws[.]com.

The HTA script involved runs PowerShell, and it connects to the xyxyxyxyxy[.]xyz domain to pull the malware payload, in this case, a package that contains the legitimate NetSupport remote access tool, which is used commonly in classroom management solutions. The tool has been used by the people behind Domen to support their operations, thus acting as a Trojan.

Related Posts


Most Viewed