Newly discovered Domen toolkit leverages fake browser and software update alerts to spread malware

• The Domen toolkit has drawn over 100,000 visits in the past few weeks.
• Once loaded on a compromised site, the toolkit displays a variety of alerts that overlay the site’s legitimate content.

Security researchers have uncovered a new wave of attacks that makes use of recently discovered social engineering toolkit called Domen. The toolkit has been discovered using fake browser and software update alerts on compromised sites to infect users with malware.

How does it operate?

Discovered by researchers from Malwarebytes, the Domen toolkit has drawn over 100,000 visits in the past few weeks. Once loaded on a compromised site, the toolkit displays a variety of alerts that overlays the site’s legitimate content. These fake alerts are designed in such a way that the users are tricked into believing that they are real and later download them. Once these fake alerts are executed, they infect the target systems with payloads of attackers’ choice.

Once such instance noticed by researchers involved the fake Flash Player update. The attackers had compromised the legitimate website wheelslist[.]net and palaced an iframe from chrom-update [.]online as a layer above the normal page.

Clicking on the UPDATE or LATER button on the page resulted in the download of a file called ‘ download.hta’ - indexed on Atlassian’s Bitbucket platform and hosted on an Amazon server. Upon execution, the ‘download.hta’ file runs PowerShell and connects to a .xyz domain in order to retrieve a malware payload named NetSupport RAT (Remote Administration Tool). When the machine is infected with the RAT, it allows the attackers to take control of the machine.

Worth noting

The interesting aspect of the toolkit supports 30 different languages and is designed for both desktop and mobile visitors. This allows the script to target a variety of different visitors that may visit a compromised site.

During the course of its research, Malwarebytes have also been able to link Domen to a malicious redirection campaign called FakeUpdates or SocGholish.

“In late 2018, we documented a malicious redirection campaign that we dubbed FakeUpdates, also known as SocGholish based on a ruleset from emerging threats. It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT),” researchers explained.

The bottom line

While the basic social engineering approach is not new, Domen is on a different level. Researchers note that “What makes the Domen toolkit unique is that it offers the same fingerprinting (browser, language) and choice of templates thanks to a client-side (template.js) script which can be tweaked by each threat actor.”