
Domen toolkit customizes fake web page overlays to bolster infection odds

A malicious campaign has been leveraging a newly discovered social engineering toolkit to distribute a wide range of phony web page overlays, seemingly generating at least 100,000 page views in just the past few weeks.

The toolkit, dubbed Domen, uses a cleverly written client-side script ("template.js") to deliver these fraudulent overlays, which are loaded as an iframe from compromised websites and displayed on top of the website's actual legitimate content. Most of the compromised websites run on WordPress, according to Jérôme Segura, director of threat intelligence at Malwarebytes, in a company blog post describing the threat.

The overlays typically appear as alerts instructing users to update their software, and are customized according to the victim's fingerprinted geolocation, browser and operating system. Interacting with these overlays by pressing the UPDATE or LATER button results in the execution of an HTA script, which runs PowerShell and connects to a malicious website hosting the NetSupport remote administration tool. The infected machine then downloads the RAT, which the attackers can use to take control.

The fake messages, which can appear in up to 30 different languages, have included phony appeals to have users install new versions of Flash Player, Chrome, Microsoft Edge, Firefox and Internet Explorer, as well as new font packs.

In the course of its research, Malwarebytes was able to link Domen to a malicious redirection campaign called FakeUpdates or SocGholish, which also fingerprints victim machines, but delivers a completely different fake update template. Malwarebytes discovered that Domen and SocGholish are sometimes both found on the same compromised host. Both are also known to abuse cloud hosting platforms, download .hta files disguised as fake updates and infect victims with the NetSupport RAT.

"Similarities with SocGholish could be simply due to the threat actor getting inspired by what has been done before. However, the fact that both templates deliver the same RAT is something noteworthy," Segura concludes.

Malwarebytes researchers also noted that another recently discovered redirection campaign, referenced as FontPack, used a JavaScript template that is nearly identical to Domen's. This fake font campaign appeared similar in nature to a 2017 HoeflerText social engineering scheme that used the EITest infection chain. Segura has reportedly told BleepingComputer that FontPack is merely an imitation of EITest, and is not an imitation.

According to Segura, users who visit a site injected with the Domen toolkit are connected to a remote server hosted at asasasqwqq[.]xyz. Network traffic data associated with this domain is what led Malwarebytes to conclude that more than 100,000 victim machines have been impacted by Domen.
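For defenders, the two observable stages described above (a lookup of the Domen server, then an HTA that launches PowerShell) can be hunted in endpoint and DNS telemetry. The following is an added example, not code from the article or from Malwarebytes; the event field names, host names, paths and PIDs are assumptions standing in for whatever an EDR or DNS log exports.

```python
from collections import defaultdict

# Server named in the article, kept defanged in source and refanged for matching.
DOMEN_SERVER = "asasasqwqq[.]xyz".replace("[.]", ".")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

def base(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_domen_name(query):
    """True for the server itself or any subdomain, not for look-alike suffixes."""
    q = query.lower().rstrip(".")
    return q == DOMEN_SERVER or q.endswith("." + DOMEN_SERVER)

def triage(dns_events, proc_events):
    """Map host -> set of findings from DNS and process-creation events."""
    findings = defaultdict(set)
    for ev in dns_events:
        if is_domen_name(ev["query"]):
            findings[ev["host"]].add("overlay_server_lookup")
    # Index by (host, pid) to follow parent links; assumes no PID reuse in the window.
    procs = {(ev["host"], ev["pid"]): ev for ev in proc_events}
    for ev in proc_events:
        parent = procs.get((ev["host"], ev["ppid"]))
        if base(ev["image"]) != "powershell.exe" or parent is None:
            continue
        if base(parent["image"]) != "mshta.exe":
            continue
        findings[ev["host"]].add("hta_spawned_powershell")
        grand = procs.get((ev["host"], parent["ppid"]))
        if grand is not None and base(grand["image"]) in BROWSERS:
            findings[ev["host"]].add("hta_launched_from_browser")
    return dict(findings)

# Constructed sample events (hypothetical hosts, paths and PIDs).
SAMPLE_DNS = [
    {"host": "WS01", "query": DOMEN_SERVER},
    {"host": "WS02", "query": "not" + DOMEN_SERVER},       # look-alike, must not match
    {"host": "WS03", "query": "cdn." + DOMEN_SERVER + "."},  # subdomain, trailing dot
]
SAMPLE_PROC = [
    {"host": "WS01", "pid": 100, "ppid": 4, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS01", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"host": "WS01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS02", "pid": 50, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "pid": 300, "ppid": 50, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_DNS, SAMPLE_PROC))
```

A host with only `overlay_server_lookup` visited an injected page; one that also shows `hta_spawned_powershell` reached the execution stage and warrants a check for NetSupport on disk.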

"Over time, we have seen a number of different social engineering schemes. For the most part, they are served dynamically based on a user's geolocation and browser/operating system type," Segura states in the blog post. "What makes the Domen toolkit unique is that it offers the same fingerprinting (browser, language) and choice of templates thanks to a client-side (template.js) script which can be tweaked by each threat actor. Additionally, the breadth of possible customizations is quite impressive..."

Bradley Barth

