A malicious campaign has been leveraging a newly discovered social engineering toolkit to distribute a wide range of phony web page overlays, seemingly generating at least 100,000 page views in just the past few weeks.
The toolkit, dubbed Domen, uses a cleverly written client-side script ("template.js") to deliver these fraudulent overlays, which are loaded as an iframe from compromised websites and displayed on top of the website's actual legitimate content. Most of the compromised websites run on WordPress, according to Jérôme Segura, director of threat intelligence of Malwarebytes, in a company blog post describing the threat.
The overlays typically appear as alerts instructing users to update their software, and are customized according to the victim's fingerprinted geolocation, browser and operating system. Interacting with these overlays by pressing the UPDATE or LATER button results in the execution of an HTA script, which runs PowerShell and connects to a malicious website hosting the NetSupport remote administration tool. The infected machine then downloads the RAT, which the attackers can use to take control.
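The execution chain described above (an .hta file run by the HTA host, which in turn launches PowerShell) is visible in endpoint process-creation telemetry. The following is an added detection example, not Malwarebytes' code; the event records and the sample telemetry are constructed, simplified stand-ins for Sysmon-style events.

```python
"""Flag HTA-host -> script-host parent/child chains in process telemetry.
Added example; ProcEvent is a constructed, Sysmon-like simplification."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased on ingest
    cmdline: str


# Constructed sample telemetry: a benign PowerShell run from Explorer, then the
# chain the article describes (mshta.exe running a downloaded .hta, spawning
# PowerShell). Paths and arguments are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -File backup.ps1"),
    ProcEvent(300, 100, "mshta.exe", r"mshta.exe C:\Users\user\Downloads\update.hta"),
    ProcEvent(301, 300, "powershell.exe", "powershell.exe -w hidden -c <constructed>"),
]

HTA_HOSTS = {"mshta.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def find_hta_script_chains(events):
    """Return (parent, child) pairs where an HTA host spawned a script host.

    Parents are resolved by pid; a production pipeline should key on process
    GUIDs as well, because pids are reused after a process exits.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is not None and parent.image in HTA_HOSTS:
            hits.append((parent, ev))
    return hits


if __name__ == "__main__":
    for parent, child in find_hta_script_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={child.pid}: {parent.image} -> {child.image}: {child.cmdline}")
```

The benign PowerShell run (pid 200) is not flagged because its parent is Explorer; only the mshta.exe-spawned instance matches.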
The fake messages, which can appear in up to 30 different languages, have included phony appeals to have users install new versions of Flash Player, Chrome, Microsoft Edge, Firefox and Internet Explorer, as well as new font packs.
In the course of its research, Malwarebytes was able to link Domen to a malicious redirection campaign called FakeUpdates or SocGholish, which also fingerprints victim machines, but delivers a completely different fake update template. Malwarebytes discovered that Domen and SocGholish are sometimes both found on the same compromised host. Both are also known to abuse cloud hosting platforms, download .hta files disguised as fake updates and infect victims with the NetSupport RAT.
"Similarities with SocGholish could be simply due to the threat actor getting inspired by what has been done before. However, the fact that both templates deliver the same RAT is something noteworthy," Segura concludes.
According to Segura, users who visit a site injected with the Domen toolkit are connected to a remote server hosted at asasasqwqq[.]xyz. Network traffic data associated with this domain is what led Malwarebytes to conclude that more than 100,000 victim machines have been impacted by Domen.
"Over time, we have seen a number of different social engineering schemes. For the most part, they are served dynamically based on a user's geolocation and browser/operating system type," Segura states in the blog post. "What makes the Domen toolkit unique is that it offers the same fingerprinting (browser, language) and choice of templates thanks to a client-side (template.js) script which can be tweaked by each threat actor. Additionally, the breadth of possible customizations is quite impressive..."