“The template.js file is a beautiful piece of work”
Santa Clara-based cybersecurity firm Malwarebytes has spotted a new social engineering toolkit that adapts to users’ operating system, browser and location.
The toolkit named ‘Domen‘ is designed around a client-side script that gives attackers a framework to create fake update templates, which entice users to click buttons initiating a malicious download, e.g. via a fake Flash update pop-up.
The toolkit has been customised to work on desktops and mobile sites. Interestingly it has also been designed to support 30 languages, suggesting a global attack surface.
The toolkit is loaded as an iframe from a compromised website and is displayed as an additional layer over the top of the site.
The malware will display a flash player update request which initiates a malicious download if a user clicks on the Later or Update button.
Malwarebytes notes that the toolkit is being deployed from a hacked website.
“The domain wheelslist[.]net belongs to a legitimate website that has been hacked and where an iframe from chrom-update[.]online is placed as a layer above the normal page”
If the unsuspecting victim then clicks the update or the later button then a file named ‘download.hta’ will be downloaded, if this file is executed then the HTA script will initiate a PowerShell attack.
PowerShell is a scripting language that when used by threat actors can give them unrestricted access to Windows APIs and system inner core. Fileless malware attacks often use default Windows tools to commit malicious actions or move laterally across a network to other machines.
In this cases the PowerShell attack connects to a site on the top level domain .xyz where it retrieves a malware payload package that contains a NetSupport RAT.
RATs (Remote Access Trojans) allow remote administrative control. They can be used to install backdoors and key loggers, take screen shots, and exfiltrate data. Many RATs are used to initiate downloads for other tools, however some are used to take complete control of a system, allowing a hacker to remove all the valuable data they want while keeping the real user in the dark about the compromise.
Fake Update Malware
The researchers at Malwarebytes note that this social engineering toolkit shares a lot in common with an attack they documented in 2018.
The malware named SocGholish also used social engineering tactics to trick users into clicking on fake browser updates that were placed on fabricated browser landing pages.
Malwarebytes notes that even though the templates for SocGholish and the new campaign are different they both display some of the same characteristics:
- Can occasionally be found on the same compromised host
- Abuse or abused a cloud hosting platform (Bitbucket, Dropbox)
- Download a fake update as ‘download.hta’
- Deliver the NetSupport RAT
Malwarebytes commented that: “The template.js file is a beautiful piece of work that goes beyond fake fonts or Flash Player themes. While we initially detected this redirection snippet under the FontPack label, we decided to call this social engineering framework Domen, based on a string found within the code.”