A new social engineering toolkit has been discovered. The operational premise has been used many times, but the execution of that premise is new and described by security researchers “a beautiful piece of work”.
The basic premise is to compromise a website, usually WordPress, and use that to display an overlay (loaded as an iframe) on the viDomensitors’ screens. The overlay entices visitors to install an update that really downloads the NetSupport RAT. In this it is very similar to the Fake Updates campaign described in April 2018.
The campaign also has some similarities to the EITest and HoeflerText social engineering scheme reported in January 2017. In that instance, the malware payload was the ad fraud malware known as Fleercivet; but the campaign was later observed spreading the Spora ransomware.
Where the new campaign differs is in the complexity and sophistication of distribution. Fake Updates has always employed fingerprinting on the visitor’s browser. The new campaign now makes full use of that fingerprinting to deliver a Chrome (or other browser), Flash Player, of Font Update in any one of 30 different languages. The Font Update overlay seems identical to the one used in the HoeflerText scheme, headed, “The ‘PT Sans’ font wasn’t found”.
Whether the earlier campaigns have inspired new actors, or this is an evolution by the same actors, the researchers from Malwarebytes consider this to be a new campaign that they have called Domen. Each time a user visits the compromised site, the Domen toolkit communicates with a remote server (hosted at asasasqwqq[.]xyz). Based on a number found on that site, the researchers believe that the campaign has received over 100,000 views in the past few weeks.
Domen’s template.js is able to deliver Internet Explorer, Chrome, Firefox, Edge or a generic ‘other’ browser update notice, with separate APK installation instructions for Android devices. Each of these can be translated into any of 30 different languages based on the browser fingerprint: browser type, operating system and locale. The theme is set by a variable, ‘banner’ which will select either Browser Update, Font, or Flash, and can be set by the individual threat actor — and again delivered in any of the 30 languages.
The browser overlays are identical apart from the name and associated logo, and the version number that is supposedly out of date and needs to be updated. In each case the user is warned of potential errors including incorrect site mapping, loss of all stored and personal data, and browser errors. These could be changed by tweaking the template. They are followed with the message, ‘To fix errors and save your data, update your browser to the latest version’, followed by an update button.
The Flash update overlay includes a ‘later’ button as well as the ‘update’ button. Like the other overlays it is provided by the social engineering kit, in this instance hosted on chrom-update[.]online. Clicking either button will download a file called ‘download.hta’, which is currently stored on Atlassian’s Bitbucket platform and hosted on an Amazon server (bbuseruploads.s3.amazonaws.com).
The HTA script runs PowerShell and connects to xyxyxyxyxy[.]xyz in order to retrieve a malware payload — in this instance a package containing the NetSupport RAT. NetSupport is a legitimate remote access tool. It is described by its UK developers as a solution “that allows seamless and secure access to workstations and servers across your enterprise, both locally when in the office, and remotely when on the move”, and is available for desktops, laptops, tablets and smartphones. However, if installed covertly by malicious actors, the tool becomes a trojan.
While the basic social engineering approach is not new, Domen is on a different level. “What makes the Domen toolkit unique,” say the researchers, “is that it offers the same fingerprinting (browser, language) and choice of templates thanks to a client-side (template.js) script which can be tweaked by each threat actor. Additionally, the breadth of possible customizations is quite impressive since it covers a range of browsers, desktop and mobile in about 30 different languages.”
The campaign is another example of the move away from using exploit kits — which is becoming increasingly difficult with the rise of automatically updating browsers — to concentrating on social engineering to get users to infect themselves. Malwarebytes detected a new exploit kit in August 2019, but commented, “Lately there has been a trend of what we call pseudo-exploit kits, where a threat actor essentially grabs a proof of concept for an Internet Explorer or Flash Player vulnerability and crafts a very basic page to load it. It is probably more accurate to describe these as drive-by download attacks, rather than exploit kits.”