Severity
Medium
Analysis Summary
A newly discovered social engineering toolkit has distributed a wide range of phony web page overlays, generating at least 100,000 page views in a few weeks.
Domen uses a cleverly written client-side script (“template.js”) to deliver these fraudulent overlays, which are loaded as an iframe from compromised websites and displayed on top of the website’s actual legitimate content. Most of the compromised websites run on WordPress.
The single JavaScript file controls a variety of templates depending on the browser, operating system, and locale. For instance, the same fake error message is translated into 30 different languages. Some sample templates can be seen below.
Every time a user visits a compromised site that has been injected with the Domen toolkit, communication takes place with a remote server hosted at asasasqwqq[.]xyz
The Domen toolkit offers the same fingerprinting (browser, language) and choice of templates using client-side (template.js) script which includes a range of browsers, desktops, and mobiles in about 30 different languages.
Impact
Unauthorized system access
Indicators of Compromise
URLs
- hxxp[:]//xyxyxyxyxy[.]xyz/wwwwqwe/11223344[.]exe
- hxxp[:]//mnmnmnmnmnmn[.]club/qweeewwqe/112233[.]exe
- drumbaseuk[.]com
- chrom-update[.]online
- xyxyxyxyxy[.]xyz
- http[:]//sygicstyle[.]xyz/
- http[:]//asasasqwqq[.]xyz/
- mnmnmnmnmnmn[.]club
Malware Hash (MD5/SHA1/SH256)
- 9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0
- 632919692a6597419ba2a32b821e82cc
- b832dc81727832893d286decf50571cc740e8aead34badfdf1b05183d2127957
- 852c0299c8b17235551b5ea2c82e648b
- 58585d7b8d0563611664dccf79564ec1028af6abb8867526acaca714e1f8757d
- 7b129aeb6634ce822ed865ff6a299411
Remediation
- Block the threat indicators at their respective controls.
- Always download updates from legitimate websites.
- Do not follow random links/URLs even if they begin with https.
- Aware employees about social engineering campaigns that utilize the ‘fear’ of victims, threatening to cause loss of data.