Some of the most common web threats we track have a social engineering component. Perhaps the more popular ones are those encountered via malvertising, or hacked websites that push fraudulent updates.
We recently identified a website compromise with a scheme we had not seen before; it's part of a campaign using a social engineering toolkit that has drawn over 100,000 visits in the past few weeks.
The toolkit, which we dub Domen, is built around a detailed client-side script that acts as a framework for different fake update templates, customized for both desktop and mobile users in up to 30 languages.
Loaded as an iframe from compromised websites (most of them running WordPress) and displayed over top as an additional layer, it entices victims to install so-called updates that instead download the NetSupport remote administration tool. In this blog we describe its tactics, techniques, and procedures (TTPs) that remind us of some past and current social engineering campaigns.
Fake Flash Player update
The premise looks typical of many other social engineering toolkit templates we've come across before. Here, users are tricked into downloading and running a Flash Player update:
Note that the domain wheelslist[.]net belongs to a legitimate website that has been hacked and where an iframe from chrom-update[.]online is placed as a layer above the normal page:
Clicking the UPDATE or LATER button downloads a file called 'download.hta', indexed on Atlassian's Bitbucket platform and hosted on an Amazon server (bbuseruploads.s3.amazonaws.com):
Upon execution, that HTA script will run PowerShell and connect to xyxyxyxyxy[.]xyz in order to retrieve a malware payload.
That payload is a package that contains the NetSupport RAT:
Link with "FakeUpdates" aka SocGholish
In late 2018, we documented a malicious redirection campaign that we dubbed FakeUpdates, also known as SocGholish based on a ruleset from EmergingThreats. It leverages compromised websites and performs some of the most creative fingerprinting checks we've seen, before delivering its payload (NetSupport RAT).
We recently noticed a tweet that reported SocGholish via the compromised site fistfuloftalent[.]com, although the linked sandbox report shows the same template we described earlier, which is different than the SocGholish one:
The reason why the sandbox is flagging SocGholish is because the compromised site contains artifacts related to it, and does, in some circumstances, actually redirect to it:
Although the templates for SocGholish and the new campaign are different, they both:
- can occasionally be found on the same compromised host
- abuse or abused a cloud hosting platform (Bitbucket, Dropbox)
- download a fake update as 'download.hta'
- deliver the NetSupport RAT
Side note: A publicly saved VirusTotal graph (saved screenshot here) shows that the threat actors also used DropBox at some point to host the netSupport RAT. They double compressed the file, first as zip and then as rar.
Similarities with SocGholish could be simply due to the threat actor getting inspired by what has been done before. However, the fact that both templates deliver the same RAT is something noteworthy.
Link with EITest
At about the same time as we were reviewing this new redirection chain, we saw this other one identified by @tkanalyst tagged as FontPack that is reminiscent of the HoeflerText social engineering toolkit reported by Proofpoint in early 2017.
A closer look at the template.js file confirms they are practically identical except for a different payload URL and some unique identifiers:
Domen social engineering kit
The template.js file is a beautiful piece of work that goes beyond fake fonts or Flash Player themes. While we initially detected this redirection snippet under the FontPack label, we decided to call this social engineering framework Domen, based on a string found within the code.
One particular variable called "banner" sets the type of social engineering theme: var banner = '2'; // 1 - Browser Update | 2 - Font | 3 - Flash
There is also a template for mobile devices (which again is translated into 30 languages) that instructs users how to download and run a (presumably malicious) APK:
Scope and stats
The scope of this campaign remains unclear but it has been fairly active in the past few weeks. Every time a user visits a compromised site that has been injected with the Domen toolkit, communication takes place with a remote server hosted at asasasqwqq[.]xyz:
The page will create a GET request that returns a number:
If we trust those numbers (a subsequent visit increments it by 1), it means this particular campaign has received over 100,000 views in the past few weeks.
Over time, we have seen a number of different social engineering schemes. For the most part, they are served dynamically based on a user's geolocation and browser/operating system type. This is common, for example, with tech support scam pages (browlocks) where the server will return the appropriate template for each victim.
What makes the Domen toolkit unique is that it offers the same fingerprinting (browser, language) and choice of templates thanks to a client-side (template.js) script which can be tweaked by each threat actor. Additionally, the breadth of possible customizations is quite impressive since it covers a range of browsers, desktop, and mobile in about 30 different languages.
Malwarebytes users were already protected against this campaign thanks to our anti-exploit protection that thwarts the .hta attack before it can even retrieve its payload.
Note: We shared a traffic capture with the folks at EmergingThreats who created a new set of rules for it.
Indicators of compromise
Domen social engineering kit host