September 5, 2019

New Fake Update Malware Toolkit Adapts to Location and Language

"The template.js file is a beautiful piece of work"

By CBR Staff Writer

Santa Clara-based cybersecurity firm Malwarebytes has spotted a new social engineering toolkit that adapts to users’ operating system, browser and location.

The toolkit, named ‘Domen’, is designed around a client-side script that gives attackers a framework to create fake update templates, which entice users to click buttons initiating a malicious download, e.g. via a fake Flash update pop-up.

The toolkit has been customised to work on both desktop and mobile sites. Interestingly, it has also been designed to support 30 languages, suggesting the operators are targeting victims globally.

The toolkit is loaded as an iframe from a compromised website and is displayed as an additional layer over the top of the site.

The malware displays a Flash Player update request which initiates a malicious download if the user clicks either the Later or the Update button.

Malwarebytes notes that the toolkit is being deployed from a hacked website.


“The domain wheelslist[.]net belongs to a legitimate website that has been hacked and where an iframe from chrom-update[.]online is placed as a layer above the normal page”
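The injection pattern described above (a third-party iframe laid over a legitimate page) is something a site owner can check for. The following Python example is added here and is not Malwarebytes' code or part of the Domen toolkit; it parses a page with the standard library, lists every iframe whose source lives on a different registrable domain than the page itself, and notes whether the frame is styled as a full-page overlay. The sample HTML, the path on chrom-update.online and the two-label domain comparison are constructed assumptions for the demonstration.

```python
"""Flag cross-domain iframes injected into a page (added example, not from the article)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append(dict(attrs))


def registrable_domain(host):
    """Crude 'site' extraction: last two labels of the hostname.

    Assumption for the example; production code should consult the
    public suffix list so that e.g. example.co.uk is handled correctly.
    """
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_foreign_iframes(page_url, html):
    """Return iframes whose src is on a different site than page_url."""
    site = registrable_domain(urlparse(page_url).hostname or "")
    collector = IframeCollector()
    collector.feed(html)

    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if not host:
            continue  # relative src resolves to the page's own origin
        if registrable_domain(host) == site:
            continue  # first-party frame, nothing to report
        style = (attrs.get("style") or "").replace(" ", "").lower()
        overlay = "position:fixed" in style or "position:absolute" in style
        findings.append({"src": src, "host": host, "overlay": overlay})
    return findings


# Constructed sample: a page on the compromised domain named in the article,
# with one legitimate first-party frame and one injected overlay frame.
PAGE_URL = "https://www.wheelslist.net/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="https://ads.wheelslist.net/banner.html" width="300" height="90"></iframe>
<iframe src="https://chrom-update.online/placeholder-path"
        style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 9999; border: 0"></iframe>
<p>Site content</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_foreign_iframes(PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Run against the constructed page this reports only the chrom-update.online frame, flagged as an overlay; a scheduled run of the same check against a site's own rendered pages is a cheap way to notice an injected layer before visitors do.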


If the unsuspecting victim clicks either the Update or the Later button, a file named ‘download.hta’ is downloaded. If that file is executed, the HTA script launches a PowerShell stage.

PowerShell is a scripting language that, when abused by threat actors, gives them broad access to Windows APIs and the underlying system. Fileless malware attacks often use default Windows tools to carry out malicious actions or move laterally across a network to other machines.

In this case the PowerShell stage connects to a site on the .xyz top-level domain and retrieves a malware payload package containing the NetSupport RAT.
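The hand-off described in this section, a downloaded .hta run by mshta.exe which then starts PowerShell, leaves a characteristic parent/child pair in process creation telemetry. The Python example below is added here and is not Malwarebytes' code; it runs a simple detection over constructed, Sysmon-style process events (field names simplified for the example) and raises the severity when the parent mshta.exe was started from a file in a Downloads folder.

```python
"""Detect mshta.exe launching PowerShell in process creation events (added example)."""
import ntpath

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
# Field names are simplified for the example; real collectors differ.
EVENTS = [
    {
        "pid": 4120,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_command_line": r"C:\Windows\explorer.exe",
    },
    {
        "pid": 5288,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -w hidden -ep bypass <placeholder>",
        "parent_image": r"C:\Windows\System32\mshta.exe",
        "parent_command_line": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\download.hta"',
    },
    {
        "pid": 6012,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\Scripts\backup.ps1",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_command_line": r"cmd.exe /c C:\Scripts\nightly.bat",
    },
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Case-insensitive file name from a Windows path."""
    return ntpath.basename(path).lower()


def detect_hta_to_powershell(events):
    """Return an alert for every PowerShell process whose parent is mshta.exe.

    Severity is 'high' when the HTA file was run from a Downloads folder
    (the delivery path the article describes), otherwise 'medium'.
    """
    alerts = []
    for ev in events:
        if basename(ev["image"]) not in POWERSHELL_IMAGES:
            continue
        if basename(ev["parent_image"]) != "mshta.exe":
            continue
        parent_cmd = ev["parent_command_line"].lower()
        from_downloads = ".hta" in parent_cmd and "\\downloads\\" in parent_cmd
        alerts.append(
            {
                "pid": ev["pid"],
                "rule": "mshta_spawns_powershell",
                "severity": "high" if from_downloads else "medium",
                "parent_command_line": ev["parent_command_line"],
                "command_line": ev["command_line"],
            }
        )
    return alerts


if __name__ == "__main__":
    for alert in detect_hta_to_powershell(EVENTS):
        print(alert)
```

On the constructed events only the second one fires; the scheduled PowerShell run under cmd.exe is left alone, which is the point of keying on the parent image rather than on PowerShell alone.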

RATs (Remote Access Trojans) give an attacker remote administrative control. They can be used to install backdoors and keyloggers, take screenshots, and exfiltrate data. Many RATs are used to download further tools; some are used to take complete control of a system, allowing the attacker to remove all the valuable data they want while keeping the real user in the dark about the compromise.


The researchers at Malwarebytes note that this social engineering toolkit shares a lot in common with an attack they documented in 2018.

The malware named SocGholish also used social engineering tactics to trick users into clicking on fake browser updates that were placed on fabricated browser landing pages.

Malwarebytes notes that even though the templates for SocGholish and the new campaign are different they both display some of the same characteristics:

  • Can occasionally be found on the same compromised host
  • Abuse or abused a cloud hosting platform (Bitbucket, Dropbox)
  • Download a fake update as ‘download.hta’
  • Deliver the NetSupport RAT

However, the Domen toolkit appears to be a far more sophisticated piece of malware, especially when you consider that a single JavaScript file controls an array of templates that change the fake error message depending on the user's operating system, browser and location.

Malwarebytes commented that: “The template.js file is a beautiful piece of work that goes beyond fake fonts or Flash Player themes. While we initially detected this redirection snippet under the FontPack label, we decided to call this social engineering framework Domen, based on a string found within the code.”
