Meet Domen, a New and Sophisticated Social Engineering Toolkit

A new social engineering toolkit has been discovered. Its operational premise has been used many times before, but the execution of that premise is new, and security researchers have described it as "a beautiful piece of work".


The basic premise is to compromise a website, usually a WordPress site, and use it to display an overlay (loaded as an iframe) on visitors' screens. The overlay entices visitors to install an update that actually downloads the NetSupport RAT. In this it is very similar to the Fake Updates campaign described in April 2018.


The campaign also has some similarities to the EITest and HoeflerText social engineering scheme reported in January 2017. In that instance, the malware payload was the ad fraud malware known as Fleercivet; but the campaign was later observed spreading the Spora ransomware.


Where the new campaign differs is in the complexity and sophistication of its distribution. Fake Updates has always fingerprinted the visitor's browser. The new campaign makes full use of that fingerprinting to deliver a Chrome (or other browser), Flash Player, or Font Update lure in any one of 30 different languages. The Font Update overlay appears identical to the one used in the HoeflerText scheme, headed "The 'PT Sans' font wasn't found".


Whether the earlier campaigns have inspired new actors, or this is an evolution by the same actors, the researchers from Malwarebytes consider this to be a new campaign that they have called Domen. Each time a user visits the compromised site, the Domen toolkit communicates with a remote server (hosted at asasasqwqq[.]xyz). Based on a ..
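The injection described above (a cross-origin iframe pinned over the whole page of a compromised site, served from the toolkit's remote host) is something a site owner or responder can look for in the HTML a compromised WordPress site actually serves. The following is an added example, not code from the Malwarebytes research or from the Domen toolkit itself: it parses a page, ignores same-origin and ordinary embeds, and flags any third-party iframe with full-viewport overlay styling, plus anything loaded from the one host the article names (asasasqwqq[.]xyz, written undefanged in the code). The sample HTML and the site hostname `victim.example` are constructed for the example; the overlay CSS heuristic is an assumption about how such a frame is typically styled, not a signature taken from the report.

```python
"""Scan served HTML for a Domen-style injected full-page iframe (added example)."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# The only indicator this article gives: the remote host the toolkit talks to.
KNOWN_DOMEN_HOSTS = {"asasasqwqq.xyz"}


def _is_overlay(style: str) -> bool:
    """Rough check for inline CSS that pins a frame over the whole viewport (assumed heuristic)."""
    s = style.replace(" ", "").lower()
    pinned = "position:fixed" in s or "position:absolute" in s
    full = ("width:100%" in s or "width:100vw" in s) and (
        "height:100%" in s or "height:100vh" in s
    )
    return pinned and full


class FrameCollector(HTMLParser):
    """Record every <iframe> / <script> that has a src attribute, with its inline style."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}  # bare attributes come through as None
        if a.get("src"):
            self.elements.append({"tag": tag, "src": a["src"], "style": a.get("style", "")})


def scan_page(html: str, site_host: str) -> list[dict]:
    """Return findings for cross-origin frames/scripts that look like a Domen-style injection.

    site_host is the hostname of the site whose HTML this is; loads from that host
    (and relative URLs) are treated as the site's own content and skipped.
    """
    parser = FrameCollector()
    parser.feed(html)
    findings = []
    for el in parser.elements:
        host = urlparse(el["src"]).hostname  # relative src -> None, "//host/x" -> host
        if not host or host == site_host:
            continue
        reasons = []
        if host in KNOWN_DOMEN_HOSTS or any(host.endswith("." + h) for h in KNOWN_DOMEN_HOSTS):
            reasons.append("known-domen-host")
        if el["tag"] == "iframe" and _is_overlay(el["style"]):
            reasons.append("offsite-fullscreen-iframe")
        if reasons:
            findings.append({"tag": el["tag"], "host": host, "reasons": reasons})
    return findings


# Constructed sample: a WordPress-style page with two legitimate frames and one injected overlay.
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/wp-content/plugins/example/widget.html"></iframe>
<iframe src="https://asasasqwqq.xyz/update.php"
        style="position:fixed; top:0; left:0; width:100%; height:100%; z-index:2147483647; border:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "victim.example"):
        print(finding)
```

This only catches an injection that is present as a static tag in the HTML the server returns. If the compromised site instead loads a script that builds the overlay at runtime, feed the rendered DOM (for example, the page source captured from a headless browser after load) to the same `scan_page` function; the `offsite-fullscreen-iframe` heuristic is deliberately independent of the host name so that a new toolkit domain still surfaces for review.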
