Threat Watch

Domen Malware Toolkit

A new malware toolkit has emerged in the past few days that is attempting to infect users via compromised websites. Most of the compromised websites, which are unknowingly hosting the toolkit, are built on WordPress, which leaves them vulnerable to exploitation. The toolkit, dubbed Domen, abuses users' trust through a classic social engineering attack: it relies on the fact that most users know that updates are necessary, and it piggybacks on the trustworthiness of the programs it claims to represent. Domen targets both PC and mobile users, has been found in a minimum of 30 different languages, and its ability to adapt to a variety of browsers makes it extremely dangerous. Domen places pop-up tabs on the infected websites that ask the user to update popular services such as Flash Player. Once a user clicks the button accepting the software update, a file named “download.hta” is downloaded to the user’s device. Once downloaded, the file self-executes a remote access tool that connects back to the hacker, who can then send whatever malware payload they desire. The remote access tool disguises itself by naming itself NetSupport Manager.

ANALYST NOTES

A quality antivirus/malware detection tool that is kept constantly updated should easily detect and remove this malicious file. A user who wants to check whether the file is present can search their computer for the keyword “NetSupport Manager.”
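The infection chain above (an .hta dropper downloaded from a fake update prompt, which then launches a remote access tool named after NetSupport Manager) can be turned into simple endpoint detection rules. The following is an added example, not part of the original advisory: it runs three rules over constructed, pipe-delimited process-creation events (parent image, image, command line). The sample paths, user name and the client.exe file name are invented for illustration; mshta.exe is the Windows host that executes .hta files.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events, not taken from the advisory.
# Each line: parent_image|image|command_line
SAMPLE_LOG = """\
C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe "C:\\Users\\alice\\Downloads\\download.hta"
C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c start client.exe
C:\\Windows\\explorer.exe|C:\\Program Files\\NetSupport Manager\\client.exe|client.exe
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt
"""


def hta_path(command_line):
    """Return the .hta file referenced on a command line (quoted or bare), or None."""
    m = re.search(r'"([^"]+\.hta)"|(\S+\.hta)\b', command_line, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def classify(parent, image, command_line):
    """Return the list of rule names an event matches (empty list = nothing flagged)."""
    reasons = []
    image_name = PureWindowsPath(image).name.lower()
    parent_name = PureWindowsPath(parent).name.lower()
    hta = hta_path(command_line)
    # Rule 1: mshta.exe running an .hta out of a user download/temp location,
    # with a sub-check for the exact dropper name the advisory names.
    if image_name == "mshta.exe" and hta:
        parts = [p.lower() for p in PureWindowsPath(hta).parts]
        if "downloads" in parts or "temp" in parts:
            reasons.append("hta-run-from-user-download-location")
        if PureWindowsPath(hta).name.lower() == "download.hta":
            reasons.append("filename-matches-domen-dropper")
    # Rule 2: anything spawned by mshta.exe (the dropper launching its payload).
    if parent_name == "mshta.exe":
        reasons.append("child-process-of-mshta")
    # Rule 3: the keyword the analyst note suggests searching for.
    if "netsupport manager" in (image + " " + command_line).lower():
        reasons.append("netsupport-manager-keyword")
    return reasons


def scan(log_text):
    """Parse pipe-delimited events; return [(line_no, image, reasons)] for flagged events."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        parent, image, cmd = line.split("|", 2)
        reasons = classify(parent, image, cmd)
        if reasons:
            hits.append((n, image, reasons))
    return hits


if __name__ == "__main__":
    for n, image, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {image} -> {', '.join(reasons)}")
```

The keyword rule also fires on legitimate installations of NetSupport Manager, which is a real remote administration product, so treat it as a triage signal to be confirmed against the first two rules rather than as proof of infection on its own.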