Medium
A newly discovered social engineering toolkit has distributed a wide range of phony web page overlays, generating at least 100,000 page views in a few weeks.
Domen uses a cleverly written client-side script (“template.js”) to deliver these fraudulent overlays, which are loaded as an iframe from compromised websites and displayed on top of the website’s actual legitimate content. Most of the compromised websites run on WordPress.
The single JavaScript file controls a variety of templates depending on the browser, operating system, and locale. For instance, the same fake error message is translated into 30 different languages. Some sample templates can be seen below.
Every time a user visits a compromised site that has been injected with the Domen toolkit, communication takes place with a remote server hosted at asasasqwqq[.]xyz
The Domen toolkit offers the same fingerprinting (browser, language) and choice of templates using client-side (template.js) script which includes a range of browsers, desktops, and mobiles in about 30 different languages.
Unauthorized system access
URLs
Malware Hash (MD5/SHA1/SH256)