
Rewterz Threat Alert – Domen Social Engineering Toolkit Generates 100,000 Page Views

September 5, 2019

Severity

Medium

Analysis Summary

A newly discovered social engineering toolkit has distributed a wide range of phony web page overlays, generating at least 100,000 page views in a few weeks.

Domen uses a cleverly written client-side script (“template.js”) to deliver these fraudulent overlays, which are loaded as an iframe from compromised websites and displayed on top of the website’s actual legitimate content. Most of the compromised websites run on WordPress.

The single JavaScript file controls a variety of templates depending on the browser, operating system, and locale. For instance, the same fake error message is translated into 30 different languages. Some sample templates can be seen below.

[Figure: sample Domen overlay templates. Caption: Customized templates that can be chosen by operators]

Every time a user visits a compromised site that has been injected with the Domen toolkit, the injected script communicates with a remote server hosted at asasasqwqq[.]xyz.

The fingerprinting (browser, language) and the choice of template are both handled by the client-side script (template.js), which carries templates for a range of desktop and mobile browsers in about 30 different languages.

Impact

Unauthorized system access

Indicators of Compromise

URLs

  • hxxp[:]//xyxyxyxyxy[.]xyz/wwwwqwe/11223344[.]exe
  • hxxp[:]//mnmnmnmnmnmn[.]club/qweeewwqe/112233[.]exe
  • drumbaseuk[.]com
  • chrom-update[.]online
  • xyxyxyxyxy[.]xyz
  • http[:]//sygicstyle[.]xyz/
  • http[:]//asasasqwqq[.]xyz/
  • mnmnmnmnmnmn[.]club


Malware Hashes (MD5/SHA1/SHA256)

  • SHA256: 9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0
  • MD5: 632919692a6597419ba2a32b821e82cc
  • SHA256: b832dc81727832893d286decf50571cc740e8aead34badfdf1b05183d2127957
  • MD5: 852c0299c8b17235551b5ea2c82e648b
  • SHA256: 58585d7b8d0563611664dccf79564ec1028af6abb8867526acaca714e1f8757d
  • MD5: 7b129aeb6634ce822ed865ff6a299411

Remediation

  • Block the threat indicators at their respective controls.
  • Always download updates from legitimate websites.
  • Do not follow random links/URLs even if they begin with https.
  • Make employees aware of social engineering campaigns that exploit victims' fear, for example by threatening loss of data.
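The following is an added example written for this advisory, not a tool from Rewterz or from the Domen research. It takes the defanged indicators listed above, refangs them into a set of hostnames and hashes, and then checks them against three kinds of constructed sample data: a page body (looking for injected iframe or script sources that point at an indicator domain, as the Analysis Summary describes), a few proxy log lines, and a list of observed file hashes. The HTML snippet, the log lines and the non-matching hash are constructed for the example; the iframe path "/overlay" and the request paths in the log are assumptions, not values from the advisory.

```python
"""Added example: match the advisory's indicators against sample data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL / domain indicators exactly as listed in the advisory (defanged).
DEFANGED_IOCS = [
    "hxxp[:]//xyxyxyxyxy[.]xyz/wwwwqwe/11223344[.]exe",
    "hxxp[:]//mnmnmnmnmnmn[.]club/qweeewwqe/112233[.]exe",
    "drumbaseuk[.]com",
    "chrom-update[.]online",
    "xyxyxyxyxy[.]xyz",
    "http[:]//sygicstyle[.]xyz/",
    "http[:]//asasasqwqq[.]xyz/",
    "mnmnmnmnmnmn[.]club",
]

# File hashes from the advisory (SHA256 and MD5, lower-case).
IOC_HASHES = {
    "9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0",
    "632919692a6597419ba2a32b821e82cc",
    "b832dc81727832893d286decf50571cc740e8aead34badfdf1b05183d2127957",
    "852c0299c8b17235551b5ea2c82e648b",
    "58585d7b8d0563611664dccf79564ec1028af6abb8867526acaca714e1f8757d",
    "7b129aeb6634ce822ed865ff6a299411",
}


def refang(indicator):
    """Turn a defanged indicator (hxxp, [.], [:]) back into its real form."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def ioc_domains(indicators):
    """Extract the set of hostnames from URL and bare-domain indicators."""
    domains = set()
    for ioc in indicators:
        clean = refang(ioc)
        host = urlparse(clean).hostname if "://" in clean else clean.split("/")[0]
        if host:
            domains.add(host.lower())
    return domains


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every iframe and script tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_injected_sources(html, domains):
    """Return iframe/script src values whose host is an indicator domain."""
    parser = _SrcCollector()
    parser.feed(html)
    return [src for src in parser.sources
            if (urlparse(src).hostname or "").lower() in domains]


def scan_proxy_log(lines, domains):
    """Return (line number, host) for every request to an indicator domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in line.split():
            if "://" in token:
                host = (urlparse(token).hostname or "").lower()
                if host in domains:
                    hits.append((number, host))
    return hits


def match_hashes(observed):
    """Return the observed hashes that appear in the advisory's hash list."""
    return sorted(h.lower() for h in observed if h.lower() in IOC_HASHES)


# Constructed sample page: one legitimate relative script, one iframe whose
# source points at an indicator domain (the "/overlay" path is an assumption).
SAMPLE_PAGE = """<html><body>
<script src="/wp-includes/js/jquery.js"></script>
<div class="post">Legitimate blog content</div>
<iframe style="position:fixed;top:0;left:0;width:100%;height:100%"
        src="http://asasasqwqq.xyz/overlay"></iframe>
</body></html>"""

# Constructed proxy log lines; hosts on lines 2 and 3 are advisory indicators.
SAMPLE_PROXY_LOG = [
    "2019-09-05T10:12:01Z 10.0.0.5 GET http://blog.example.test/index.php 200",
    "2019-09-05T10:12:02Z 10.0.0.5 GET http://asasasqwqq.xyz/check 200",
    "2019-09-05T10:12:09Z 10.0.0.5 GET http://xyxyxyxyxy.xyz/wwwwqwe/11223344.exe 200",
    "2019-09-05T10:13:30Z 10.0.0.7 GET https://updates.example.test/patch 200",
]

if __name__ == "__main__":
    domains = ioc_domains(DEFANGED_IOCS)
    print("indicator domains:", sorted(domains))
    print("injected sources:", find_injected_sources(SAMPLE_PAGE, domains))
    print("proxy hits:", scan_proxy_log(SAMPLE_PROXY_LOG, domains))
    print("hash hits:", match_hashes(["632919692a6597419ba2a32b821e82cc",
                                      "d41d8cd98f00b204e9800998ecf8427e"]))
```

Matching is done on the hostname rather than the full URL so that the two executable download URLs and the bare domains collapse to the same block list; a production version would feed the same set into the proxy or DNS control rather than scanning exported logs.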