A new toolkit has emerged in the past few days, infecting users via compromised websites.

Most of the compromised websites unknowingly hosting the toolkit run WordPress; the sites were broken into and the toolkit's code injected into their pages, so that every visitor is served the fake prompts described below.

The toolkit has been dubbed Domen and abuses users' trust in a classic social engineering move. Relying on the fact that most users know updates are necessary, its creators piggyback on the reputation of the software brands they impersonate.

When users see a notification for a required update from software they already have and trust, chances are they will approve it without thinking twice. That is how the Domen toolkit spreads: the "update" installs a remote access tool that lets the attackers control the infected device remotely, take screenshots, steal data and more.

The Domen toolkit was first discovered by security researcher Jérôme Segura, and further reported on by security researcher mol69.

How Does the Domen Toolkit Work?

The Domen Toolkit targets both PC and mobile users. So far, security researchers have discovered Domen messages being delivered in as many as 30 different languages. Besides the linguistic variety, the Domen toolkit is also remarkable in its high level of customization and sophistication.

Because of this flexibility, the toolkit adapts its prompts to the visitor's browser, operating system and client. This is what makes Domen more dangerous than the run-of-the-mill exploit kits abusing Flash vulnerabilities: an exploit kit needs an unpatched browser or plugin to succeed, whereas Domen needs only one click from the user, so a fully patched system offers no protection against it.

When an internet user visits a website carrying the Domen toolkit, they see pop-ups prompting them to install a "required" software update. The prompts impersonate several software brands and, so far, have been seen in 30 languages.

For example, here is a screenshot of a fake Chrome update prompt.

[Screenshot: fake Chrome update notification]

Screenshot courtesy of Bleeping Computer.

Once you click the button accepting the software update, a file named download.hta is downloaded to your computer.

When executed, download.hta fetches a second-stage script, template.js, and saves it to disk as %Temp%\jscheck.exe. That stage in turn retrieves the client-side remote access tool. Unlike most kits, Domen lets the operator customize this step: the attacker running the campaign chooses which malware payload is delivered once the machine is compromised, so not all victims of the same fake update prompt ended up with the same malware strains.

The remote access tool fetched by the initial file (download.hta) is installed and started automatically; there is no further prompt. On a PC you can spot it in the list of running processes under the name NetSupport Manager, as in the screenshot below.

[Screenshot: remote access malware shown in the list of running processes]

Screenshot courtesy of Bleeping Computer.

However, if you were infected on a mobile device, this quick check is harder to perform, because mobile operating systems do not expose the list of running processes as readily.

The good news is that if your device is protected by a current endpoint security product and a DNS traffic filter, the NetSupport Manager installation should not go unnoticed, and the payload download can be blocked at the DNS layer before it ever runs. One caveat: NetSupport Manager is a legitimate commercial remote-administration tool, so some products flag it only as riskware or a potentially unwanted application rather than as malware. Treat any such alert on a machine where nobody installed it deliberately as a sign of compromise.

Unfortunately, the Domen toolkit can install other things besides NetSupport Manager. It is up to the attacker running the campaign to choose which malware payload is delivered and installed, so what you end up with is a bit of a wildcard.

How to detect the Domen Toolkit and How to Stay Safe

As mentioned above, a quick way to check a PC is to open the list of running processes: if NetSupport Manager is running and neither you nor your administrator installed it, treat the machine as compromised. Two caveats apply. The tool is legitimate software that some organizations use for remote support, so its presence alone is not proof of infection; and the attacker can rename the executable, so check the process description and the file's location (anything launched from %Temp%, for instance) rather than relying on the process name alone.
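The manual check above can be automated over process-creation telemetry. The following is an added example, not code from this article or from Heimdal: it scans simplified process-creation records (Sysmon Event ID 1 style field names are assumed) for the three stages the article names, download.hta, %Temp%\jscheck.exe and a running NetSupport Manager process, and it only flags the third when its parent is a script host or the stage-two binary, so a NetSupport client installed legitimately as a service is not reported. It assumes the .hta is launched by mshta.exe, the Windows HTA host, which the article does not state; the log records and file paths are constructed for illustration.

```python
"""Heuristic detection of the Domen fake-update chain over process-creation events.

Added example; not code from the original article or from any vendor.
Field names follow a simplified Sysmon Event ID 1 layout (assumption).
"""
import ntpath
import re

# Indicators named in the article: download.hta, %Temp%\jscheck.exe and a
# process described as "NetSupport Manager". mshta.exe as the launcher of
# the .hta file is an assumption (standard Windows HTA host, not stated on the page).
TEMP_DIR_FRAGMENTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def basename(path):
    """Lower-cased Windows file name of a path ('' if empty)."""
    return ntpath.basename(path).lower()


def in_temp(path):
    """True when the path lives in a user or system Temp directory."""
    return any(frag in path.lower() for frag in TEMP_DIR_FRAGMENTS)


def classify(event):
    """Return the indicator names a single process-creation event matches."""
    hits = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "").lower()
    desc = event.get("description", "").lower()

    # Stage 1: the HTA host executing a file called download.hta.
    if image == "mshta.exe" and re.search(r"download\.hta\b", cmd):
        hits.append("stage1_download_hta")
    # Stage 2: jscheck.exe running out of a Temp directory.
    if image == "jscheck.exe" and in_temp(event.get("image", "")):
        hits.append("stage2_jscheck_in_temp")
    # Stage 3: NetSupport Manager spawned by a script host or by stage 2.
    # Matching on the file description, not the name, survives a renamed binary;
    # requiring a suspicious parent avoids flagging a legitimately installed client.
    if "netsupport" in desc and parent in SCRIPT_HOSTS | {"jscheck.exe"}:
        hits.append("stage3_netsupport_rat")
    return hits


def scan(events):
    """(pid, indicator) pairs for every event that matches at least one stage."""
    return [(e["pid"], hit) for e in events for hit in classify(e)]


def chain_detected(events):
    """True when all three stages of the chain are present in the event set."""
    seen = {hit for _, hit in scan(events)}
    return {"stage1_download_hta", "stage2_jscheck_in_temp",
            "stage3_netsupport_rat"} <= seen


# Constructed sample telemetry (paths and PIDs are made up for illustration).
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\download.hta"',
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "description": "Microsoft (R) HTML Application host"},
    {"pid": 4380, "image": r"C:\Users\alice\AppData\Local\Temp\jscheck.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\jscheck.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "description": ""},
    # Renamed binary: the file name says nothing, the description gives it away.
    {"pid": 4410, "image": r"C:\Users\alice\AppData\Roaming\Update\update.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\Update\update.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\jscheck.exe",
     "description": "NetSupport Manager"},
    # Benign: an installer HTA opened by the user from Explorer.
    {"pid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "parent_image": r"C:\Windows\explorer.exe",
     "description": "Microsoft (R) HTML Application host"},
    # Benign: NetSupport client installed by IT and started as a service.
    {"pid": 5000, "image": r"C:\Program Files\NetSupport\client.exe",
     "command_line": r"C:\Program Files\NetSupport\client.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "description": "NetSupport Manager"},
]

if __name__ == "__main__":
    for pid, hit in scan(SAMPLE_EVENTS):
        print(pid, hit)
    print("full chain:", chain_detected(SAMPLE_EVENTS))
```

Run against the constructed events, the three malicious records are reported (one indicator each) and the two benign ones are not; chain_detected then confirms that all three stages were seen. Running the same logic on real endpoint telemetry only needs a small adapter from the product's field names to the four used here.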

Depending on the stage of the infection, you might notice other signs that something is wrong. The signs that your computer is infected with malware are numerous and can differ depending on the exact malware you are infected with.

By and large, though, any sudden change in the machine's behaviour, evidence of someone using your computer remotely, apps or software you don't remember installing, or your browser homepage changing are all signs of a malware infection.

A good cybersecurity suite should help you get rid of the infections quickly, but by then the damage might already be done. If hackers used the infection to compromise your data or steal accounts, it could prove difficult to put a lid on it. As always, prevention is the best cure.

To make sure you don’t fall for the Domen toolkit or similar fake notifications, why not install an automatic software updater, like our Heimdal Free?


The Heimdal software updater is free to use and automatically applies patches to the outdated third-party software it monitors, closing the known vulnerabilities those old versions carry. Whenever an update is available for one of your installed applications, Heimdal™ Free applies it silently in the background, without prompting you for permission or a restart at every update.

This way, even if you are targeted by messages such as the ones used by the Domen toolkit, you will have no reason to think they are legitimate: a tool you already trust is handling your updates. Keep in mind, too, that genuine updates never arrive as a pop-up on an unrelated website; browsers such as Chrome update themselves from within the application.

Good luck and stay safe.

P.S: If you already have an active Heimdal Threat Prevention Home or Heimdal Premium Security Home license, you are benefitting from the Heimdal Free functionalities so there’s no need to install the automatic software updater. 
