Domen is a malware delivery toolkit that uses extensive reconnaissance and social engineering techniques to ensure its delivery campaigns are successful. Domen is able to target desktop and mobile users in thirty different languages across more than twenty countries.
The group operating Domen uses previously compromised websites, primarily running content management systems or blogging platforms, as initial watering holes. The group then places an HTML iframe element containing Domen on the compromised sites. Users are directed to the sites via malicious adverts or redirects from other legitimate sites. There are also unconfirmed reports suggesting the group distributes links to the compromised sites via spam email campaigns.
The idea of this kit is to compromise a website, usually WordPress, and use that to display an overlay (loaded as an iframe) on the visitors’ screens. The overlay entices visitors to install an update that really downloads the NetSupport RAT.
Once a user reaches a compromised site, Domen will execute several scripts to collect user and system information including operating system version, location and browser activity. It will then use this information to display an overlay asking the user to download a relevant product or technology. Interacting with this overlay will download the intended payload, which will differ depending on the user profile and device operating system.
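The injection described above leaves a footprint in the compromised site's own HTML: an iframe whose source is on a host the site does not control, styled to cover the whole viewport. The following is an added example of a page-integrity check a site owner could run over their own rendered pages; it is not code from the advisory or from the toolkit. The sample HTML, the hostnames in it and the overlay-style heuristic are constructed assumptions.

```python
"""
Added example (not part of the original advisory): scan a page's HTML for
iframes that look injected, i.e. whose src points to a host other than the
site itself, or whose inline style turns them into a full-page overlay.
Sample HTML and hostnames below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments typical of a viewport-covering overlay (heuristic only;
# the threshold of two hits is an assumption, not a rule from the advisory).
OVERLAY_STYLE_HINTS = ("position:fixed", "position:absolute", "z-index",
                       "100%", "100vh", "100vw")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append(dict(attrs))


def _normalise_style(style):
    """Lower-case the style string and strip whitespace so hints match."""
    return re.sub(r"\s+", "", (style or "").lower())


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected.

    An iframe is flagged when its src is on a different host than the site,
    or when its inline style makes it a full-page overlay. Relative sources
    (no host) are treated as on-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append(f"off-site source host {host}")
        style = _normalise_style(attrs.get("style"))
        hits = [h for h in OVERLAY_STYLE_HINTS if h in style]
        if len(hits) >= 2:
            reasons.append("overlay styling: " + ", ".join(hits))
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate on-site embed, one relative embed, and
# one injected off-site iframe styled as a full-page overlay.
SAMPLE_HTML = """
<html><body>
<h1>Blog</h1>
<iframe src="https://blog.example.org/embed/player" width="400" height="300"></iframe>
<iframe src="/embed/comments" width="400" height="200"></iframe>
<iframe src="https://overlay-host.invalid/update.html"
        style="position:fixed; top:0; left:0; width:100%; height:100%; z-index:99999; border:0">
</iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "blog.example.org"):
        print(src)
        for reason in reasons:
            print("  -", reason)
```

Run against a saved copy of each page (or the output of `curl` on the site's own URLs), the check reports only the overlay iframe; the on-site and relative embeds pass. Comparing the result against a known-good baseline of the site's templates turns this into a simple periodic integrity alarm.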
- Microsoft Windows – All versions
- Apple iOS – All versions
- Apple macOS – All versions
- Google Android – All versions
Indicators of Compromise
SHA256 File Hashes