Distributing malware has never been easier for cyber criminals with the introduction of social engineering toolkits to create fake update notifications, security researchers warn.
The warning follows the discovery of a toolkit, dubbed Domen, that is designed to create desktop and mobile software update campaigns in up to 30 different languages to trick victims into installing a remote access trojan (RAT) by running what they think is a legitimate software update.
A RAT is malware that typically includes a backdoor for administrative control over the target computer, making it possible for an attacker to do just about anything on the targeted computer, including: monitoring user behaviour through keyloggers or other spyware; accessing confidential information, such as credit card numbers; activating a system's webcam; distributing malware; and deleting, downloading or altering files and file systems.
Domen is built around a very detailed client-side script that acts as a framework for a range of highly customisable fake update templates, including templates for Flash Player updates, browser updates and missing font notifications, according to researchers at security firm Malwarebytes.
“We recently identified a website compromise with a scheme we had not seen before, part of a campaign using a social engineering kit that has drawn over 100,000 visits in the past few weeks,” said Jérôme Segura, director of threat intelligence at Malwarebytes.
“Loaded as an IFrame from compromised websites (most of them running WordPress) and displayed over the top as an additional layer, [the toolkit] entices victims to install so-called updates that instead download the NetSupport remote administration tool,” he wrote in a blog post.
Over time, said Segura, the Malwarebytes research team has seen a number of different social engineering schemes, which are mainly served dynamically based on a user’s geolocation and browser/operating system type.
“This is very common, for example, with tech support scam pages, where the server will return the appropriate template for each victim,” he said. “What makes the Domen toolkit unique is that it offers the same fingerprinting (browser, language) and choice of templates, thanks to a client-side (template.js) script which can be tweaked by each threat actor.”
While Malwarebytes users are protected against this campaign by its anti-exploit protection mechanism, the security firm has published a list of indicators of compromise to help organisations defend against it.
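The mechanism described above (an off-origin iframe injected into a compromised WordPress page and styled as a full-page overlay, driven by a client-side script) lends itself to a simple page-source triage check that a site owner can run offline. The following is an added example written for this article, not code from Malwarebytes or from the toolkit: it parses a page with the standard library, flags iframes and scripts that load from a host other than the site's own, and rates an off-origin iframe higher when its inline style looks like an overlay (fixed or absolute positioning, 100% width/height, large z-index). The sample HTML, the `example-blog.test` site host and the `update-notice.invalid` lure host are constructed for the example.

```python
"""Triage a page's HTML for injected overlay iframes and off-origin scripts.

Added illustration for a defender auditing a WordPress site; it is not part
of the original article. Heuristic only: legitimate embeds (video players,
analytics) are also off-origin, so findings are a review list, not verdicts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments typical of an element layered over the whole page.
OVERLAY_PATTERNS = (
    re.compile(r"position\s*:\s*(fixed|absolute)", re.I),
    re.compile(r"z-index\s*:\s*\d{3,}", re.I),
    re.compile(r"(width|height)\s*:\s*100%", re.I),
)
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


class _Collector(HTMLParser):
    """Collect every <iframe> and <script> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.elements.append((tag, {k: (v or "") for k, v in attrs}))


def _host(src):
    """Hostname of a src value; '' for relative (same-origin) paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def _looks_like_overlay(style):
    """Two or more overlay indicators in the inline style is enough to flag."""
    return sum(1 for p in OVERLAY_PATTERNS if p.search(style)) >= 2


def find_injected_frames(html, site_host):
    """Return findings sorted by severity (high first).

    high   : off-origin iframe styled as a full-page overlay (the lure pattern)
    medium : off-origin iframe without overlay styling
    info   : off-origin script (review its source, e.g. a template script)
    """
    parser = _Collector()
    parser.feed(html)
    site_host = site_host.lower()
    findings = []
    for tag, attrs in parser.elements:
        src = attrs.get("src", "")
        if not src:
            continue                    # inline scripts / srcless iframes skipped
        host = _host(src)
        off_origin = bool(host) and host != site_host
        overlay = tag == "iframe" and _looks_like_overlay(attrs.get("style", ""))
        if not (off_origin or overlay):
            continue
        if tag == "iframe" and overlay:
            severity = "high"
        elif tag == "iframe":
            severity = "medium"
        else:
            severity = "info"
        findings.append({"tag": tag, "src": src, "host": host,
                         "off_origin": off_origin, "overlay": overlay,
                         "severity": severity})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample: one normal theme script, one ordinary video embed, and an
# injected overlay iframe plus companion script from an unrelated host.
SAMPLE_HTML = """
<html><body>
<script src="/wp-includes/js/jquery.js"></script>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="https://cdn.update-notice.invalid/template.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;border:0"></iframe>
<script src="https://cdn.update-notice.invalid/template.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in find_injected_frames(SAMPLE_HTML, "example-blog.test"):
        print(f"[{f['severity']:6}] <{f['tag']}> {f['src']}")
```

Run against a page fetched from the site itself (or from a saved copy), the high-severity hit is the one to pull first: an off-origin frame sized to cover the page is what the fake update lure relies on, and its source host is a natural candidate to compare with published indicators of compromise.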