Domen Exploit Kit

Summary

Domen is a newly observed malware delivery toolkit that uses extensive reconnaissance and social engineering techniques to ensure its delivery campaigns are successful. As of the time of publication, Domen is able to target desktop and mobile users in thirty different languages across more than twenty countries.


Threat details

As of the time of publication, Domen is able to target desktop and mobile users in thirty different languages across more than twenty countries. The group operating Domen use previously compromised websites, primarily running content management systems or blogging platforms, as initial watering holes. The group will then place an HTML iframe element containing Domen on the compromised sites. Users are directed to the sites via malicious adverts or redirects from other legitimate sites. There are also unconfirmed reports suggesting the group distribute links to the compromised sites via spam email campaigns.

Once a user reaches a compromised site, Domen will execute several scripts to collect user and system information including operating system version, location and browser activity. It will then use this information to display an overlay asking the user to download a relevant product or technology. Interacting with this overlay will download the intended payload, which will differ depending on the user profile and device operating system.
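Because the delivery mechanism is an iframe planted on a compromised CMS or blog page, the most direct check a site owner can run is for frames they did not place. The following is an added example, not tooling from this advisory: it parses a page and flags iframes whose source is off-site or that are styled to be invisible, using a constructed sample page and an assumed allow-list of expected hosts.

```python
"""Flag injected iframes on a CMS page (added example, not from the advisory).
A site owner supplies the hosts they expect to embed; anything else, or any
frame hidden by size or style, is reported for review."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make a frame invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:height|width)\s*:\s*0(?:px)?(?:\s*;|\s*$)|left\s*:\s*-\d{3,}",
    re.IGNORECASE,
)

class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def find_suspicious_iframes(html, allowed_hosts):
    """Return a list of (src, reasons) for iframes that look injected.
    allowed_hosts: set of hostnames (own site plus known embeds) the
    site owner expects to see as iframe sources (assumed allow-list)."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("off-site source: " + host)
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via inline style")
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample page: one legitimate video embed, one injected frame.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<p>Blog post text</p>
<iframe src="http://loader.example.invalid/gate.php" width="0" height="0"
        style="position:absolute;left:-9999px;display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE, {"blog.example", "www.youtube.com"}):
        print(src, "->", "; ".join(why))
```

Run it over a crawl of your own pages, or as a post-deploy check, so a frame that appears without a matching content change is caught before visitors are redirected.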


Remediation steps

To prevent and detect an infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset on a clean computer.
  • Your organisation adopts a holistic approach to cyber security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:58 pm