The Domen Hacking Toolkit is a dangerous weapon in the hands of numerous criminal collectives and is actively being used in global attack campaigns. It serves as a framework through which malware samples can be launched via social engineering tactics, allowing for different distribution scenarios. Our article gives an overview of how this tool has been used in the attacks known so far.
Social Engineering Malware Attacks Being Launched by Domen Hacking Toolkit
Computer hackers worldwide are currently exploring a new way of infecting users by means of a new weapon, this time a tool called the Domen Hacking Toolkit. Instead of being a single program into which the hackers enter parameters, it is a toolkit that can be fine-tuned to construct, coordinate and run the attacks. So far several different types of attacks have been organized through it and, according to our information, this has been done by hacking groups that have no connection to each other. The Domen Hacking toolkit consists of numerous parts and scripts, making it very easy to customize and extend to the point where it can be used for organized attacks. Its modular platform allows it to be adapted to various end-user configurations such as web browsers, operating systems and installed software. Some of the attacks witnessed by the security researchers involve malware sites that can take various forms:
- Fake Landing Pages — by utilizing phishing techniques the hackers can construct landing pages and other portions of legitimate and well-known companies or services. As soon as the victims interact with the fake service the infection will be made.
- Redirects — Certain scripts or pages will make the browsers automatically download or launch malware pages, or lead the users onto various phishing sites.
- Pop-Ups and Malware Ads — In many cases the main goal of an ongoing Domen toolkit campaign will be to present intrusive pop-ups and ads to the users in their browser windows. This is done because the operators receive income for every displayed ad.
The Domen Hacking toolkit can be used to craft fake download pages or software update notifications. This is the case with the popular strategy of making the victims think that they need to install a new version of the Adobe Flash Player. It is done by compromising a legitimate website and replacing some of its code in order to lead visitors to the infection.
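Site owners can catch the kind of injection described above by comparing a page against a known-good copy. The following is an added example written for this article, not code from the Domen toolkit or from any named research; the HTML samples, the lure keyword list and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Constructed sample: a site's known-good page and the same page after an injection
# that pulls in a foreign script and plants a fake "Flash Player" update prompt.
BASELINE_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><p>Welcome</p></body></html>"""
INJECTED_HTML = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example-lure.invalid/update.js"></script></head>
<body><p>Welcome</p>
<script>document.body.innerHTML += '<div>Your Flash Player is out of date. Update now</div>';</script>
</body></html>"""

# Phrases typical of fake-update lures (assumed list; extend for your own site)
LURE_PATTERNS = [r"flash\s*player", r"out\s*of\s*date", r"update\s*now"]


class _ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: Set[str] = set()
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def collect_scripts(html: str) -> _ScriptCollector:
    parser = _ScriptCollector()
    parser.feed(html)
    return parser


def audit_page(baseline_html: str, current_html: str) -> Dict[str, list]:
    """Report script sources not in the baseline and new inline scripts carrying lure text."""
    base, cur = collect_scripts(baseline_html), collect_scripts(current_html)
    findings: Dict[str, list] = {
        "new_external_scripts": sorted(cur.external - base.external),
        "lure_inline_scripts": [],
    }
    for body in cur.inline:
        if body in base.inline:
            continue  # unchanged inline script, nothing to flag
        hits = [pat for pat in LURE_PATTERNS if re.search(pat, body, re.I)]
        if hits:
            findings["lure_inline_scripts"].append(hits)
    return findings
```

Running `audit_page` on a regular schedule against a stored baseline turns the code replacement the article describes into an alert rather than a silent change.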
Once the infection has been made, a client-side Trojan will be loaded onto the client systems. Depending on the hacking instructions, various actions can be carried out with different consequences. Some of them include the following:
- Malware Delivery — This can be used to practically infect the systems with all kinds of threats such as Trojans, miners and ransomware.
- Data Theft — The initial script can be programmed to actively search the contents and memory of the compromised machines. This can target both personal information that reveals the identity of the victims and machine metrics that can be used to generate a unique ID for each host.
- System Changes — What is particularly dangerous about an infection by the Domen Hacking toolkit and any of its payloads is that they may also change system configuration files and settings. This can produce many negative effects such as performance issues, the inability to enter some of the recovery options, and errors. Data loss can follow, as edits to strings located in the Windows Registry can make services misbehave and corrupt files.
- Persistent Threat Infection — Any of the delivered malware can be installed in a way that is considered “persistent”. This means that it will be started every time the computer boots, and active defenses can be set up to guard it from being removed by security software. This is done by searching the running processes and identifying those that could remove it. Examples include anti-virus programs, firewalls, virtual machine hosts and intrusion detection systems. They will be disabled or entirely removed.
And even though the Domen Hacking Toolkit is primarily used to deliver malware threats through social engineering, we anticipate that it can be used in other coordinated attack campaigns. Time will tell whether it will continue to be used as a primary weapon by hacking communities.