March 3, 2020 By David Bisson 2 min read

Security researchers discovered a new malvertising campaign launched by the Domen social engineering toolkit.

On February 19, Malwarebytes discovered a new malvertising campaign leveraging a VPN service as a lure. The campaign featured a host of domains that were new to Domen’s attack infrastructure. These included search-one[.]info as its fraudulent page, mix-world[.]best as its download site and panel-admin[.]best as its backend panel.

Ultimately, the campaign leveraged a series of redirects to expose users to Smoke Loader. In one attack instance detected by Malwarebytes’ researchers, this malicious downloader installed numerous secondary payloads. Those payloads included the IntelRapid cryptominer, a Vidar stealer and Buran ransomware.

This wasn’t the first campaign to feature some of those payloads together. For instance, Cybereason discovered an attack campaign that drew from various accounts in Bitbucket, a code repository platform, to load IntelRapid and Vidar along with the AZORult Trojan, STOP ransomware and other payloads.

A Look Back at Domen’s Recent Activity

Malwarebytes first reported on Domen’s malvertising activity in September 2019. At the time of its analysis, the security firm observed the social engineering toolkit using compromised websites to trick visitors into clicking on a fake Adobe Flash Player update. Clicking on the “Update” button caused the campaign to download “download.hta.” This script then used PowerShell to connect to xyxyxyxyxy[.]xyz and download the NetSupport remote-access Trojan (RAT) as its malware payload.

Even so, Domen didn’t first awaken in the fall of 2019. Malwarebytes confirmed this when it found an ad for the toolkit that malicious actors had posted on a black hat forum back in April of that year.

How to Defend Against a Malvertising Campaign

Security professionals can help their organizations defend against malvertising campaigns by staying on top of patch management. While not evident in the Domen operations described above, many other malvertising campaigns commonly use exploit kits as a means of distributing their malware payloads. Additionally, infosec personnel should invest in a unified endpoint management (UEM) solution to grant visibility into all their endpoints. Doing so will help teams quickly detect and remediate an infection from an attack campaign’s malware payload.

More from

What is the Open-Source Software Security Initiative (OS3I)?

3 min read - The Open-Source Software Security Initiative (OS3I) recently released Securing the Open-Source Software Ecosystem report, which details the members’ current priorities and recommended cybersecurity solutions. The accompanying fact sheet also provides the highlights of the report. The OS3I includes both federal departments and agencies working together to deliver policy solutions to secure and defend the ecosystem. The new initiative is part of the overall National Cybersecurity Strategy.After the Log4Shell vulnerability in 2021, the Biden-Harris administration committed to improving the security of…

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today