Light Dark
March 3, 2020 By David Bisson 2 min read

Security researchers discovered a new malvertising campaign launched by the Domen social engineering toolkit.

On February 19, Malwarebytes discovered a new malvertising campaign leveraging a VPN service as a lure. The campaign featured a host of domains that were new to Domen’s attack infrastructure. These included search-one[.]info as its fraudulent page, mix-world[.]best as its download site and panel-admin[.]best as its backend panel.

Ultimately, the campaign leveraged a series of redirects to expose users to Smoke Loader. In one attack instance detected by Malwarebytes’ researchers, this malicious downloader installed numerous secondary payloads. Those payloads included the IntelRapid cryptominer, a Vidar stealer and Buran ransomware.

This wasn’t the first campaign to feature some of those payloads together. For instance, Cybereason discovered an attack campaign that drew from various accounts in Bitbucket, a code repository platform, to load IntelRapid and Vidar along with the AZORult Trojan, STOP ransomware and other payloads.

A Look Back at Domen’s Recent Activity

Malwarebytes first reported on Domen’s malvertising activity in September 2019. At the time of its analysis, the security firm observed the social engineering toolkit using compromised websites to trick visitors into clicking on a fake Adobe Flash Player update. Clicking on the “Update” button caused the campaign to download “download.hta.” This script then used PowerShell to connect to xyxyxyxyxy[.]xyz and download the NetSupport remote-access Trojan (RAT) as its malware payload.

Even so, Domen didn’t first awaken in the fall of 2019. Malwarebytes confirmed this when it found an ad for the toolkit that malicious actors had posted on a black hat forum back in April of that year.

How to Defend Against a Malvertising Campaign

Security professionals can help their organizations defend against malvertising campaigns by staying on top of patch management. While not evident in the Domen operations described above, many other malvertising campaigns commonly use exploit kits as a means of distributing their malware payloads. Additionally, infosec personnel should invest in a unified endpoint management (UEM) solution to grant visibility into all their endpoints. Doing so will help teams quickly detect and remediate an infection from an attack campaign’s malware payload.

 |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

September 20, 2024

New cybersecurity advisory highlights defense-in-depth strategies

4 min read - In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team operation against an FCEB (Federal Civilian Executive Branch) organization. In July 2024, CISA released a new CSA that detailed the findings of this assessment along with key findings relevant to the security of the organization’s network.One of the interesting findings of this SILENTSHIELD assessment was the renewed importance placed on defense-in-depth strategies. This was determined after the FCEB organization failed to respond effectively to the network breach…

September 19, 2024

CISA chief AI officer follow-up: Current state of the role (and where it’s heading)

4 min read - At the beginning of August, CISA announced that it had appointed Lisa Einstein, Senior Advisor of its artificial intelligence division, as its new chief AI officer. This announcement came following several new initiatives in the last couple of years focused on gaining a clearer understanding of the potential security impacts of AI.With the National Cybersecurity Strategy and the supporting National Cybersecurity Strategy Implementation Plan still evolving, there has been increased awareness of the value of organizations establishing an executive seat…

September 18, 2024

Cybersecurity risks in healthcare are an ongoing crisis

4 min read - While healthcare providers have been implementing technical, administrative and physical safeguards related to patient information, they have not been as diligent in securing their medical devices. These devices are critical to patient care and can leave hospitals at risk for cyberattacks, causing major disruptions to patient care. In fact, 88 million individuals were affected by large breaches, compromising vast amounts of electronic protected health information (ePHI) last year according to the U.S. Department of Health & Human Services. This year,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature