This morning I wanted to write a short post about a phishing site that, although poorly made, could be a little more interesting than the others because it uses IPFS.
The site is an attack (targeted or not, I don’t know) against some company that wants to become a supplier to the US government. The URL is: hxxps://gsa.gov.bid-network-integration-authenticate.sapt[.]sa
Matrix had identified the threat in the morning.
When I tried to access the content on IPFS from my laboratory network (in Italy) I was in for a surprise: access to the Cloudflare gateway to IPFS is blocked by Italian providers, with the explanation that it contains child pornography!
I can understand someone’s difficulty in understanding the technology, I can understand the lack of funds to invest in research, but censoring an emerging technology like this is truly something out of a third-world country!
Obviously, using Tor, the mighty censorship is bypassed in a minute and I can finally access the content.
Let’s set aside the attack, which sucks and doesn’t even work at the moment: what kind of approach is it to block an entire world because you don’t understand it? I know that in Italy there are many nostalgic for that idiot Mussolini, but here it seems that someone is even nostalgic for the Middle Ages!
Today I’ll tell you about an attack detected a few hours ago by Matrix and reported on urlscan.io.
This is a fairly complex attack against Zoom. The attackers registered a domain on Namecheap (us06webzoomus[.]pro) reminiscent of Zoom subdomains and deployed a series of files there.
Here we find three malware samples (Android and Windows), static content (scripts, images, etc.) and a Windows batch file that uses PowerShell.
The contents are in Russian.
If I find the time I will update the article with details about the malware; if I don’t find the time, you know anyway not to run these executables 🙂
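Both the gsa.gov lookalike above and the us06webzoomus[.]pro domain share the same trick: a trusted brand or hostname is embedded in a domain the attacker actually controls. The following is an added example (not code from the original post or from Matrix) that flags such hostnames from a defanged indicator list; the brand-to-legitimate-domain mapping and the small public-suffix set are assumptions for the demo.

```python
import re

# Constructed sample list: the defanged indicators quoted in the posts above.
SAMPLE_HOSTS = [
    "hxxps://gsa.gov.bid-network-integration-authenticate.sapt[.]sa",
    "us06webzoomus[.]pro",
    "e-h-r-a-z-c[.]org",
    "us06web.zoom.us",
]

# Brand keyword -> legitimate registrable domain (assumed mapping, not from the posts).
BRANDS = {"gsa": "gsa.gov", "zoom": "zoom.us"}
# Minimal multi-label public suffixes; a real deployment should use the Public Suffix List.
MULTI_SUFFIXES = {"co.uk", "com.sa", "gov.uk", "com.au"}

def refang(indicator: str) -> str:
    """Turn a defanged URL or hostname (hxxp, [.]) back into a plain lowercase hostname."""
    s = indicator.lower().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s)          # drop the scheme if a full URL was given
    return s.split("/")[0].split(":")[0]      # keep only the host part

def registrable_domain(host: str) -> str:
    """Registrable domain: last two labels, or three when the suffix is multi-label."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def lookalike_findings(indicator: str) -> list[str]:
    """Reasons this host looks like it imitates a known brand; empty list if none."""
    host = refang(indicator)
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".")       # everything left of the registrable domain
    findings = []
    for brand, legit in BRANDS.items():
        if reg == legit:
            continue                          # the real domain, or a real subdomain of it
        if sub and (brand in sub or legit in sub):
            findings.append(f"{brand}: '{legit}' used as subdomain labels under '{reg}'")
        elif brand in reg:
            findings.append(f"{brand}: registrable domain '{reg}' contains the brand but is not '{legit}'")
    return findings

def flagged_hosts(indicators=SAMPLE_HOSTS) -> dict[str, list[str]]:
    """Map each suspicious indicator to its findings; clean hosts are left out."""
    return {i: f for i in indicators if (f := lookalike_findings(i))}
```

Both page indicators are flagged while the genuine us06web.zoom.us and the brand-free e-h-r-a-z-c[.]org pass through; extend BRANDS and MULTI_SUFFIXES before running this over real feeds.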
Domain Name: DOMIN-REMOTE.ONLINE
Registry Domain ID: D424887618-CNIC
Registrar WHOIS Server: whois.hostinger.com
Registrar URL: https://www.hostinger.com/
Updated Date: 2024-01-15T10:57:55.0Z
Creation Date: 2024-01-15T10:57:50.0Z
Registry Expiry Date: 2025-01-15T23:59:59.0Z
Registrar: HOSTINGER operations, UAB
Registrar IANA ID: 1636
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
Registrant State/Province: MA
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: NS6.NL.HOSTSAILOR.COM
Name Server: NS5.NL.HOSTSAILOR.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: domains@hostinger.com
Registrar Abuse Contact Phone: +370.68424669
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2024-01-16T17:42:53.0Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
Here you can download the zip file containing everything.
This is the starting point of the attack, from which it is possible to download the PHP sources (sorry for the “PHP” 😉) and the Android malware used in the attack.
The malware is a RAT and the sources are its C2.
The C2 code is simple and was probably written by a person with little experience, even if he calls himself a “hacker”; I see him more as a “newbie” with little hope.
Inside you will find everything you need: keys, logs, other domains involved. In short, if anyone has more time than me and wants to dig deeper, let me know; maybe they could collaborate on this article and enrich it 🙂
Given that the Iranian regime disgusts me, as does every theocracy, I dedicate time to this kit because it has interesting features and because I think that we all owe solidarity to the Iranian population, persecuted by a fascist regime.
After this introduction, let’s move on to this kit. Matrix downloaded it from the e-h-r-a-z-c[.]org domain around 9pm today (January 14, 2023). The domain was registered via hostinger.com.
At the time of writing (about two hours after the kit was found) the website is inactive.
Inside the kit there are the PHP sources that make up the phishing site and a malware for Android.
The kit targets customers of several banks.
In the PHP sources we find the token to which the stolen credentials are sent.
The site is not listed on urlscan.io because at the time of the notification the site was already offline. I can say we downloaded the kit at the last second 🙂
The main goal of the attack was to install malware. This can also be deduced from the cloaking mechanism, which redirects all non-Android devices to the website of the cyber police, which deals with cyber security.
A new tool launched in recent days has made it possible to quickly detect an attack based on various .best domains. Matrix had reported these domains on urlscan.io several hours ago.
From the evidence gathered in recent minutes, it appears that the attack targeted customers of the US bank America First Credit Union.
Today I downloaded a phishing kit hosted by cPanel, intended to scam BBVA customers.
The kit is a 2022 panel.
Very often the kits downloaded from cPanel are written in Italian, regardless of the company targeted. I also noticed during this period that these criminals work during office hours and seem to operate in the Italian time zone.
Given the importance of Italian organized crime and the structure needed to collect the proceeds of this type of fraud, one might perhaps think that Italian organized crime has opened its own IT department?
In recent days I have noticed that many sites related to the situation in Palestine are being created, especially sites asking people to support the Palestinian population with donations or purchases of materials.
There are certainly many people who try to help using the Internet, but many are taking advantage of this tragedy to scam people who want to help those who are suffering.
To give an example of a suspicious site, I took a look at “impact-palestine.com”.
The domain was registered two days ago.
I don’t take the HTTPS certificate into consideration because it might be normal to use a certificate of this type for a voluntary association.
The name of the site recalls that of IMPACT initiatives (https://www.impact-initiatives.org/). The text is in English but in some places there are texts in Russian.
We read about funds raised…
… but their wallet says otherwise.
It is also notable that it asks for donations only via cryptocurrencies.
The links to their alleged social accounts lead to accounts of other well-known associations or to non-existent accounts.
After Twitter blocked my account I moved to Urlscan.io where Johannes welcomed and supported me very kindly. I was able to appreciate the platform and today we reached the milestone of one million submissions made.
After more than 400,000 tweets, the blue bird platform suspended my account for violating the counterfeit goods rules.
I’ve decided to move the publishing of reports to urlscan.io.
In the new release I made some changes to the publishing platform; the main one for users is that sites without a default page are now also published, the so-called “opendir” sites.