A little while ago I came across this website: hxxps://domin-remote[.]online

The domain was registered yesterday via hostinger. To date it has not been reported.

Matrix reported it on urlscan.io 15 hours ago.

Domain Name: DOMIN-REMOTE.ONLINE
Registry Domain ID: D424887618-CNIC
Registrar WHOIS Server: whois.hostinger.com
Registrar URL: https://www.hostinger.com/
Updated Date: 2024-01-15T10:57:55.0Z
Creation Date: 2024-01-15T10:57:50.0Z
Registry Expiry Date: 2025-01-15T23:59:59.0Z
Registrar: HOSTINGER operations, UAB
Registrar IANA ID: 1636
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
Registrant State/Province: MA
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: NS6.NL.HOSTSAILOR.COM
Name Server: NS5.NL.HOSTSAILOR.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: domains@hostinger.com
Registrar Abuse Contact Phone: +370.68424669
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2024-01-16T17:42:53.0Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

>>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit
https://www.centralnic.com/support/rdap <<<

The Whois and RDAP services are provided by CentralNic, and contain
information pertaining to Internet domain names registered by our
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com)

Access to the Whois and RDAP services is rate limited. For more
information, visit https://registrar-console.centralnic.com/pub/whois_guidance.

Here you can download the zip file containing everything.

This is the beginning of the attack from which it is possible to download the PHP sources (sorry for “PHP” 😉 ) and the malware for Android, used for the attack.

The malware is a RAT and the sources represent its C2.

The C2 code is simple and was probably written by a person with little experience, even if he defines himself as a “hacker” while I see him more as a “newbie” with little hope.

Inside you will find everything you need, keys, logs, other domains involved, in short, if anyone has more time than me and wants to find out more, let me know, maybe they could collaborate on this article and enrich it 🙂

Given that the Iranian regime disgusts me, as does every theocracy, I dedicate time to this kit because it has interesting features and because I think that we all owe solidarity to the Iranian population, persecuted by a fascist regime.

After this introduction, let’s move on to this kit. Matrix downloaded it from the e-h-r-a-z-c[.]org domain around 9pm today (January 14, 2023). The domain was registered via hostinger.com

At the time of writing this article (about two hours have passed since the kit was found) the web site is inactive.

Inside the kit there are the PHP sources that make up the phishing site and a malware for Android.

The kit targets customers of several banks.

In the PHP sources we find the token to which the stolen credentials are sent.

The site is not listed on urlscan.io because at the time of the notification the site was already offline. I can say we downloaded the kit at the last second 🙂

The main goal of the attack was to install malware. This can also be deduced from the cloaking mechanism which redirects all non-Android devices to the cyber police website which deals with cyber security.

These domains were registered last week but the scripts have only now been uploaded. This seems like suspicious behavior to me…

• hxxp://marqatha[.]com
• hxxp://marqrdha[.]com
• hxxp://vaiqsant[.]com
• hxxp://vaiqbant[.]com
• hxxp://mawqreha[.]com
• hxxp://vazxant[.]com
• hxxp://marqrxha[.]com
• hxxp://marqreha[.]com

Today I downloaded a phishing kit hosted by cPanel, intended to scam BBVA customers.

The kit is a 2022 panel.

Very often the kits downloaded from cPanel are written in Italian, regardless of the company targeted. During this period I also noticed how these criminals operate during office hours and seem to operate in the Italian time zone.

Given the importance of Italian organized crime and the necessary structure to collect the fruits of this type of fraud, perhaps one might think that Italian organized crime has opened its own IT department?

In recent days I have noticed that many sites related to the situation in Palestine are being created, especially many sites asking to support the Palestinian population with donations or purchases of material.

There are certainly many people who try to help using the Internet, but many are taking advantage of this tragedy to scam people who want to help those who are suffering.

Wanting to give an example of a suspicious site, I started taking a look at this site “impact-palestine.com”.

The domain was registered two days ago.

I don’t take the HTTPS certificate into consideration because it might be normal to use a certificate of this type for a voluntary association.

The name of the site recalls that of IMPACT initiatives (https://www.impact-initiatives.org/). The text is in English but in some places there are texts in Russian.

We read about funds raised…

… but their wallet says otherwise.

It is also noted as asking for donations only via cryptocurrencies.

The links to their alleged social accounts lead to accounts of other well-known associations or to non-existent accounts.

If you are able and willing to help, I suggest you rely on well-known associations. For example https://www.amnesty.org/en/ or https://www.savethechildren.net/