Bangaly Koita

Bangaly Koita is a SOC Analyst and cyber security researcher. Passionate about cyber security, he spends most of his time writing articles and making videos online to share his knowledge and experience with the wider IT community, and with the cyber security community in particular. Feel free to contact me if needed.
Telegram phishing

Scammers created thousands of fake websites mimicking Telegram

A large phishing campaign against Telegram was detected.

The threat actors created thousands of websites mimicking Telegram.

At the time of writing, thousands of users are impacted.

The impact could include theft of PII, financial loss and more.

Most of the phishing domains are hosted under CLOUDFLARENET.

Cloudflare offers free features such as a fast DNS resolver, a Content Delivery Network (CDN) and free SSL certificates, which makes the service an attractive choice for threat actors. To compromise the user, the phishing page asks him or her to enter PII as a newly registered user. Once submitted, the data is sent to the malicious server and stored.

The certificates used on the domains are issued either by Google Trust Services WE1 or by CLOUDFLARE, INC. Cloudflare TLS Issuing ECC CA 1, with a validity period from 2025-03-20 to 2025-06-18, which means that the phishing domains might stay up longer than expected.

Taking down the domains would be the best way to protect users.

Some of the phishing domains:

elegeqwt[.]kim

telegmvev[.]lat

telegtrwe[.]kim

telegcmzb[.]hair

telegzmcb[.]lat

telegzcmz[.]hair

telegqtre[.]monster

telegzmbc[.]icu

telegbzmc[.]lat

telegmexv[.]icu

telegwrte[.]monster

telegwret[.]monster

telegrrm[.]fans

telegwrqt[.]monster

telegqtre[.]ren

telegjhgk[.]cam

telegrwtq[.]ren

Recommendations:

The domains should be taken down.

Block the domains if they are visible within your environment.

In case a user clicked on any of the domains, reset the user’s password.

For those who use Telegram, activate 2FA on Telegram.

Set up a password policy.

In case a user entered financial information such as a bank account number, contact your bank and change the information ASAP.

Scan the host to ensure that no malicious payload was downloaded.

ConnectWise

Malicious ConnectWise Control application downloaded in the wild

ConnectWise ScreenConnect is a self-hosted remote desktop software application. The tool is used by thousands of people, companies and businesses around the world.

Because it is a well-known tool, abusing it can help a threat actor compromise many systems and organizations by gaining unauthorized access to a computer or environment.

The malicious application is called ConnectWise Control 23.2.9.8466, quite similar to the naming convention used by the ConnectWise ScreenConnect application.

The malicious tool is available from the website krscreenconnect[.]com.

At the time of writing, the tool has been downloaded by many users and organizations.

The domain is newly created:

Dates 50 days old

Created on 2025–01–26

Expires on 2026–01–26

Updated on 2025–01–26

Hosted on a dedicated server with the IP address 192.159.99.10.

The application can be downloaded from the website via the link: hxxps://krscreenconnect[.]com/bin/support.client.exe?i&e=Support&y=Guest&r.

To fully investigate the application, we used a couple of tools: ANY.RUN (app.any.run), VirusTotal, urlscan.io, DomainTools and Censys.

First of all, we wanted to get the hash of the executable file “support.client.exe”, or to see what is behind the URL. To achieve that, we used urlscan.io search (Search — urlscan.io).

We got the following details:

A second technique we used was to submit the URL to VirusTotal to get the hash:

We got the same hash as from urlscan:

As you may know, Censys (Censys Search will end on March 31, 2025) is one of the best tools to get more details about an IP address. Using Censys, we got:

192.159.99.10 — Host Summary — Censys

The IP 192.159.99.10 is linked to the domain in question:

On port 443 (HTTPS), a ConnectWise Control 23.2.9.8466 remote access service is exposed.

We decided to run the executable file through ANY.RUN to analyse it in a sandbox: https://app.any.run/browses/78c73b3d-b38e-48cd-813e-9d4b1883cb0c

After running the executable file, we found out that the file has been digitally signed by ConnectWise LLC since 2023, which looks strange but is possible.

While analysing the executable file, we found one interesting indicator.

The PDB file name: C:\Users\jmorgan\Source\cwcontrol\Misc\Bootstrapper\Release\ClickOnceRunner.pdb

along with the import hash (imphash): 7631a79a9071099fa4803e1c4c5df207

We found out that the hash of the file is well known, according to a Google search:

By checking the information from MalwareBazaar | SHA256 d4b396874b63841713f83aecb7b3bf6e19b068f246c950cbdbb08bdafb394763 (ConnectWise)

we found very interesting details.

The information found confirms that the executable file is digitally signed by ConnectWise, LLC.

To finalize our investigation, we checked the payload after execution.

If you are already familiar with malware analysis, you may notice some suspicious functions being used, such as:

LoadLibraryA

GetCurrentProcess

TerminateProcess

CreateFileW

GetProcAddress

HeapAlloc

WriteFile

ExitProcess

HeapReAlloc

These functions are commonly used for code injection and to hide the executable from EDR or antivirus engines.

We can stop our investigation here and conclude that the file is malware and that you should not run it.

The use of the digital signature certificate from ConnectWise is out of scope (if you want to know, ask them ahhh).

We found many other malicious executable files signed with the company’s certificate: MalwareBazaar | Browse malware samples.

This means that you should always check any application signed by this organization.

If you notice such activity within your organization, the following measures should be taken as fast as possible:

Change the user password.

Re-image the impacted host.

Perform a full analysis of the host to detect any C2, persistence or privilege escalation method used.

Block the URL or domain.

Block the IOC hashes.
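As an added example (not part of the original investigation and not ConnectWise tooling), the following Python snippet shows how the two indicators collected above, the SHA256 and the PDB path, can be checked against a file: it hashes the bytes and pulls the PDB path out of the PE’s CodeView (RSDS) debug record by scanning for the record signature. Only the SHA256 and the PDB path come from the investigation; the sample bytes are constructed so the snippet runs offline, so the hash check is expected to fail while the PDB check succeeds.

```python
"""Check a sample against the indicators from this investigation."""
import hashlib
import struct

# Indicators quoted in the investigation above.
IOC_SHA256 = "d4b396874b63841713f83aecb7b3bf6e19b068f246c950cbdbb08bdafb394763"
IOC_PDB = r"C:\Users\jmorgan\Source\cwcontrol\Misc\Bootstrapper\Release\ClickOnceRunner.pdb"

RSDS_SIG = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4   # signature + GUID + age, then the NUL-terminated path


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of the file bytes, the value to look up on MalwareBazaar or VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in CodeView RSDS debug records.

    This scans the raw bytes for the RSDS signature instead of walking the PE
    debug directory: simpler for triage, and it still works when headers are damaged.
    """
    paths = []
    pos = data.find(RSDS_SIG)
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end > start:
            try:
                paths.append(data[start:end].decode("ascii"))
            except UnicodeDecodeError:
                pass  # the four signature bytes occurred by chance, not a real record
        pos = data.find(RSDS_SIG, pos + len(RSDS_SIG))
    return paths


def triage(data: bytes) -> dict:
    """Compare a sample's hash and PDB path against the indicators above."""
    digest = sha256_of(data)
    pdbs = extract_pdb_paths(data)
    return {
        "sha256": digest,
        "pdb_paths": pdbs,
        "hash_match": digest == IOC_SHA256,
        "pdb_match": any(p.lower() == IOC_PDB.lower() for p in pdbs),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a PE file (not the real sample): an MZ stub,
    one RSDS record carrying the IOC PDB path, and some padding."""
    guid = bytes(range(16))          # placeholder GUID
    age = struct.pack("<I", 1)
    return (b"MZ" + b"\x00" * 62 + RSDS_SIG + guid + age
            + IOC_PDB.encode("ascii") + b"\x00" + b"\x90" * 16)


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run against a real file, `triage(open(path, "rb").read())` gives both checks at once; a PDB path match on a file whose hash is not yet on MalwareBazaar is exactly the kind of pivot that links new builds to a known campaign.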

Tesla phishing

Tesla website impersonated by threat actors

We have detected several websites impersonating the Tesla company. The activity could lead to data leaks, loss of revenue and loss of clients.

The threat actors created several websites posing as Tesla. The websites offer “Logistics for World's Multinational Companies”.

At the time of writing, many third-party companies might have fallen for this malicious activity.

We have carried out a full investigation of the websites created; the full details are below.

The threat actors created domains with the keywords “elonmusk” and “tesla” to trick users into believing the website comes from Tesla.

1. elonmuskdelivery[.]com

Dates 17 days old

Created on 2025–02–17

Expires on 2026–02–17

Updated on 2025–02–26

2. tesladeliveryservice[.]online

Dates 7 days old

Created on 2025–02–27

Expires on 2026–02–27

Updated on 2025–02–28

3. TeslaDeliveryCorp[.]icu

Dates 5 days old

Created on 2025–03–01

Expires on 2026–03–01

Updated on 2025–03–01

The domains are on CLOUDFLARE.COM.

4. TesLadt[.]com

55 days old

Created on 2025–01–11

Expires on 2026–01–11

Updated on 2025–01–11

The domains are newly created and do not belong to the Tesla organization.

The websites contain the Tesla logo, used to trick users into trusting them, which could also be considered a trademark issue.

Tesla has its own page for delivery services, which can be found at https://www.tesla.com/support/taking-delivery.

In the end, we may conclude that the websites are not trustworthy and should be taken down.

Google call

Google Meet typosquat by threat actors

Google Meet is an application used by millions of people around the globe. It is used by companies, schools, universities, governments, individuals and others.

For such a large platform, the impact of impersonation could be devastating.

We found many domains impersonating Google Meet to trick users into entering their credentials or downloading a fake Google Meet that compromises their system.

The fake Google Meet page contains a link or pop-up to download a Google Meet application or browser extension. By installing the fake Google Meet, the user installs a malicious payload that is executed to compromise the system.

At the time of writing, many companies, schools, universities, governments and others are already compromised.

The impact can lead to data theft or even ransomware.

Please follow our recommendations:

Check your environment to detect the malicious domains:

google-meet-account[.]com

google-meetings[.]com

accountmeet-google[.]com

meet.gooqle-view[.]com

meet.google[.]com

Block all those domains.

Provide awareness training to your users.

Bookmark the correct Google Meet URL for your users (https://workspace.google.com/products/meet/).

If you see such a domain within your organization, perform a full investigation of the host that contacted it: scan the host and search for any persistence behaviour or C2 activity.

Change the impacted user’s credentials and re-image the host.
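The recommendation to check your environment for the listed domains applies to the Telegram, Tesla and Google Meet lists alike. The following Python script is an added example (not code from the original post) of that check: it refangs the indicators as written on this page, extracts the hostname from each line of a constructed proxy log, and reports hosts that equal an indicator or are a subdomain of one. The log format and the allowlist of genuine service hostnames (meet.google.com is Google’s real Meet domain) are assumptions of the example.

```python
"""Match the phishing domains listed above against proxy/DNS log lines."""
import re
from urllib.parse import urlsplit

# Lookalike domains as written (defanged) in the Telegram and Google Meet lists above.
DEFANGED_IOCS = [
    "telegqtre[.]monster", "telegzmbc[.]icu", "telegrrm[.]fans", "telegjhgk[.]cam",
    "google-meet-account[.]com", "google-meetings[.]com",
    "accountmeet-google[.]com", "meet.gooqle-view[.]com",
]

# Assumed allowlist: the genuine service hostnames, so the real Google Meet
# (meet.google.com) is never reported even if it ends up pasted into a blocklist.
LEGIT_DOMAINS = {"meet.google.com", "workspace.google.com"}

# Constructed proxy log format: "<timestamp> <user> <url-or-host>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")


def refang(indicator: str) -> str:
    """Turn 'telegqtre[.]monster' back into 'telegqtre.monster'."""
    return indicator.replace("[.]", ".").strip().lower()


def host_of(value: str) -> str:
    """Hostname (lowercase, no port) from a URL or a bare host[:port]."""
    text = value.strip()
    if "://" not in text:
        text = "//" + text          # lets urlsplit treat a bare host as the netloc
    return (urlsplit(text).hostname or "").lower()


def matching_ioc(host: str, iocs) -> str:
    """Return the IOC that host equals or is a subdomain of, else ''."""
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return ""


def scan_log(lines, defanged=DEFANGED_IOCS) -> list:
    """Return one record per log line whose host matches an IOC."""
    iocs = sorted({refang(d) for d in defanged}, key=len, reverse=True)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # skip malformed lines instead of crashing
        host = host_of(m["url"])
        if host in LEGIT_DOMAINS:
            continue
        ioc = matching_ioc(host, iocs)
        if ioc:
            hits.append({"ts": m["ts"], "user": m["user"], "host": host, "ioc": ioc})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-03-21T09:12:03Z alice https://meet.google.com/abc-defg-hij",
    "2025-03-21T09:13:44Z bob https://google-meet-account.com/login",
    "2025-03-21T09:15:10Z carol http://www.telegqtre.monster/signup?ref=1",
    "2025-03-21T09:16:02Z dave https://mail.example.com/inbox",
    "2025-03-21T09:17:55Z erin login.google-meetings.com:443",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Subdomain matching matters because phishing kits routinely serve from `www.` or `login.` labels under the registered lookalike; matching the host string exactly would miss two of the three constructed hits above.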

OSINT

What is OSINT?

OSINT means Open-Source Intelligence. It is a set of tools that are available to everyone, everywhere.

OSINT is used in many different areas such as:

  • Cyber Threat Intelligence
  • Human Intelligence
  • Political Intelligence
  • Journalist Intelligence
  • And others.

OSINT allows you to collect any type of data available online and analyse it. The OSINT cycle is:

  • Data collection
  • Data Analysis
  • Report (Documentation and Recommendations)

The OSINT report depends on the area in which you are using OSINT. For example, in Cyber Threat Intelligence (Why do we need a Cyber Threat Intelligence? - osintafrica), an OSINT report can be written following one of the models Cyber Kill Chain or the Diamond Model of Intrusion Analysis; more details about the models can be found here: Three attack frameworks that Cyber Security members should know - osintafrica.

OSINT framework tools are available and easy to find online.

Some of them are:

OSINT Framework

Tools - Start.me

My OSINT Training's Tools

Advantages of using OSINT:

OSINT has many advantages: many applications are free and accessible online, and data is available anywhere. But the most important advantages for us are the following:

  • Detect Threats
  • Vulnerabilities
  • Information lookup
  • Data breach identification

Anything that has advantages has inconveniences as well, and OSINT does have some.

OSINT inconveniences:

Data can be queried by anyone online.

PII data is accessible online.

Vulnerabilities and threats are identifiable online.

Breached data is accessible on different platforms (dark web, hacking forums, OSINT tools and others).

OSINT tools can be attack vectors.

Regarding privacy, the concerns around OSINT are quite similar to the GDPR requirements, such as collecting only information related to your investigation, having authorization to collect the data (PII or IP) and others.

OSINT is very useful and, as said before, the tools are available for anyone to use. You can start by looking up some information about yourself. Do not forget the privacy aspects of OSINT.

Windows file system whitelist

Windows system files you should never whitelist in your environment

If you work in a SOC as a SOC analyst, incident responder, threat hunter or threat intelligence analyst, you are probably already dealing with whitelisting and blacklisting.

Whitelisting consists of allowing access within your environment. In SOC terms, when you whitelist a file or command, it no longer shows up in alerts, which can be very dangerous as you might not see the malicious activity being triggered.

Blacklisting consists of blocking access within your environment.

Whitelisting and blacklisting are usually done with tools such as EDR, SIEM, antivirus and others.

You should be very careful while doing either, as a mistake can cause serious damage to your organization.

Below, we describe some of the Windows system files that you should never whitelist within your environment.

First of all, let’s start with the folder C:\WINDOWS\system32\. The folder is used by the Windows OS to hold system files and folders. Most of the files we discuss today are in this folder.

Mshta.exe: A utility that executes Microsoft HTML Application (HTA) files. HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser. Attackers can use it for System Binary Proxy Execution, executing malicious code directly from a remote server to bypass application control and browser security.

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility (https://attack.mitre.org/techniques/T1218/005).

Cmd.exe: The command-line interpreter for Windows. Many threat actors run their malicious commands from the command-line interpreter to compromise the system, exfiltrate data and more.

utilman.exe: The file is associated with the Utility Manager application of Windows. It can be used to monitor an application and gives access to useful UI settings within Windows.

Svchost.exe: Used to host Windows services; malware can use the file name to hide itself from the antivirus or detection engine.

Microsoft Shortcut File (LNK): The file is used to link various types of information such as files and network shares; it can be used by malware to execute a malicious file located in a remote environment.

powershell.exe: A command-line tool used to manage and automate tasks in the Windows operating system. The tool can be used to compromise the system by running a script.

msiexec.exe: Used to install, modify and perform operations on Windows Installer packages (MSI) from the command line.

services.exe: The Windows Service Control Manager; it controls all the services. Malware can use it to start and stop a malicious service.

fodhelper.exe: Used for managing language changes in the operating system. It can be used by adversaries to bypass User Account Control and execute additional commands with escalated privileges.

dllhost.exe: Used to host and execute DLLs. The process hosts COM (Component Object Model) objects. Malware can use it to execute rogue DLL code.

rundll32.exe: Used to run functions that developers store separately in a DLL file. Malware can use it to run a DLL file and perform malicious activity.

BCDEdit.exe: Used to create new boot configuration stores, modify existing stores and add boot menu options. Malware can use it to modify the boot loader configuration.

regsvr32.exe: Used to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry. Malware can use it to store a malicious file or key in the registry.

WMIC: A deprecated command-line interface to Windows Management Instrumentation, used to manage data and operations on Windows systems. The tool is deprecated and not available in PowerShell 6+. It can be used to retrieve user information from a remote computer.

PowerShell: An automation and configuration management tool. It can be used to deploy, test and build solutions. The tool is quite often used by malware to deploy itself on the system and compromise it.

userinit.exe: A program that restores the profile, fonts and colours for a user at logon. Malware can use it to launch an additional program.

Schtasks.exe: Used to schedule tasks; it may be used by threat actors to execute malicious code.

taskhostw.exe: The file is used by Windows 10 as a host for processes that execute as part of a DLL file. It can be used to monitor application, keyboard and mouse activity. A threat actor can use it to perform malicious activities.

wsmprovhost.exe: The host process for WinRM sessions; its presence helps identify remote connections related to WinRM or PowerShell remoting.

Vssadmin: Used to display volume shadow copy backups and the installed shadow copy writers and providers. A threat actor can leverage it to delete or copy backups, or resize the shadow storage (an anti-forensic technique) to destroy evidence.

Mstsc.exe: Creates and edits connections to Remote Desktop Session Host servers or other remote computers.

In conclusion, always check any file that performs suspicious activity. Some activities may be legitimate, for example those performed by an administrator, and you need to know how to differentiate normal activity from malicious activity. Checking the file location, the file hash and the signature is a good starting point for detecting a malicious file.
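Instead of whitelisting these binaries, the conclusion above suggests checking where they run from and what they do. The following Python script is an added example (not from the original post) of that triage applied to the whole list rather than one binary: for each process-creation event it flags a listed binary running outside System32/SysWOW64 and, for the abuse patterns described above (remote content via mshta or regsvr32, a DLL run from a user-writable path via rundll32, shadow copy deletion or resizing via vssadmin, boot configuration changes via bcdedit), a matching command line. The Sysmon-style event records, field names and regular expressions are the example’s own assumptions, and the rules are a starting point to tune, not a complete ruleset.

```python
"""Triage process-creation events for the Windows binaries listed above."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Folders where the binaries listed above legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Binaries from the list above (svchost/schtasks spelled as Windows names them).
WATCHED = {
    "mshta.exe", "cmd.exe", "utilman.exe", "svchost.exe", "powershell.exe",
    "msiexec.exe", "services.exe", "fodhelper.exe", "dllhost.exe",
    "rundll32.exe", "bcdedit.exe", "regsvr32.exe", "wmic.exe", "userinit.exe",
    "schtasks.exe", "taskhostw.exe", "wsmprovhost.exe", "vssadmin.exe", "mstsc.exe",
}

# Command-line patterns matching the abuse described for each binary (assumed rules).
RULES = [
    ("mshta.exe", re.compile(r"https?://", re.I), "mshta loading content from a remote server"),
    ("regsvr32.exe", re.compile(r"https?://", re.I), "regsvr32 loading content from a remote server"),
    ("rundll32.exe", re.compile(r"\\(users|programdata|temp)\\[^\s,]*\.dll", re.I),
     "rundll32 running a DLL from a user-writable path"),
    ("vssadmin.exe", re.compile(r"\b(delete|resize)\b", re.I),
     "vssadmin deleting or resizing shadow copies"),
    ("bcdedit.exe", re.compile(r"/set\b", re.I), "bcdedit changing boot loader configuration"),
]


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def triage_event(event: dict) -> Optional[Finding]:
    """Inspect one process-creation event; None means nothing stood out."""
    image = event["Image"]
    name = ntpath.basename(image).lower()
    if name not in WATCHED:
        return None
    reasons = []
    folder = ntpath.dirname(image).lower()
    if folder not in SYSTEM_DIRS:
        reasons.append(f"{name} running from unexpected folder {folder}")
    cmdline = event.get("CommandLine", "")
    for binary, pattern, reason in RULES:
        if binary == name and pattern.search(cmdline):
            reasons.append(reason)
    return Finding(image, reasons) if reasons else None


def triage(events) -> List[Finding]:
    """Run triage_event over a batch and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed Sysmon Event ID 1 style records (not from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://update.example.invalid/page.hta"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\helper.dll,Start"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.image, "->", "; ".join(finding.reasons))
```

Note what the constructed batch shows: plain `cmd.exe /c dir` and `vssadmin.exe list shadows` from System32 produce no finding, which is the point of checking location and behaviour instead of excluding the binary name altogether.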

urlscan 3

New update in URLSCAN to detect malicious domains

If you follow our blog (Home - osintafrica), you already know the URL and website scanner urlscan.io; see https://www.osintafrica.net/how-to-use-urlscan-part1/ for more details.

The best tools always need improvement and urlscan.io is one of those. The tool has added some improvements that help an analyst investigate phishing websites mimicking an organization faster and more efficiently.

Let’s have a look at the new improvements.

The tool introduced two great features (favicon hash based detection and HTTP POST request detection) that can be used to detect phishing websites mimicking an organization and credential harvesting domains.

To better understand them, let’s practise a bit.

Detecting a website mimicking Netflix using the FAVICON HASH ANALYSIS

A favicon is the website icon; it helps to visually represent a website and to distinguish between open tabs or search results.

A favicon can be hashed, and the hash can be used to detect similar websites.

The feature has been introduced into urlscan.io to make it easier for the analyst to quickly perform his or her investigation.

Example 1:

We will connect to urlscan.io and use a domain mimicking the Netflix website; we will use the favicon hash to find similar websites.

Let’s do it.

Connect to https://urlscan.io/result/fb90e947-db87-4476-924d-5db678a50acd/#transactions

Click on the blue “HTTP” button, press Ctrl+F and type “favicon”, scroll down, click on the hash and open it in a new tab; you will see the result.

Example 2:  Detect website mimicking Microsoft.com.

https://urlscan.io/result/b4cf2f17-ebee-47b4-b85e-f63eae623ec4/#transactions

Click on the hash and open it in a new tab; you will see the result.

 

Detecting a credential harvesting domain using HTTP POST request based detection.

Credential harvesting is when a threat actor sends a phishing link to a user; once the user clicks it and enters his or her credentials, they are sent to another domain where the threat actor stores them, to be used to impersonate the user or sold on the dark web. This technique is commonly used against organizations that use cloud services such as Microsoft O365.

Let’s give an example: we have detected a malicious domain mimicking the Microsoft login page; when a user enters credentials, they are sent to hxxps://robertreed1313[.]xyz/next.php

Click on the link:

https://urlscan.io/result/e25dc1e1-9ab7-491c-94a8-20aec6eba2d8/#transactions

As you see in the image, there is an HTTP POST request, which indicates data being sent to another URL, in this case hxxps://robertreed1313[.]xyz/next.php.

Let’s give another example to better understand it.

Another malicious domain mimicking the Microsoft login website:

fattykins.za.com - urlscan.io

Let’s show the last example:

ron-marom12.github.io - urlscan.io

A malicious domain mimicking the Netflix website login.

NB: Be careful while checking the domains; always check with VirusTotal and check whether the domain is newly created before making a decision.

 

Did you know that we can use urlscan to find malicious or typosquatting domains mimicking our organization?

We will try to find domain names similar to microsoft.com.

Connect to urlscan.io, go to search and type: page.domain:(microsoft.com~ AND NOT microsoft.com)

Search - urlscan.io

As you see, urlscan has improved a lot; by using the tool, you can save a lot of time during your investigation. Feel free to start using the tool at https://urlscan.io/.
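The two features walked through above, favicon hash matching and spotting HTTP POSTs that leave the page, are simple to reproduce on your own scan data. The following Python script is an added example (not urlscan.io’s code) working on constructed records shaped like one scan’s HTTP tab: it groups pages by favicon hash to list domains sharing a brand’s icon, and flags POST requests whose target is outside the scanned page’s own domain, the credential harvesting pattern described above. The favicon hash is computed as the SHA256 of the icon bytes (an assumption; use whatever hash the tool displays), the two-label domain comparison is a deliberate simplification, and the icon bytes and page domains are made up; only the POST target comes from the example above and stays defanged.

```python
"""Favicon-hash grouping and cross-domain POST detection over scan transactions."""
import hashlib
from urllib.parse import urlsplit


def refang(value: str) -> str:
    """Undo the hxxp / [.] defanging used for indicators in this post."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def favicon_hash(icon_bytes: bytes) -> str:
    """Hash of the icon bytes; SHA256 is assumed here (use whatever the tool shows)."""
    return hashlib.sha256(icon_bytes).hexdigest()


def registrable(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.xyz style names;
    a public-suffix list would be needed to handle e.g. co.uk correctly."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def cross_domain_posts(page_domain: str, transactions) -> list:
    """POST requests whose target is outside the scanned page's own domain."""
    base = registrable(page_domain)
    hits = []
    for t in transactions:
        if t["method"].upper() != "POST":
            continue
        host = urlsplit(refang(t["url"])).hostname or ""
        if registrable(host) != base:
            hits.append({"url": t["url"], "target": host})
    return hits


def group_by_favicon(scans) -> dict:
    """Map favicon hash -> sorted list of page domains that served that icon."""
    groups = {}
    for scan in scans:
        groups.setdefault(favicon_hash(scan["favicon"]), []).append(scan["page_domain"])
    return {h: sorted(set(d)) for h, d in groups.items()}


def lookalikes_sharing_icon(scans, brand_domain: str) -> list:
    """Other domains whose favicon hash equals the brand's own icon hash."""
    for domains in group_by_favicon(scans).values():
        if brand_domain in domains:
            return [d for d in domains if d != brand_domain]
    return []


# Constructed data: made-up byte strings standing in for .ico files.
BRAND_ICON = b"\x00\x00\x01\x00" + b"N" * 64
OTHER_ICON = b"\x00\x00\x01\x00" + b"X" * 64
SAMPLE_SCANS = [
    {"page_domain": "netflix.com", "favicon": BRAND_ICON},
    {"page_domain": "netflix-login.example", "favicon": BRAND_ICON},
    {"page_domain": "unrelated.example", "favicon": OTHER_ICON},
]

# Transactions from one scan of a constructed Microsoft-login lookalike page;
# the POST target is the URL quoted in the example above (kept defanged).
SAMPLE_PAGE = "login-microsoftonline.example"
SAMPLE_TRANSACTIONS = [
    {"method": "GET", "url": "https://login-microsoftonline.example/"},
    {"method": "GET", "url": "https://login-microsoftonline.example/static/logo.png"},
    {"method": "POST", "url": "https://login-microsoftonline.example/keepalive"},
    {"method": "POST", "url": "hxxps://robertreed1313[.]xyz/next.php"},
]

if __name__ == "__main__":
    print("icon lookalikes:", lookalikes_sharing_icon(SAMPLE_SCANS, "netflix.com"))
    print("cross-domain POSTs:", cross_domain_posts(SAMPLE_PAGE, SAMPLE_TRANSACTIONS))
```

The same-origin POST to `/keepalive` is deliberately left unflagged: a login page posting to itself is normal, and it is the change of registrable domain on a POST that marks a harvesting kit.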

 

open file

How to securely open a file

Working as a malware analyst, SOC analyst, incident responder, journalist or government investigator, you may sometimes or often need to open a file received from the internet, an email or any other source from which files can arrive.

As you may know, one of the easiest ways for a threat actor to compromise someone is to send him or her a malicious file that looks like a legitimate one. This has been an issue for decades and is still one of the most effective ways to target users.

The best way to securely open any file is to have your own sandbox (automatic or manual) that checks the file before you open it. However, if you do not have enough resources to implement a sandbox, you can still use online tools to open a file securely.

It is worth mentioning that opening a confidential or highly sensitive file using online tools could lead to a data leak. Always be careful before using an online tool to open a file. The best option is to use a tool that you can download and use offline.

Below, we share some tools that you can use online to view a file’s content without the risk of being compromised.

DANGERZONE

Dangerzone allows a user to open dangerous PDFs, office documents and images and convert them to safe PDFs.

Dangerzone: Convert potentially dangerous documents into safe PDFs

Pdffiller

An online tool to open a PDF file online.

https://www.pdffiller.com/

Google Drive

You can use Google Drive to open a file without harming your system.

For example, when you receive a message in Gmail containing an attachment, you can add the attachment to Google Drive and view it there. That way, you avoid infecting your system if the file is malicious.

https://drive.google.com/

Onlinedocumentviewer

The tool can be used to open different file formats such as office documents, PDFs and others.

https://onlinedocumentviewer.com/

Dropbox

You can use Dropbox to open a file without damaging your computer.

Dropbox.com

There are many online tools for viewing a file, but drawbacks can arise. For example, a confidential file shared online can fall into the hands of other people. If you upload a malicious file to an online tool, another person who comes across it and opens it on their system can be infected. Always be careful before opening a file online or downloading any file from such viewers.

payoutproject scam

Payoutproject[.]com: the biggest scam ever on social media (Facebook, Twitter, TikTok, Instagram)

A big scam is going on across social media. At the time of writing, thousands of people have been scammed and the number is growing.

The Payoutproject website is a marketing company located in the United States of America. The owner claims that members will be rewarded after completing tasks and activities given to them.

Many people have already complained about the fake business. Unfortunately, the scam is still growing around the world.

As always, I love such investigations, so I will share with you how I investigated the fake business and the outcome.

First of all, I checked the website via web.archive.org (https://web.archive.org/web/20230402014918/https://payoutproject.com/)

As you see, the website is well designed and will attract many visitors; let’s read the “Home page”.

We can see some information about the website and how we can be rewarded and get paid after performing some tasks. Well, I will be rich now 😊.

One important thing on the home page is: “There is no any fee, no any membership fee and no any paid thing. All is free... The main thing is your passion to the completion of task and promote to the friends”

Many people will register to gain money fast because it is very easy and fast.

I scrolled through the website and found out that they are operating on many social media platforms such as Facebook, Instagram, Twitter and TikTok.

As many scammers are usually on Facebook, I went through Facebook.com and found that someone had published a post about the business (for privacy reasons I won’t publish the name). I checked the user’s profile and found some suspicious comments, scams and other social engineering threats. That was my first hit.

I found out that the post published by the user is getting a lot of attention and is being viewed by millions of people, with thousands of comments.

At this point, we can see that the scam is worldwide and many people are already impacted and will be impacted by this malicious activity.

Now, let’s review people’s feedback about the website via an online search engine such as Chrome.

There are many reviews about the website; let’s detail some of them:

1. https://www.cloudbooklet.com/entertainment/is-payoutproject-scam-or-legit

2. https://www.scamadviser.com/check-website/payoutproject.com?utm_content=cmp-true

3. https://ie.trustpilot.com/review/payoutproject.com

As you see in the comments on the different websites, most people who commented agreed on one thing: the website is a scam; after investing in it, the balance grows but they never get the money back.

Back on the website, you can see the payment methods available to invest and be paid later.

These methods can be used by the scammers to steal your sensitive data, so if you already created an account and entered your PII or any other sensitive data, remove it, change it, and change your password if you used the same one for any other account.

The website lists the top payout countries using the application:

If you are located in any of the locations mentioned above, inform your authorities about the scam.

Always verify such a business before using it. The best option is to avoid such online businesses.

spys 1

How to use a proxy server for free over the internet

A proxy server is used to protect a network for the following reasons:

Preventing users from connecting to malicious websites

Protecting the company’s web applications by blocking malicious requests that could be used to compromise them

Acting as an intermediary between the private network and the internet

Hiding the user’s location

In our example, we will show how you can use a proxy server owned by another organization to hide your identity or change your location in order to connect to web applications restricted by the government or the authorities.

Over the internet, there are many proxy servers that do not require any authentication. We will use one of those to show how we can take advantage of it to achieve our goal.

  1. SPYS

HTTPS proxy list, HTTP proxy with SSL support, free SSL proxy servers (spys.one)

The website collects different types of proxies on a daily basis. We will use it to find a proxy server that fits our needs.

Go to “HTTPS/SSL proxy” and choose a proxy with the HTTPS protocol. In our case we chose the proxy server located in Turkey (Cankaya).

Once we have found the proper one, we can start our configuration.

2. CONFIGURATION MODE

In this example, we will use the Mozilla Firefox browser.

Open the browser

We need a tool to configure the proxy server. We will install the FoxyProxy extension to manage the proxy.

After the installation, the tool will be embedded in Firefox; click on the “extensions” toolbar button.

The extension will be listed; click on “Options” and go to the “Proxies” menu.

Now you can start the configuration.

 

As you see above, we entered the configuration details from the “Turkey” proxy server; we copied all the settings from the proxy listing.

The last thing to do is to configure our browser.

Type in the browser address bar: about:preferences#searchResults

Type the IP address and port and choose the HTTPS protocol.

Once done, we can check if the configuration works fine.

https://getfoxyproxy.org/geoip/

As you see, the location is visible. We can now connect to social media or any other website not restricted in this area.

NB: One important thing to mention is that when you use a proxy server from a third party, all your information passes through their server; note also that it is not legal to use a proxy server without authorization.