Bangaly Koita

Bangaly Koita is a SOC Analyst and Cyber Security researcher . As a passionate in cyber security, he spends most of the time writing articles and making videos online to share his knowledge and experience to the vast community of IT but in general Cyber Security. Feel free to contact me in case.

What is OSINT ?

Bangaly Koita 2 weeks ago

OSINT means Open-Source Intelligence. It is a set of tools that are available for everyone and everywhere.

OSINT is used in many different areas such as:

Cyber Threat Intelligence
Human Intelligence
Political Intelligence
Journalist Intelligence
And others.

OSINT allows to collect any type of data available online and analyze it. The OSINT cycle is:

Data collection
Data Analysis
Report (Documentation and Recommendations)

The OSINT Report depends on which area you are using OSINT. For example in Cyber Threat Intelligence (Why do we need a Cyber Threat Intelligence? - osintafrica), OSINT report can be writing following one of the models CYBER KILL CHAIN or The Diamond Model of Intrusion Analysis, more details about the models can be found here Three attacks frameworks that Cyber Security members should know osintafrica.

OSINT framework tools are available and easy to find online.

Some of them are:

OSINT Framework

Tools - Start.me

My OSINT Training's Tools

Advantages of using OSINT:

OSINT has many advantages such as many applications are free and accessible online, data available anywhere but the most important for us, are the following:

Detect Threats
Vulnerabilities
Information lookup
Data breached identification

Anything that has advantages, has inconveniences as well.

OSINT does have some.

OSINT Inconveniences:

Data can be query by anyone online

PII data accessible online

Vulnerability and threats are identifiable online

Data breached data are accessible on different platform (Dark Web, Hacking forum , OSINT tools and others ..).

OSINT tools can be vectors of attack.

The privacy concerning OSINT , the privacy concerns is quite similar to GDPR regulation requirements, such as collecting only information related to your investigation, having authorization to collect the data (PII or IP) and others.

OSINT is very useful, like said before, the tools are available for anyone to use. You can start using it by looking up some information related to your self. Do not forget about Privacy related to OSINT.

Main News

Windows files system you should never whitelist in your environment

Bangaly Koita 4 months ago

If you are working in SOC as SOC Analyst or Incident Response, Threat Hunters, Threat Intelligence Analyst, you might be facing with whitelisting and blacklisting already.

Whitelisting consists of allowing access within your environment. In SOC term, when you whitelist a file or command, it won’t show up in the alert, which could be very dangerous as you might not see the malicious activities triggering.

Blacklisting consists of blocking access within your environment.

Whitelisting and Blacklisting are usually done by tools such as EDR, SIEM, Antivirus and other.

You should be very careful while doing any of those, as it might cause several damages to your organization.

Below, we will describe some of the Windows files system that you should never whitelist within your environment.

First of all, let’s start by the folder C:\WINDOWS\system32\ . The folder is used by Windows OS to hold systems files and folders. Most of the files we will be discussing today, are in this folder.

Mshta.exe: Is an utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. Attacker can use the command as System Binary Proxy Execution to execute malicious code directly from a remote server to bypass application control and browser security.

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility (https://attack.mitre.org/techniques/T1218/005 ).

Cmd.exe: command-line interpreter for Windows, many threat actor run the malicious command from command-line interpreter to compromise the system, to exfiltrate data and others

utilman.exe: The file is associated with the Utility Manager application of Windows. Can be used to monitor an application and give access to useful UI settings within Windows.

Svhost.exe: Used to host Windows services, malware can use the file to hide itself from the Antivirus or the detection engine.

Microsoft Shortcut File (LNK): The file is used to link various types of information such as files, network shares, can be used by a malware to execute a malicious file located in a remote environment.

powershell.exe: It is a command line tool used to manage and automate tasks in the Windows operating system. The tools can be used to exploit the system by creating a script.

msiexec.exe: It is used to install, modify, and perform operations on Windows Installer (MSI (Windows Installer Package)) from the command line.

services.exe: Is the Windows service control manager, it controls all the services. It can be used by a malware to start and stop a malicious service.

fodhelper.exe: Used for managing language changes in the operating system. It can be used by adversaries to bypass User Account Control and execute additional commands with escalated privileges.

dllhost.exe: It is used to host and execute DLLs. The process is used to host COM (Component Object Model) object. It can be used by malware to execute a fake DLL code.

rundll32.exe: It is used to give the access to the developers to create functions stored separately as a DLL file. It can be used my malware to run a DLL file to perform a malicious activity.

BCDEdit.exe: It can be used to verify the new stores, modifying existing stores, and adding boot menu options. It can be used by malware to modify the boot loader configurations.

regsvr32.exe: It is used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. It can be used by malware to store malicious file or key in the registry.

WMIC: It is a deprecated command-line interface working with Windows Management Instrumentation to manage data and operations on a Windows. The tool is deprecated and not available in PowerShell 6+. The tool can be used to provide users information from the remote computer.

PowerShell: It is an automation configuration tool. It can be used to deploy, test, build solution. The tool is quite often used by malware to deploy on the system and compromised.

userinit.exe: It is a is a program that restores the profile, fonts, colors for a user. It can be used by malware to add a program.

Schtaske.exe: It is used for performing a task scheduling task, maybe used by threat actors for the execution of malicious code.

taskhostw.exe: The file is used by Windows 10 as a host for processes that execute as part of a DLL file. It can be used to monitor applications, keyboard, mouse activities. A threat actor can used that to perform malicious activities.

wsmprovhost.exe to identify remote connection related to WINRM or PowerShell

Vssadmin: Used to display the volume shadow copy backups and installed shadow copy writers and providers. The threat actor can leverage to perform it to delete or copy the data backup, resize it (anti forensic technic) to destroy the evidence.

Mstsc.exe Creates and edit connections to Remote Desktop Session Host servers or other remote computers.

In conclusion, it is required to always check the file perform suspicious activity. You might know that some activities might be legitimate, for example activities performed by the admin. You need to know how to differentiate those normal activities from the malicious one. Checking the file location, the file hash, and signature will be a good starting point to detect a malicious file.

Main News

New update in URLSCAN to detect malicious domains

Bangaly Koita 7 months ago

If you are following our blog Home Home - osintafrica, you already know the tool URL and website scanner - urlscan.io, click on https://www.osintafrica.net/how-to-use-urlscan-part1/ for more details.

The best tools always need improvement and urlscan.io is one of those. The tool has done some improvements that can help an Analyst to perform faster and more efficiently the investigation on phishing website mimicking an organization.

Let’s have a look at the new improvements.

The tool introduced two great features (Favicon hash detection based and the HTTP post request detection) which can be used to detect phishing website mimicking an organization and credentials harvesting domain.

To better understand that, lets practice a bit.

Detecting a website mimicking Netflix using the FAVICON HASH ANALYSIS

A Favicon is the website icon, it helps to visually represent a website and to distinguish between open tabs or search results.

A favicon contains a hash, a hash of a favicon can be used to detect similar website.

The feature has been introduced into urlscan.io to make it easier for the Analyst to quickly perform his or her investigation.

Example 1:

We will connect to urlscan.io and use a domain mimicking NETFLIX website, we will use the favicon hash to find similar website.

Let’s do it.

Connect to https://urlscan.io/result/fb90e947-db87-4476-924d-5db678a50acd/#transactions

Click on the “HTTP” button in blue, type (crtl F - favicon), scroll down, click on the hash and open in a new tab, you will see the result.

Example 2: Detect website mimicking Microsoft.com.

https://urlscan.io/result/b4cf2f17-ebee-47b4-b85e-f63eae623ec4/#transactions

click on the hash and open in a new tab, you will see the result.

Detecting a credential harvesting domain using HTTP POST request detection based.

A credentials harvest is when a threat actor sends a phishing link to user, once the user clicks and enters his/her credentials, the credentials will be sent to another domain, where they will be stored by the threat actor which will be used to impersonate the user or sell via the Dark web. This technic is commonly used against organizations that use the cloud as a service such as Microsoft O365

Let’s give an example, we have detected a maldomain mimicking Microsoft login, when a user enters the credentials, the credentials will be sent to hxxps://robertreed1313[.]xyz/next.php

Click on the link:

https://urlscan.io/result/e25dc1e1-9ab7-491c-94a8-20aec6eba2d8/#transactions

As you see in the image, there is “HTTP POST” request which is an indication of data being sent to another URL in this case (hxxps://robertreed1313[.]xyz/next.php)

Let’s give another example to better understand it.

Another maldomian mimicking Microsoft login website:

fattykins.za.com - urlscan.io

Let’s show the last example

ron-marom12.github.io - urlscan.io

Maldomain mimicking Netflix website login.

NB: Be careful while checking the domains, always check with Virustotal and check if the domain is newly created before making a decision.

Do you know that we can use URLSCAN to find maldomains or typo squatting domains mimicking our organization?

We will try to find domains name similar to Microsoft.com

Connect to urlscan.io, go to search – type: page.domain:( page.domain:(microsoft.com~ AND NOT microsoft.com))

Search - urlscan.io

Like you see, URLSCAN has improved a lot; by using the tool, you can save a lot of times during your investigation. Feel free to start using the tool https://urlscan.io/.

Main News

How to securely open a file

Bangaly Koita 11 months ago

Working as malware analyzer or SOC analyst or Incident responder or Journalist or Governmental investigator, you may need sometimes or often to open a file from the internet or email address or any other source possible to receive a file.

As you may know, one of the easier ways for the threat actor to compromise someone is to send him or her a malicious file that look like a legitimate one. This issue been for decade and still is one of the most efficient ways to target the users.

The best way to securely open any file is to have your own SANDBOX (automatic or manual sandbox) that may check the file before opening it. However, if you do not have enough resources to implement a sandbox, you still can use online tools to open a file securely.

It worth mentioning that opening a confidential file or highly sensitive file using online tools could lead to data leak. Be careful always before you use a tool to open a file online. The best option is to use a tool that you can download offline and use.

In the upcoming line, we will share some tools that you can use online to view the file content without the risk of being compromised.

DANGERZONE

Dangerzone allow a user to open dangerous PDFs, office documents, images and convert them to safe PDFs.

Dangerzone: Convert potentially dangerous documents into safe PDFs

Pdffiller

An online tool to open a PDF file online.

https://www.pdffiller.com/

Google Drive

You can use Google Drive to open a file without harming you.

For example, when you receive a message from Gmail containing an attachment, you can add the attachment to Google Drive and view it. By doing it that, you avoid your system from being infected if the file is malicious.

https://drive.google.com/

Onlinedocumentviewer

The tool can be used to open different files formats such as office packages files, pdf and others.

https://onlinedocumentviewer.com/

Dropbox

You can use Dropbox to open a file without damaging your computer.

Dropbox.com

They are many tools that you can use online to view a file but the inconveniency can raise. For example, the confidential file share online can fall in the hand of other people. If you upload a malicious file via online tool, another person that gets in touch and open the file on his system can be infected. Always be careful before you open a file online and download any file from the file viewer sources.

Main News

Payoutproject[.]com the biggest scam ever on social media Facebook, twitter, TikTok, Instagram

Bangaly Koita 1 year ago

A big scam is going on social medias. At the time of writing, thousands of people were scammed and the number is growing.

The Payoutproject website is a marketing company located in the United States of America. The owner affirms that the members will be awarded after doing some tasks and activities which are given to them.

Many people already complained about the fake business. Unfortunately, the scam business is still growing up around the world.

As always, I love such investigation, I will share with you, how I investigated the fake business and the outcome after.

First of all, I checked the website via webarchive.org (https://web.archive.org/web/20230402014918/https://payoutproject.com/)

Like you see, the website is well design and will attract many visitors, let’s read the “Home page”.

We can see some information about the website and how we can be rewarded and get paid after performing some tasks. Well, I will be rich now 😊.

One important thing on the Home page is “There is no any fee, no any membership fee and no any paid thing. All is free... The main thing is your passion to the completion of task and promote to the friends”

Many people will register to gain money fast because the is very easy and fast.

I scrolled over the website, and found out that they are operating in many socials’ medias such as Facebook, Instagram, Twitter, TikTok.

As many scammers are usually on Facebook, I went through Facebook.com and I found on Facebook that someone published a post about the business (for privacy reason I won’t publish the name). I checked the profile of the user and found some suspicious comments scams and others social engineering threat. That was my first hit.

I found out that the post published by the user is getting more attention and is being viewed by millions of people following with thousands of comments.

At this point, we can see that the scam is word wide and many people are already impacted and will be impacted by this malicious activity.

Now, let’s reviews people feedback about the website via search engine online such as Chrome.

There are many reviews about the website, let’s detailed some of the reviews:

https://www.cloudbooklet.com/entertainment/is-payoutproject-scam-or-legit

2. https://www.scamadviser.com/check-website/payoutproject.com?utm_content=cmp-true

3. https://ie.trustpilot.com/review/payoutproject.com

Like you see in the comments from different websites, most of people who commented agreed on one thing, the website is a scam, after investing in the website, the money grow and never received the money back.

Back on the website, you can see the payment methods available to invest and be paid later.

This method can be used by the scammers to steal your sensitive data, so if you already created an account and used your PII or any sensitive data removed and changed your sensitive data and password if you used the same in any other account.

The websites mentioned the top payouts countries using the application

In you are located in any of the location mentioned above, inform your authority about the scam.

Always verify such business before using it. The best option will be to avoid such online business.

Main News

How to use a proxy server for free over the internet

Bangaly Koita 1 year ago

A proxy server is used to protect the network for the following reasons:

Preventing the users to connect to malicious websites

Protecting the company web application by preventing any malicious request that can be used to compromised it

Act as intermediary between the private network and the internet

Can be used to hide the user’s location

In our example, we will show how you can use a proxy server own by another organization to hide your identity or change your location in order to connect to different web application restricted by the government or the authority.

Over the internet, there are many proxy servers that don’t require any authentication to be used. We will use one of those to show how we can take advantage of it to achieve our goal.

SPYS

HTTPS proxy list, HTTP proxy with SSL support, free SSL proxy servers (spys.one)

The website is collecting different types of proxy on daily basis. We will use this website to find a proxy server that fits our needs.

Go to “HTTPS/SSL proxy” choose one proxy with the HTTPS protocol. In our case we choose the proxy server located in Turkey (Cankaya)

Once we find the proper one, now we can start our configuration.

2. CONFIGURATION MODE

In this example, we will use the browser Mozilla.

Open the browser

We need a tool to configure the proxy server. We will install the tool FoxyProxy to manage the proxy.

After the installation, the tool will be embedded in Mozilla, click on the “extension” toolbar

The application will be listed, click on “option”, go to “proxies’ menu”

Now, you can start the configuration.

Like you see above, we choose the configuration details from the proxy server “Turkey”, we put all the setting from the proxy.

The last thing to do is to configure our browser

Type in the browser search button: about:preferences#searchResults

Type the IP address and port and chose the HTTPS protocol

Once done, we can check if the configuration works fine.

https://getfoxyproxy.org/geoip/

As you see, the location is visible. We can now connect to social media or any other website not restricted in this area.

NB One important thing to mention is that when you use a proxy server from a third party, all you information are passing through his server and know that, it is also not legal to use a proxy server without authorization.

Main News

Top Windows Events ID Security Operation Teams should know

Bangaly Koita 1 year ago

Every second, they are thousands of logs being generated from different sources (Proxy, Firewall, End Point, servers, Router, Switch, Email server, Active Directory, IDS/IPS …) and store in a log management tool or SIEM. As an analyst, without a proper way of filtering the events it is almost not possible to detect a threat.

The easiest and most efficient way to analyze the events in windows environment is to look for the proper event id that matches to the alert. The event ID will help you to find faster and accurately the proper event you are looking for and make you investigation much easier.

Below, we share with you the Windows events ID that have the highest percentage of occurrence in the network.

WINDOWS event ID 4624 An account was successfully logged on:
The event is generated when a user’s account logged onto the local computer (can be generated after one or more log on failed attempt followed by one successful attempt). It is used to detect different attacks unauthorized log on in the network.

WINDOWS event ID 4625 An account failed to log on:

The event is generated when a user account’s failed to log on (can be generated after one or more log on failed attempt). It is used to detect different attacks unauthorized log on failed in the network.

WINDOWS event ID 1102 The audit log was cleared:

The audit log can be cleared by the admin or by a threat actor to remove the trace, this technic is often used by threat actor as anti-forensic technic to make to investigation more complex.

WINDOWS event ID 4688 A new process has been created:

The event is generated when a process is created, Windows OS has many processes so seeing a process being created does not mean that you are under attack but most of the threat actor used the Windows processes or mimic the Windows processes to perform an attack. Monitoring a new process being created is crucial.

WINDOWS event ID 4698 A scheduled task was created:

Similarly, to the event ID 4688, the event ID 4698 could be used by the admin to perform a specific task regularly or used by a threat actor for persistency or privilege escalation. Monitoring a scheduled task being created is crucial.

WINDOWS event ID 4657 A registry value was modified:

Always when a new file, process, scheduled task or any other activity is performed in the network, it is recorded in the registry. A threat actor after running a malicious process, file or scheduled task, can use the registry to add a key that will allow him or her to maintain the persistency. Monitoring any key added in the registry is crucial.

WINDOWS event ID 4704 and event ID 4705 A (A user right was assigned and A user right was removed)

This activity is often performed by the admin when the new user is created, but a threat actor can leverage it to perform an attack such as impersonation or privilege escalation.

WINDOWS event ID 4719 A system audit policy was changed:

This may happen when a threat actor does want to hide the activities that he had perform to compromise the system. It worth monitoring to detect when an unauthorized user disables to system audit policy.

WINDOWS event ID 4720 A user account was created, WINDOWS event ID 4740 A user account was locked, WINDOWS event ID 4741 A computer account was created:

The following events IDs mentioned above are quite important, any activity on an account such as account creation, changed, locked, deleted should be monitored. The threat actor can create a new account as a backdoor and delete after performing the attack.

Windows event ID 4723 An attempt was made to change an account's password and Windows event ID 4724 An attempt was made to reset an accounts password:

An unauthorized password change should not be accepted in the environment. This issue can lead to further damage such as privilege escalation, data loss and others.

Windows event ID 4768 A Kerberos authentication ticket (TGT) was requested, Windows event ID 4769 A Kerberos service ticket was requested, Windows event ID 4771 Kerberos pre-authentication failed:

A Kerberos protocol is used to access to the network. The protocol can be abuse by threat actor to connect to the network and perform malicious activities. For example, in Windows environment, Kerberos is used to authenticate and authorized the users to connect in Active Directory.

The threat actor after the initial compromise phase, can abuse Kerberos to perform attack such as kerberoasting or pass the ticket to escalate from one privilege to another. The events ID related to Kerberos should be monitored.

Windows event ID 4787 A non-member was added to a basic application group, Windows event ID 4788 A non-member was removed from a basic application group:

A non-member added or removed to another group could be a sign of administrative activity or attack, a threat actor can add a new user in a group to maintain a foothold. A that actor can remove a member added previously to remove the foothold. Any new member added or removed should be monitored. If the activity is not allowed, further investigation should be provided.

Windows event ID 4946 A change has been made to Windows Firewall exception list. A rule was added:

Any new rule created should be verified if allowed or not. A threat actor can create a rule to redirect a connection to a malicious server or to connect to a specific target such as AD, Database and others.

For example, if a threat actor compromises a web server, he or she can make a change to the firewall to connect to the database server.

Windows event ID 5140 A network share object was accessed and Windows event ID 5142 A network share object was added:

It is common to see a threat actor accessing a network share and execute a malicious command to get high privilege or exfiltrate data. Monitoring the network share is worthy.

Windows event ID 4663 An attempt was made to access an object:

A threat actor can enumerate an object with “write” right to access to the object. This is done to get higher privilege.

Windows event ID 4608 Windows is starting up:

At the time of starting, a threat actor can corrupt the system by uploading a malicious payload. A system booting or starting should be a good point to monitor.

Windows Security Log Encyclopedia (ultimatewindowssecurity.com)

Sysmon - Sysinternals | Microsoft Learn

windows 10 - How to find specifics of what Defender detected in real time protection? - Super User

Main News

Facebook user impersonated by scammers to target small businesses in German speaking countries

Bangaly Koita 1 year ago

Facebook became the Eldorado of the scammers; every day thousands of people are reporting the account lost issue. This is due to the fact that most of people are not aware of this attack. The small businesses are one of one most important target for the scammers. It is not the first time, we have reported scammers impersonating Facebook’s user to redirect a user to authenticate to a wrong Facebook page and it won’t be the last.

Let’s break the scenario down.

The scammer sends thousands of messages to many users and small businesses containing a link.

The scammer is waiting for the user to click on the link and enter the password.

Once this is done, the user loses his or her account.

The message looks usually like this:

The malicious link at the end of the message on which the user should click.

As you see, the malicious link is visible after the Facebook link, this is done by the scammer to trick the user to click and enter the credentials to the wrong Facebook website.

The following link is very hard to detect with many open-source engines.

We used the tool “Browserling” that showed us the redirect link which is not available at the moment.

We can check it also from the Open-source tool “Cyber-chef”. First, take the URL after the Facebook.com and paste it into the tool.

Now that the redirect link is available, we can check the link from Virus-total

From Virus total, click on “Details” to get more information about the domain.

We found out that the domain is newly created:

History

First Submission

2023-10-23 21:27:58 UTC

Last Submission

2023-10-23 21:27:58 UTC

Last Analysis

2023-10-23 21:27:58 UTC

At this point, we are pretty sure that the link is not from Facebook and is a malink or maldomain.

Recommendation:

Use 2FA

Check when you received a suspicious link or domain like we described here before clicking on it.

In case you entered your password, as soon as possible, connect to your account and change your password as fast as possible and check if there is any new device created and removed.

IOCs:

faeboser-storyresver19849[.]io[.]vn

103.18.7.159

Main News

Fake free iPhone 15 Pro world wide scam targeting users around the world

Bangaly Koita 1 year ago

Our Threat Intelligence team has detected a massive scamming campaign targeting users around the world.

The threat actors has created many similar websites to target many users, the message has been already sent to thousand of users.

AS you see below, the scammers are using a deceptive method to achieve their goal.

First of all, let’s have a look at the message body:

Subject: Your opportunity to get an iPhone 15 Pro for FREE.

In the picture above, the user received the message saying that he or she has been selected to receive a new iPhone 15 PRO. This kind of scam is very deceptive. Most of the users will click on the link.

There is a link behind the red button “Click to get started” on which the user should click to receive the reward.

Link: hxxps://storage.googleapis[.]com/hatrioua/hreflink.html#?Z289MSZzMT0xNzA0MzE2JnMyPTEwNDUxOTQ3NCZzMz1HTEI=

Once you click on the link, you are redirected to another link.

Browserling - Live interactive cross-browser testing

Elusivesnads[.]com

As you see on the picture above, there is a survey available before you get the reward. After passing the survey, you are redirected to another website to ship the reward.

All the goods on the website are free, you need to pay only for the shipment which almost costs 10 Euro.

This technic usually works because most of users will be attracted by the offer. The amount of money for the shipment comparing to the real price of the good is nothing. Once the shipment is paid, the good will never arrive.

The threat actors created many domains to target more users and make more difficult to stop the attack.

Some domains related to the same issues:

Launchers[.]world

Wedgesplash[.]bio

Bindingsol[.]com

Znaperload[.]com

Spinninghats[.]world

Scanstrings[.]org

Aquariumpine[.]com

Yataganmon[.]com

Slightroads[.]com

Kompratutino[.]live

Newcrames[.]com

The domains are newly created and registered between different service providers such as Google, Amazon, CLOUDFLARENET, DFW-DATACENTER and others.

Thousand of people are being scammed every day. The best way to reduce the risk of being scammed is to check the website always when you receive such message before you connect on it.

Tools to verify website reputation:

https://www.virustotal.com/

https://app.any.run/

https://urlscan.io/

https://sitereview.bluecoat.com/

https://safeweb.norton.com/

Google Search Google

Main News

Scammers are targeting the French fines authorities website

Bangaly Koita 1 year ago

The website https://www.amendes.gouv.fr is the only governmental website for online payment of fines issued by the French authorities.

The website contains confidential, PII, financial information and others. In case of any data stolen or breached; it could cause several damages.

I found out many suspicious domains mimicking the website. The suspicious domains are located in different location through the world.

Let’s share with you the investigation.

Some suspicious domains:

amende-gouv-login[.]fr

amende-pv-service[.]com

antai-gouv-amendes[.]net

antais-gouv[.]com

xn--rglementamendes-bnb[.]fr Puny réglementamendes[.]fr

servicesamendes[.]info

ksocampaign[.]com

the domains mentioned above are some of the domains mimicking the online fines payment.

Among those domains, the domain ksocampaign[.]com paid my attention.

While investigating, I found the following email address “yakuzahn2.gmail.com” in the DNS OSA records which could be the administrator email address.

ksocampaign.com - Current DNS records and Full DNS Report (securitytrails.com)

I took the email address and checked through Google search and the information below was found.

Like you see, the email address is associated to a website used to unlock the websites that were hacked by the Iranian Locker group.

dhs.edu.bt - urlscan.io

At this point, we came to the following conclusion:

The domain ksocampaign[.]com might belong to the Iranian threat actor or the person behind the email address “yakuzahn2.gmail.com”.

The intention of the threat actor behind the phishing campaign or the threat actor mimicking the online payment website is to get the users credentials and credit cards information from the users.

You may have missed