Investigating_1

Beginning

The initial contact was via text:

The URL: https[://]legalkp.com/XXX.php?p=bkXXXXX

This page shows:

If you click on this URL it will take you to another suspicious looking URL:

https[://]bailliny[.]com/wDuAqOTjETq3Eoj5Lk4ONddwWyZfmzU7MxfxNoWgYkjfaF9MPpzrQulMJptfRpoC8Y4PYYHUuesu9UJ0ae_Dag~~/jnXXXXX

Note

I used the tor browser behind a VPN and a browser sandbox in order to stay safe when investigating and you should too.

To see what was on this page (and to avoid any potential drive-by downloads) I ran this cURL command.

I also made sure to spoof my user-agent, as any competent malware developer would block a cURL user-agent.

This is the command I ran:

curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" -X GET https[://]bailliny[.]com/wDuAqOTjETq3Eoj5Lk4ONddwWyZfmzU7MxfxNoWgYkjfaF9MPpzrQulMJptfRpoC8Y4PYYHUuesu9UJ0ae_Dag~~/jnXXXXX

Now this returns basic HTML:

<script type="text/javascript">
window.location.href = "https[://]ablehast[.]com/AQXBgTb_Si5QB2idspWBA9MYrDLoWW38J2Z5M1AtnS8eOA-1E7rXobU-iF37BFeo04r8Eg2sEmYohZGuHCmRrQ~~/540359/494415125/jnXXXXX"
</script>

Now let's see where this takes us. I'll run a similar cURL command to see what gets returned.

This gives us another link:

<script type="text/javascript">
window.location.href = "https[://]benefit.benefitreliefs[.]com/l/tpl43/1/?wid=98fed6f9-0337-44e2-985b-0e6833cd941e&br=1&s1=540850&s2=494431184&s3=540850"
</script>

Note

At this point I realized something interesting. Three of the URLs (starting after the first one) had the same string at the end: jnXXXXX (partially censored). I also noticed the initial URL had a 'p' parameter, which could also have been used to track each victim individually.
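The manual cURL steps above (spoofed User-Agent, read the JavaScript redirect, repeat) and the token comparison in this note can be done in one pass. The script below is an added example and is not code from the original post: it follows a redirect chain by pattern-matching `window.location.href` in each response body (never executing the JavaScript), and reports the last path segment and any `p`/`wid` query parameter of every hop so the shared tracking identifier stands out. The offline responses are constructed from the two hops shown above, with URLs kept defanged and censored exactly as the post presents them; `live_fetch` is an assumed helper for real investigations and is not used by the offline run.

```python
import re
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# User-Agent taken from the post's curl command; a bare "curl/x.y" UA is
# commonly filtered by redirectors, so analysts present a browser UA instead.
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36")

# JavaScript redirect pattern seen in every hop of the chain.
JS_REDIRECT = re.compile(r'window\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')


def extract_js_redirect(html: str) -> Optional[str]:
    """Return the target of a window.location redirect, or None if there is none."""
    m = JS_REDIRECT.search(html)
    return m.group(1) if m else None


def refang(url: str) -> str:
    """Turn a defanged 'https[://]host[.]tld' back into a parseable URL."""
    return url.replace("[://]", "://").replace("[.]", ".")


def tracking_token(url: str) -> Dict[str, str]:
    """Identifiers an analyst compares across hops: the final path segment
    (the shared jnXXXXX string) plus any 'p' or 'wid' query parameter."""
    parts = urlsplit(refang(url))
    segments = [s for s in parts.path.split("/") if s]
    query = parse_qs(parts.query)
    out = {"last_segment": segments[-1] if segments else ""}
    for key in ("p", "wid"):
        if key in query:
            out[key] = query[key][0]
    return out


def follow_chain(start_url: str, fetch: Callable[[str], str], max_hops: int = 10) -> List[str]:
    """Walk JS redirects hop by hop. The fetcher supplies the body (with the
    spoofed UA); the body is only pattern-matched, never executed. Stops at a
    page without a redirect, on a loop, or after max_hops."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        nxt = extract_js_redirect(fetch(url))
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def live_fetch(url: str, timeout: float = 15) -> str:
    """Assumed helper for live use: fetch a (defanged or plain) URL with the
    spoofed UA. urllib follows HTTP 3xx redirects by itself, so only the
    JavaScript hops are left for follow_chain to resolve."""
    req = urllib.request.Request(refang(url), headers={"User-Agent": SPOOFED_UA})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed offline responses reproducing the hops shown in the post.
HOP1 = "https[://]bailliny[.]com/wDuAqOTjETq3Eoj5Lk4ONddwWyZfmzU7MxfxNoWgYkjfaF9MPpzrQulMJptfRpoC8Y4PYYHUuesu9UJ0ae_Dag~~/jnXXXXX"
HOP2 = "https[://]ablehast[.]com/AQXBgTb_Si5QB2idspWBA9MYrDLoWW38J2Z5M1AtnS8eOA-1E7rXobU-iF37BFeo04r8Eg2sEmYohZGuHCmRrQ~~/540359/494415125/jnXXXXX"
HOP3 = "https[://]benefit.benefitreliefs[.]com/l/tpl43/1/?wid=98fed6f9-0337-44e2-985b-0e6833cd941e&br=1&s1=540850&s2=494431184&s3=540850"

SAMPLE_RESPONSES = {
    HOP1: f'<script type="text/javascript">\nwindow.location.href = "{HOP2}"\n</script>',
    HOP2: f'<script type="text/javascript">\nwindow.location.href = "{HOP3}"\n</script>',
    HOP3: "<html><body>landing page with no further redirect</body></html>",  # constructed
}


def offline_fetch(url: str) -> str:
    """Stand-in fetcher returning the constructed bodies above."""
    return SAMPLE_RESPONSES.get(url, "")


if __name__ == "__main__":
    for hop in follow_chain(HOP1, offline_fetch):
        print(hop, tracking_token(hop))
```

To run it against a live chain, pass `live_fetch` instead of `offline_fetch` and do so from the same isolated setup the note above describes; the output makes the repeated `jnXXXXX` segment and the `wid` parameter on the final hop visible side by side.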