Kuwait Post Themed Phishing Attacks

Noticed a spike in Kuwait Post themed phishing attacks and thus I decided to format and share data that I’ve collected in hopes that it might help fellow researchers.

From what I’ve seen so far, the attack starts with an SMS message, enticing the user to click on a link. Noticed two forms of links:

A shortened link using a url shortening service.
A link to a free website building service.
- The threat actors use this service to build a site which acts like a redirector. I.e., they are using the service as a url shortener.

I am not sure if the same actor is responsible for all the campaigns listed below or if it is multiple threat actors using the same kit. Screenshots and html code can be found in the urlscan reports at the end of the page.

URLs Collected

URL	Description	IP (on date)	Date Spotted
hxxp[://]kwt95876[.]dorik[.]io/	redirects to phishing site	174.138.116.26	2022-02-06
hxxps[://]albakhoom[.]com/kwt/kw[.]php	phishing site	185.197.249.155	2022-02-06
hxxps[://]long[.]af/xzntsi	redirects to phishing site	NA	2022-02-06
hxxps[://]www[.]itcostagrande[.]edu[.]mx/menu_sse_bak/estilos/KW/kw[.]php	phishing site	45.114.225.241	2022-02-06
hxxps[://]kuwaitparcel[.]wonstasite[.]com/track	redirects to phishing site	NA	2022-01-28
hxxps[://]fe652fffe[.]wonstasite[.]com/kwt/kw[.]php	phishing site	34.117.145.14	2022-01-28
hxxp[://]kuwaitpost[.]com[.]u1578788[.]cp[.]regruhosting[.]ru/ar/kuwait/Redsys[.]html	phishing site	31.31.198.249	2022-01-24
hxxp[://]mrmohamedmohamed92-wordpress[.]sloppy[.]zone/kwt/kw[.]php	phishing site	217.24.220.217	2022-01-23
hxxps[://]kuwait-parcel[.]bizwebs[.]com/	redirects to phishing site	83.167.249.7	2022-01-23

Patterns

Noticed smililaries in the url paths of the following domains

Domain	Date Spotted
albakhoom[.]com	2022-02-06
www[.]itcostagrande[.]edu[.]mx	2022-02-06
mrmohamedmohamed92-wordpress[.]sloppy[.]zone	2022-01-23

Url paths can be found below. Again, same phishing kit? same actor? coincidence? no idea.

URL Paths

www[.]itcostagrande[.]edu[.]mx
/menu_sse_bak/estilos/KW/etih/kw[.]php
/menu_sse_bak/estilos/KW/etih/otp[.]php
/menu_sse_bak/estilos/KW/etih/otp2[.]php
/menu_sse_bak/estilos/KW/good[.]php
/menu_sse_bak/estilos/KW/kwt[.]php
/menu_sse_bak/estilos/KW/load[.]php
/menu_sse_bak/estilos/KW/load2[.]php
/menu_sse_bak/estilos/KW/load3[.]php
/menu_sse_bak/estilos/KW/sms[.]php
/menu_sse_bak/estilos/KW/sms2[.]php
/menu_sse_bak/estilos/KW/wait[.]php

albakhoom[.]com
/kwt/good[.]php
/kwt/load3[.]php
/kwt/etih/otp2[.]php
/kwt/sms2[.]php
/kwt/load2[.]php
/kwt/etih/otp[.]php
/kwt/sms[.]php
/kwt/load[.]php
/kwt/etih/kw[.]php

mrmohamedmohamed92-wordpress[.]sloppy[.]zone
/kwt/wait[.]php
/kwt/etih/num[.]php
/kwt/kw[.]php

kuwaitpost[.]com[.]u1578788[.]cp[.]regruhosting[.]ru
/ar/kuwait/Seleccione_medio_de_pago_codigo[.]php
/ar/kuwait/Seleccione_medio_de_pago_codigo[.]php
/ar/kuwait/Seleccione_medio_de_codigo_loading[.]php
/ar/kuwait/pay[.]php
/ar/kuwait/Redsys[.]html

Urlscan Reports

hxxp[://]kwt95876[.]dorik[.]io/
- https://urlscan.io/result/e428f278-0c7b-4ee7-ab4c-0ec8d0f19708/
hxxps[://]albakhoom[.]com/kwt/kw[.]php
- https://urlscan.io/result/e428f278-0c7b-4ee7-ab4c-0ec8d0f19708/
hxxps[://]www[.]itcostagrande[.]edu[.]mx/menu_sse_bak/estilos/KW/kw[.]php
- https://urlscan.io/result/cc8324c0-3bab-445d-be32-87d648101dfd/
- https://urlscan.io/result/4fcdfc34-dd7a-4ec9-9014-48aa6e6427cd/
hxxps[://]kuwaitparcel[.]wonstasite[.]com/track
- https://urlscan.io/result/57dbd83f-229c-441c-9889-12f9ca5788fa/
hxxps[://]fe652fffe[.]wonstasite[.]com/kwt/kw[.]php
- https://urlscan.io/result/57dbd83f-229c-441c-9889-12f9ca5788fa/
hxxp[://]kuwaitpost[.]com[.]u1578788[.]cp[.]regruhosting[.]ru/ar/kuwait/Redsys[.]html
- https://urlscan.io/result/268eb2db-6398-4bc4-aa3b-db8227b4f094/
hxxp[://]mrmohamedmohamed92-wordpress[.]sloppy[.]zone/kwt/kw[.]php
- https://urlscan.io/result/2d8a7be0-10ec-49b2-8278-6eb2ac1bd739/
hxxps[://]kuwait-parcel[.]bizwebs[.]com/
- https://urlscan.io/result/2d8a7be0-10ec-49b2-8278-6eb2ac1bd739/