After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/
The .mobi was a previous post where they bought the expired domain which was previously used by the .mobi WHOIS server.
A bunch of systems apparently didn’t update their WHOIS database and still tried to get WHOIS information from the old domain.
This could lead to RCE in some implementations if they provided a malicious response.
A bunch of CAs also accessed the old domain and use WHOIS to verify domain ownership. By setting their own email address for verification, they could have issued themselves a certificate for any .mobi domain (microsoft.mobi, google.mobi for examle).
Now to this article, here they looked at a bunch of webshells with backdoors added by the developers. Some of the domains had expired, so by getting those domains and setting up a webserver they got connections from different systems infected by the malware. They could have used the same backdoor previously used by the devs to access those same systems remotely and do whatever.
Thanks mate!