A wave of KOI Loader/Stealer activity beginning around 2024-04-02 used malicious ZIP attachments containing Windows shortcuts that fetched additional payloads from a compromised web directory, ultimately deploying binaries decoded from PowerShell scripts. Post-infection traffic contacted a C2 at 195.123.218[.]40 and downloaded components including mendipite.exe and decoded payloads (pg20.exe, pg40.exe). #KOILoader #mendipite.exe

Keypoints

  • Campaign began ~2024-04-02 and delivered malicious ZIP archives (e.g., Chase_Bank_Statement_March.zip) containing Windows shortcut (.lnk) files.
  • Infection chain: ZIP archive → Windows shortcut execution → HTTP downloads of scripts/binaries → post-infection C2 communication.
  • Malicious hosting observed on saidecommunity[.]org under /assets/js/ serving PHP, PS1, and EXE files (e.g., menkind.php, agent1.ps1, mendipite.exe).
  • Multiple file hashes identified for delivered artifacts, including PowerShell scripts (agent1.ps1, sd2.ps1, sd4.ps1) and EXEs (mendipite.exe; decoded pg20.exe, pg40.exe).
  • Decoded binaries from sd2.ps1 and sd4.ps1 produced distinct executables (pg20.exe and pg40.exe) with unique hashes, indicating staged retrieval and decoding.
  • Post-infection C2 communications observed to 195.123.218[.]40 with POST /fougade.php and GET/POST to /index.php endpoints.
  • Techniques used align with phishing delivery, user execution of malicious files, obfuscation/decoding, masquerading, HTTP-based C2, and ingress tool transfer.

MITRE Techniques

  • [T1566] Phishing – Initial delivery used malicious ZIP attachments; quoted evidence: ‘zip archive –> Windows shortcut –> traffic to install malware –> post-infection C2’
  • [T1566.002] Phishing: Spearphishing Attachment – ZIP file sent as an attachment carrying the .lnk file; quoted evidence: ‘sending a zip file as an attachment to the target.’
  • [T1204] User Execution – Execution required user action to open the .lnk file extracted from the archive; quoted evidence: ‘The user is tricked into executing the malicious content.’
  • [T1204.002] User Execution: Malicious File – The Windows shortcut (.lnk) directly led to payload execution; quoted evidence: ‘Opening the Windows shortcut file directly leads to the execution of the malicious payload.’
  • [T1027] Obfuscated Files or Information – Artifacts were hidden in ZIPs and scripts to evade detection; quoted evidence: ‘Using a zip archive to hide the true nature of the .lnk file and potentially the final payload to evade detection by security tools.’
  • [T1140] Deobfuscate/Decode Files or Information – PowerShell scripts (sd2.ps1, sd4.ps1) decoded embedded binaries (pg20.exe, pg40.exe); quoted evidence: ‘The malicious payload may be obfuscated or encoded within the .lnk file and only decoded/executed upon user interaction.’
  • [T1036] Masquerading – Shortcut and archive names (e.g., Chase_Bank_Statement_March.lnk) used to impersonate benign documents; quoted evidence: ‘The Windows shortcut (.lnk) file may masquerade as a legitimate file or link to deceive the user into executing it.’
  • [T1071] Application Layer Protocol – HTTP used to download scripts/binaries and communicate with C2; quoted evidence: ‘Malicious traffic generated by the shortcut to download/install further malware.’
  • [T1071.001] Web Protocols – Use of HTTP(S) endpoints on saidecommunity[.]org to fetch payloads and interact with C2; quoted evidence: ‘Utilizing HTTP/HTTPS for communication with the command and control (C2) server to download additional malware components.’
  • [T1105] Ingress Tool Transfer – Additional tools and executables were retrieved from the remote server after initial execution (e.g., mendipite.exe, decoded EXEs); quoted evidence: ‘After initial execution, the malware downloads additional tools or payloads from a command and control server to the compromised host.’

Indicators of Compromise

  • [File Hash] Delivered archive and artifact hashes – 3e150b3a958f67da3a821e468c3f3f72b4404dfba207158343589eab24c0074a (Chase_Bank_Statement_March.zip), 4f1a84d8a870a63bc255303d47f86a604b4233a97a49f4f26fc9b958d94ed24f (Chase_Bank_Statement_March.lnk), and 11 more hashes.
  • [File Hash] Files fetched from host – 97b7cf5bf4cadde3bd8745e3347bb9707a43cb816f21a062eaf3010b6768a551 (mendipite.exe), 001e9bd6b2aebb2b089ceb8ebe1488c66765c10d365ceffa77d67cedecea8c33 (decoded pg20.exe).
  • [Filename] Malicious filenames observed – Chase_Bank_Statement_March.lnk, mendipite.exe, sd2.ps1, sd4.ps1 (used in decoding and executing payloads).
  • [URL/Domain] Hosting and download URLs – hxxps[:]//saidecommunity[.]org/assets/js/menkind.php, hxxps[:]//saidecommunity[.]org/assets/js/mendipite.exe, and 5 more paths on the same domain.
  • [IP Address] Command-and-control endpoints – 195.123.218[.]40 seen in POST /fougade.php and GET/POST to /index.php (post-infection C2 traffic).

Malicious actors distributed ZIP archives (notably named to mimic bank statements) containing Windows shortcut (.lnk) files that, when executed by the user, initiated HTTP requests to a public web directory on saidecommunity[.]org. The hosted resources included PHP and PowerShell scripts (menkind.php, agent1.ps1, agent3.ps1, sd2.ps1, sd4.ps1) and an initial executable (mendipite.exe); hashes for these artifacts were documented for detection and triage.

Two PowerShell scripts (sd2.ps1 and sd4.ps1) decoded embedded payloads into distinct EXEs (pg20.exe and pg40.exe), indicating a staged delivery where scripts retrieve/construct final binaries on the host. Observed workflow: user opens LNK → PowerShell/script execution → download/decode of binaries → execution of decoded EXEs. Relevant artifact examples include mendipite.exe and the decoded EXE hashes (pg20.exe, pg40.exe).

Post-infection activity involved HTTP-based C2 to 195.123.218[.]40 with observed endpoints POST /fougade.php and GET/POST to /index.php (with parameters such as id=&subid=). Detection and response should focus on blocking the saidecommunity[.]org paths, the identified file hashes, monitoring for .lnk execution from user directories, and network indicators pointing to 195.123.218[.]40.
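As an added example (not code from the original report), a small Python triage script that applies the report's network and hash indicators to proxy-log lines; the log format and the sample lines are constructed assumptions, while the IP, domain, paths and hashes come from the report above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report, refanged so they match real log lines.
C2_IP = "195.123.218.40"
C2_PATHS = {"/fougade.php", "/index.php"}
STAGING_HOST = "saidecommunity.org"
STAGING_PREFIX = "/assets/js/"
KNOWN_HASHES = {
    "3e150b3a958f67da3a821e468c3f3f72b4404dfba207158343589eab24c0074a",  # Chase_Bank_Statement_March.zip
    "4f1a84d8a870a63bc255303d47f86a604b4233a97a49f4f26fc9b958d94ed24f",  # Chase_Bank_Statement_March.lnk
    "97b7cf5bf4cadde3bd8745e3347bb9707a43cb816f21a062eaf3010b6768a551",  # mendipite.exe
    "001e9bd6b2aebb2b089ceb8ebe1488c66765c10d365ceffa77d67cedecea8c33",  # decoded pg20.exe
}

# Assumed (constructed) proxy-log format: "<client> <METHOD> <url> [sha256=<hash>]"
LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+)(?: sha256=([0-9a-f]{64}))?$")


def classify(line):
    """Return the reasons a single log line matches the report's indicators."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    client, method, url, sha = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    # Stage-one downloads from the compromised web directory.
    if host == STAGING_HOST and parts.path.startswith(STAGING_PREFIX):
        hits.append("staging host: " + parts.path)
    # Post-infection C2 beacons; record which query parameters were present.
    if host == C2_IP and parts.path in C2_PATHS:
        qs = parse_qs(parts.query, keep_blank_values=True)
        hits.append(f"c2 {method} {parts.path} params={sorted(qs)}")
    # Hash of the fetched body, where the proxy records one.
    if sha in KNOWN_HASHES:
        hits.append("known hash: " + sha[:12])
    return hits


def scan(lines):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    return [(ln, classify(ln)) for ln in lines if classify(ln)]


# Constructed sample log: two benign lines, three lines matching the report.
SAMPLE_LOG = [
    "10.0.0.5 GET https://example.com/index.php?id=1",
    "10.0.0.5 GET https://saidecommunity.org/assets/js/mendipite.exe sha256=97b7cf5bf4cadde3bd8745e3347bb9707a43cb816f21a062eaf3010b6768a551",
    "10.0.0.5 POST http://195.123.218.40/fougade.php",
    "10.0.0.5 GET http://195.123.218.40/index.php?id=&subid=",
    "10.0.0.7 GET https://example.org/assets/js/app.js",
]
```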

Read more: https://www.hendryadrian.com/koi-loader-stealer/