2024-04-04 (THURSDAY) KOI LOADER/STEALER ACTIVITY

REFERENCES:

NOTES:

  • Based on the date of these zip archives, this wave started on 2024-04-02

INFECTION CHAIN:

  • zip archive –> Windows shortcut –> traffic to install malware –> post-infection C2

2 EXAMPLES OF ZIP ARCHIVES, MODIFIED:

  • 3e150b3a958f67da3a821e468c3f3f72b4404dfba207158343589eab24c0074a Chase_Bank_Statement_March.zip
  • 69bd5f29178b163082d9114ac996c5fc631700042348c07025905a172910d194 Chase_Bank_Statement_March.zip

2 MALICIOUS WINDOWS SHORTCUTS FROM THE ABOVE ZIP ARCHIVES:

  • 4f1a84d8a870a63bc255303d47f86a604b4233a97a49f4f26fc9b958d94ed24f Chase_Bank_Statement_March.lnk
  • a6b75518b8e82e0990fd3510e803c76afdf56fe205c4bed27b74263f33e74aea Chase_Bank_Statement_March.lnk

URLS/FILES FOR MALWARE INSTALL IN ORDER OF APPEARANCE IN THE TRAFFIC (FROM OPEN DIRECTORY):

  • hxxps[:]//saidecommunity[.]org/assets/js/menkind.php
  • hxxps[:]//saidecommunity[.]org/assets/js/meningina.php
  • hxxps[:]//saidecommunity[.]org/assets/js/agent1.ps1
  • hxxps[:]//saidecommunity[.]org/assets/js/agent3.ps1
  • hxxps[:]//saidecommunity[.]org/assets/js/mendipite.exe
  • hxxps[:]//saidecommunity[.]org/assets/js/sd2.ps1
  • hxxps[:]//saidecommunity[.]org/assets/js/sd4.ps1

FILES FROM THE ABOVE URLS:

  • e1a02fabd6c23c16aa0d95bcffa2578fe008f003a293941e9db426ee4ae30b3a menkind.php
  • 00d029276eff4aa93ef5b736f2cc8e01658d1d9dcabf0356e32248c63c3b0222 meningina.php
  • 8020e944bea4e2c2d8d3a95abd805b68c0627b4e7a7a14812df8e714a9321f45 agent1.ps1
  • c90dda7e0bd8f2947160f8ab3825897df4f2e4a36498ca5016db6db0c7164311 agent3.ps1
  • 97b7cf5bf4cadde3bd8745e3347bb9707a43cb816f21a062eaf3010b6768a551 mendipite.exe
  • cf3727cbc326f0d37c0adf0c1d13e97d6723d767c43236a7fe2a71169ce4e030 sd2.ps1
  • aac338d4f543a930e5f464042d43a616d3ce972aa4568648f981d34664b97709 sd4.ps1

DECODED BINARIES FROM SD2.PS1 AND SD4.PS1:

  • 001e9bd6b2aebb2b089ceb8ebe1488c66765c10d365ceffa77d67cedecea8c33 decoded EXE from sd2.ps1 script (pg20.exe)
  • 5c8186097677ae054afe689a14394b4171fcea8172d419842157de07f2b42fda decoded EXE from sd4.ps1 script (pg40.exe)

POST-INFECTION/C2 TRAFFIC:

  • 195.123.218[.]40 port 80 – 195.123.218[.]40 – POST /fougade.php
  • 195.123.218[.]40 port 80 – 195.123.218[.]40 – GET /index.php?id=&subid=Xtxgn5mh
  • 195.123.218[.]40 port 80 – 195.123.218[.]40 – POST /index.php
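Added example (not part of the original notes): a small Python detection that turns the three post-infection C2 requests above into a check over proxy log lines. The log format (timestamp, client IP, method, full URL, status) and the sample lines are constructed for this example; the host and paths are the page's own indicators, refanged.

```python
import re
from urllib.parse import urlsplit, parse_qs

def refang(s):
    """Turn the defanged notation used in the notes back into a real value."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

# Post-infection C2 indicators from the notes above (IP refanged).
C2_HOST = refang("195.123.218[.]40")
C2_REQUESTS = [
    ("POST", "/fougade.php"),
    ("GET", "/index.php"),    # check-in: /index.php?id=&subid=<value>
    ("POST", "/index.php"),
]

# Constructed proxy log format: ts client method url status (an assumption).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def match_koi_c2(line):
    """Return a hit dict if the log line matches one of the C2 requests, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    if url.hostname != C2_HOST:
        return None
    for method, path in C2_REQUESTS:
        if m["method"] != method or url.path != path:
            continue
        hit = {"ts": m["ts"], "src": m["src"], "method": method, "path": path}
        if method == "GET":
            # The GET check-in carries the bot's subid; require it to avoid generic hits.
            q = parse_qs(url.query, keep_blank_values=True)
            if "subid" not in q:
                continue
            hit["subid"] = q["subid"][0]
        return hit
    return None

def scan(log_text):
    """Scan a block of log lines and return all C2 hits in order."""
    return [h for h in (match_koi_c2(l) for l in log_text.splitlines()) if h]

# Constructed sample log: one infected client (10.0.0.23) plus benign noise.
SAMPLE_LOG = """2024-04-04T14:02:11Z 10.0.0.23 POST http://195.123.218.40/fougade.php 200
2024-04-04T14:02:13Z 10.0.0.23 GET http://195.123.218.40/index.php?id=&subid=Xtxgn5mh 200
2024-04-04T14:02:15Z 10.0.0.23 POST http://195.123.218.40/index.php 200
2024-04-04T14:03:00Z 10.0.0.45 GET http://example.com/index.php?id=1 200
2024-04-04T14:03:05Z 10.0.0.45 GET http://195.123.218.40/robots.txt 404
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```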

“Possible” MITRE Technique and Procedure:

Initial Access

  • T1566 Phishing: The initial delivery of the zip archive via phishing emails. This technique often involves convincing the target to open a malicious attachment or link.
    • T1566.002 Phishing: Spearphishing Attachment: Specifically, when the phishing attempt involves sending a zip file as an attachment to the target.

Execution

  • T1204 User Execution: The user is tricked into executing the malicious content. In this scenario, the user executes the Windows shortcut (.lnk file) extracted from the zip archive.
    • T1204.002 User Execution: Malicious File: Opening the Windows shortcut file directly leads to the execution of the malicious payload.

Defense Evasion

  • T1027 Obfuscated Files or Information: Using a zip archive to hide the true nature of the .lnk file and potentially the final payload to evade detection by security tools.
  • T1140 Deobfuscate/Decode Files or Information: The malicious payload may be obfuscated or encoded within the .lnk file and only decoded/executed upon user interaction.
  • T1036 Masquerading: The Windows shortcut (.lnk) file may masquerade as a legitimate file or link to deceive the user into executing it.

Command and Control

  • T1071 Application Layer Protocol: Malicious traffic generated by the shortcut to download/install further malware. This could involve the use of web protocols for communication with a remote server to fetch additional payloads.
    • T1071.001 Application Layer Protocol: Web Protocols: Utilizing HTTP/HTTPS for communication with the command and control (C2) server to download additional malware components.
  • T1105 Ingress Tool Transfer: After initial execution, the malware downloads additional tools or payloads from a command and control server to the compromised host.