APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

Avatar
The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asyncshell. The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today. Mysterious Elephant, which is also known as

The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asynshell.

The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today.

Mysterious Elephant, which is also known as APT-K-47, is a threat actor of South Asian origin that has been active since at least 2022, primarily targeting Pakistani entities.

The group’s tactics and tooling have been found to share similarities with those of other threat actors operating in the regions, such as SideWinder, Confucius, and Bitter.

In October 2023, the group was linked to a spear-phishing campaign that delivered a backdoor called ORPCBackdoor as part of attacks directed against Pakistan and other countries.

The exact initial access vector employed by Mysterious Elephant in the latest campaign is not known, but it likely involves the use of phishing emails. The method leads to the delivery of a ZIP archive file that contains two files: a CHM file that claims to be about the Hajj policy in 2024 and a hidden executable file.

When the CHM is launched, it’s used to display a decoy document, a legitimate PDF file hosted on the government of Pakistan’s Ministry of Religious Affairs and Interfaith Harmony website, while the binary is stealthily executed in the background.

A relatively straightforward malware, it’s designed to establish a cmd shell with a remote server, with Knownsec 404 identifying functional overlaps with Asyncshell, another tool the threat actor has repeatedly used since the second half of 2023.

As many as four different versions of Asyncshell have been discovered to date, boasting capabilities to execute cmd and PowerShell commands. Initial attack chains distributing the malware have been found to leverage the WinRAR security flaw (CVE-2023-38831, CVSS score: 7.8) to trigger the infection.

Furthermore, subsequent iterations of the malware have transitioned from using TCP to HTTPS for command-and-control (C2) communications, not to mention making use of an updated attack sequence that employs a Visual Basic Script to show the decoy document and launch it by means of a scheduled task.

“It can be seen that APT-K-47 has frequently used Asyncshell to launch attack activities since 2023, and has gradually upgraded the attack chain and payload code,” the Knownsec 404 team said.

“In recent attack activities, this group has cleverly used disguised service requests to control the final shell server address, changing from the fixed C2 of previous versions to the variable C2, which shows the importance APT-k-47 organization internal places on Asyncshell.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

PyPI Attack: ChatGPT, Claude Impersonators Deliver JarkaStealer via Python Libraries

Next Post

RSA Conference to invest $5 million in sandbox contest finalists

Related Posts

OpenAI Blocks 20 Global Malicious Campaigns Using AI for Cybercrime and Disinformation

OpenAI on Wednesday said it has disrupted more than 20 operations and deceptive networks across the world that attempted to use its platform for malicious purposes since the start of the year. This activity encompassed debugging malware, writing articles for websites, generating biographies for social media accounts, and creating AI-generated profile pictures for fake accounts on X. "Threat
Avatar
Read More

Data on nearly 1 million NHS patients leaked online following ransomware attack on London hospitals

People with symptoms of sensitive medical conditions, including cancer and sexually transmitted infections, are among almost a million individuals who had their personal information published online following a ransomware attack that disrupted NHS hospitals in London earlier this year, according to an analysis shared with Recorded Future News.
Siva Ramakrishnan
Read More