APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

### #HajjLures #Asynshell #APT_K47

Summary: The threat actor Mysterious Elephant, also known as APT-K-47, has been utilizing advanced malware called Asynshell in targeted attacks against Pakistani entities, employing Hajj-themed lures to deceive victims. Their tactics include spear-phishing campaigns that deliver malicious payloads disguised as legitimate documents.

Threat Actor: Mysterious Elephant | Mysterious Elephant
Victim: Pakistani entities | Pakistani entities

Key Point :

  • Mysterious Elephant has been active since at least 2022, primarily targeting entities in Pakistan.
  • The group uses Hajj-themed lures to trick victims into executing malicious CHM files.
  • Asynshell malware has multiple versions, capable of executing commands and establishing remote connections.
  • Recent attacks leverage the WinRAR vulnerability (CVE-2023-38831) for initial infection.
  • Malware iterations have shifted from TCP to HTTPS for command-and-control communications.

The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asynshell.

The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today.

Mysterious Elephant, which is also known as APT-K-47, is a threat actor of South Asian origin that has been active since at least 2022, primarily targeting Pakistani entities.

Cybersecurity

The group’s tactics and tooling have been found to share similarities with those of other threat actors operating in the regions, such as SideWinder, Confucius, and Bitter.

In October 2023, the group was linked to a spear-phishing campaign that delivered a backdoor called ORPCBackdoor as part of attacks directed against Pakistan and other countries.

The exact initial access vector employed by Mysterious Elephant in the latest campaign is not known, but it likely involves the use of phishing emails. The method leads to the delivery of a ZIP archive file that contains two files: a CHM file that claims to be about the Hajj policy in 2024 and a hidden executable file.

When the CHM is launched, it’s used to display a decoy document, a legitimate PDF file hosted on the government of Pakistan’s Ministry of Religious Affairs and Interfaith Harmony website, while the binary is stealthily executed in the background.

A relatively straightforward malware, it’s designed to establish a cmd shell with a remote server, with Knownsec 404 identifying functional overlaps with Asyncshell, another tool the threat actor has repeatedly used since the second half of 2023.

As many as four different versions of Asyncshell have been discovered to date, boasting capabilities to execute cmd and PowerShell commands. Initial attack chains distributing the malware have been found to leverage the WinRAR security flaw (CVE-2023-38831, CVSS score: 7.8) to trigger the infection.

Cybersecurity

Furthermore, subsequent iterations of the malware have transitioned from using TCP to HTTPS for command-and-control (C2) communications, not to mention making use of an updated attack sequence that employs a Visual Basic Script to show the decoy document and launch it by means of a scheduled task.

“It can be seen that APT-K-47 has frequently used Asyncshell to launch attack activities since 2023, and has gradually upgraded the attack chain and payload code,” the Knownsec 404 team said.

“In recent attack activities, this group has cleverly used disguised service requests to control the final shell server address, changing from the fixed C2 of previous versions to the variable C2, which shows the importance APT-k-47 organization internal places on Asyncshell.”

Source: https://thehackernews.com/2024/11/apt-k-47-uses-hajj-themed-lures-to.html