APT-K-47 Utilizes Hajj-Related Deception to Distribute Enhanced Asyncshell Malware

November 22, 2024

The South Asian threat actor Mysterious Elephant, also tracked as APT-K-47, has been observed deploying an advanced version of the Asyncshell malware. According to an analysis published by the Knownsec 404 team, the campaign used Hajj-themed lures to trick victims into opening a malicious payload disguised as a Microsoft Compiled HTML Help (CHM) file.

Mysterious Elephant, active since 2022, is known for primarily targeting Pakistani entities. The group's tactics and tools bear resemblances to other regional threat actors such as SideWinder, Confucius, and Bitter. In October 2023, this group was associated with a spear-phishing campaign that delivered the ORPCBackdoor as part of attacks aimed at Pakistan and other nations.

The exact initial access vector used by Mysterious Elephant in the latest campaign remains unclear, but it's likely to involve phishing emails. This leads to the delivery of a ZIP archive file containing two files: a CHM file supposedly about the Hajj policy in 2024, and a hidden executable file. When the CHM file is launched, it displays a decoy document, a legitimate PDF file from the government of Pakistan's Ministry of Religious Affairs and Interfaith Harmony website, while the binary is executed secretly in the background.

The malware, relatively straightforward in design, establishes a cmd shell with a remote server. Knownsec 404 has identified functional similarities with Asyncshell, another tool repeatedly used by the threat actor since the second half of 2023. Up to four different versions of Asyncshell have been identified so far, with capabilities to execute cmd and PowerShell commands. Initial attack chains distributing the malware have been found to exploit the WinRAR security flaw (CVE-2023-38831, CVSS score: 7.8) to initiate the infection.

Moreover, subsequent versions of the malware have shifted from TCP to HTTPS for command-and-control (C2) communications. They also use an updated attack sequence that employs a Visual Basic Script to display the decoy document and launch it via a scheduled task. "It can be seen that APT-K-47 has frequently used Asyncshell to launch attack activities since 2023, and has gradually upgraded the attack chain and payload code," the Knownsec 404 team said. "In recent attack activities, this group has cleverly used disguised service requests to control the final shell server address, changing from the fixed C2 of previous versions to the variable C2, which shows the importance the APT-K-47 organization internally places on Asyncshell."
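The chain described above (hh.exe rendering the CHM while a hidden binary runs, then a VBScript registering a scheduled task) leaves a recognisable parent-child pattern in process-creation telemetry. The following detection logic is an added example written for this article, not code from Knownsec 404; the event field names, file paths and task name are constructed assumptions, not indicators from the report.

```python
"""Constructed process-creation events modelled on the APT-K-47 chain described
above: a CHM opened with hh.exe launches a hidden executable, and a VBScript
later registers a scheduled task. Field names and sample paths are assumptions,
not indicators from the Knownsec 404 report."""
import ntpath

# Script hosts and shells that hh.exe has no routine reason to spawn directly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories a freshly extracted archive or dropper typically writes to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def base(path):
    return ntpath.basename(path).lower()

def chm_suspicious_child(ev):
    """CHM handler launching a script host/shell, or any binary from a user-writable path."""
    if base(ev["parent_image"]) != "hh.exe":
        return False
    image = ev["image"].lower()
    return base(image) in SUSPICIOUS_CHILDREN or any(d in image for d in USER_WRITABLE)

def script_host_schtasks(ev):
    """Script host registering a scheduled task: the persistence step of the later chains."""
    return (base(ev["parent_image"]) in {"wscript.exe", "cscript.exe"}
            and base(ev["image"]) == "schtasks.exe"
            and "/create" in ev["command_line"].lower())

RULES = {"chm_suspicious_child": chm_suspicious_child, "script_host_schtasks": script_host_schtasks}

def detect(events):
    """Return (event_index, rule_name) for every event that matches a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

SAMPLE_EVENTS = [  # constructed telemetry; the hh.exe -> Acrobat event is the benign decoy display
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe",
     "command_line": r'hh.exe "C:\Users\u\Downloads\Hajj_Policy_2024.chm"'},
    {"parent_image": r"C:\Windows\hh.exe", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "command_line": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"parent_image": r"C:\Windows\hh.exe", "image": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
     "command_line": r'AcroRd32.exe "C:\Users\u\AppData\Local\Temp\policy.pdf"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Local\Temp\svc.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['image']}")
```

The decoy-PDF event (hh.exe opening Acrobat) is deliberately left unflagged so the rule does not fire on the legitimate side of the lure; tune USER_WRITABLE to your environment's software-distribution paths before deploying it.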
