The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asynshell.
The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today.
Mysterious Elephant, which is also known as APT-K-47, is a threat actor of South Asian origin that has been active since at least 2022, primarily targeting Pakistani entities.
The group’s tactics and tooling have been found to share similarities with those of other threat actors operating in the regions, such as SideWinder, Confucius, and Bitter.
In October 2023, the group was linked to a spear-phishing campaign that delivered a backdoor called ORPCBackdoor as part of attacks directed against Pakistan and other countries.
The exact initial access vector employed by Mysterious Elephant in the latest campaign is not known, but it likely involves the use of phishing emails. The method leads to the delivery of a ZIP archive file that contains two files: a CHM file that claims to be about the Hajj policy in 2024 and a hidden executable file.
When the CHM is launched, it’s used to display a decoy document, a legitimate PDF file hosted on the government of Pakistan’s Ministry of Religious Affairs and Interfaith Harmony website, while the binary is stealthily executed in the background.
A relatively straightforward malware, it’s designed to establish a cmd shell with a remote server, with Knownsec 404 identifying functional overlaps with Asyncshell, another tool the threat actor has repeatedly used since the second half of 2023.
As many as four different versions of Asyncshell have been discovered to date, boasting capabilities to execute cmd and PowerShell commands. Initial attack chains distributing the malware have been found to leverage the WinRAR security flaw (CVE-2023-38831, CVSS score: 7.8) to trigger the infection.
Furthermore, subsequent iterations of the malware have transitioned from using TCP to HTTPS for command-and-control (C2) communications, not to mention making use of an updated attack sequence that employs a Visual Basic Script to show the decoy document and launch it by means of a scheduled task.
“It can be seen that APT-K-47 has frequently used Asyncshell to launch attack activities since 2023, and has gradually upgraded the attack chain and payload code,” the Knownsec 404 team said.
“In recent attack activities, this group has cleverly used disguised service requests to control the final shell server address, changing from the fixed C2 of previous versions to the variable C2, which shows the importance APT-k-47 organization internal places on Asyncshell.”
