The cyber threat group known as Mysterious Elephant, aka APT-K-47, has been deploying an advanced iteration of the Asyncshell malware via Hajj-themed lures. This tactic involves misleading victims with a seemingly harmless Microsoft Compiled HTML Help (CHM) file as part of a targeted attack strategy.
Threat Actor Background
Mysterious Elephant, identified as a South Asian advanced persistent threat (APT) group, has been active since 2022, predominantly targeting entities within Pakistan. The group shares operational tactics with similar threat actors in the region, such as SideWinder and Bitter.
Recent Campaigns
In a 2023 spear-phishing campaign, Mysterious Elephant was linked to a backdoor named ORPCBackdoor. The latest attack chain likely starts with phishing emails that deliver a ZIP archive containing a CHM file and a concealed executable. The CHM file purports to cover Hajj policy updates for 2024 while covertly executing malicious code.
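A defender-side triage check for the lure pattern described above (a CHM help file packaged together with an executable). This is an added example, not code from the report or from Vault33; the archive it inspects is constructed in memory and is not a sample from the campaign. Members are classified by their leading bytes (the CHM "ITSF" signature and the PE "MZ" header) rather than by file extension, so an executable "concealed" under a harmless-looking name is still recognised; the file names and the idea that the executable hides behind a non-executable extension are assumptions for the illustration.

```python
"""Flag ZIP attachments that pair a CHM file with an executable, judged by file signatures."""
import io
import zipfile

# Well-known file signatures (magic bytes); checked instead of trusting extensions.
CHM_MAGIC = b"ITSF"   # Microsoft Compiled HTML Help container
PE_MAGIC = b"MZ"      # Windows PE executable (DOS header)

EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def classify_member(head: bytes) -> str:
    """Classify a member by its first bytes: 'chm', 'pe' or 'other'."""
    if head.startswith(CHM_MAGIC):
        return "chm"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect every member and report whether the CHM + executable pairing is present.

    'ext_mismatch' marks a PE whose name does not carry an executable extension,
    i.e. an executable concealed behind a harmless-looking file name.
    """
    members = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            kind = classify_member(head)
            ext_mismatch = kind == "pe" and not info.filename.lower().endswith(EXEC_EXTENSIONS)
            members[info.filename] = {"kind": kind, "ext_mismatch": ext_mismatch}
    kinds = {m["kind"] for m in members.values()}
    return {"members": members, "suspicious": "chm" in kinds and "pe" in kinds}


def build_sample_zip() -> bytes:
    """Constructed lookalike archive (assumed names): a CHM plus a PE hidden as 'notes.dat'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hajj_Policy_2024.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 64)
        zf.writestr("notes.dat", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive with no CHM or executable inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text only")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        result = triage_zip(blob)
        print(name, "suspicious" if result["suspicious"] else "clean", result["members"])
```

The check is deliberately narrow: it does not try to parse the CHM itself, only to surface the pairing the report describes so an analyst can pull the archive for closer inspection.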
Malware Functionality
The primary function of the Asyncshell malware is to establish a remote command shell connection. It has been distributed by exploiting the WinRAR vulnerability CVE-2023-38831, and it can execute both cmd and PowerShell commands. Four variants of Asyncshell have been discovered, showing steadily increasing sophistication.
Command-and-Control (C2) Enhancements
Early Asyncshell versions communicated with their C2 server over raw TCP; recent versions have switched to HTTPS for C2 communications. The newer attack chains also use a Visual Basic Script together with scheduled tasks to display a decoy document and execute the payload.
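A detection sketch for the execution chain described above, run over constructed process-creation events. This is an added example, not code from the report or from Vault33, and the events are made up for the illustration rather than taken from real telemetry. Two rules are encoded: the CHM viewer spawning a shell or script host, and a script host (directly or through an intermediate shell) registering a scheduled task. The use of hh.exe as the Windows HTML Help viewer that opens CHM files is an assumption drawn from general Windows knowledge, not from the report.

```python
"""Two process-tree rules for the CHM -> script -> scheduled-task chain, over constructed events."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

CHM_HOST = "hh.exe"                        # assumption: Windows HTML Help viewer
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
MAX_ANCESTOR_HOPS = 4                      # how far up the tree rule 2 looks


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # base name of the executable
    cmdline: str


def ancestors(event: ProcEvent, by_pid: Dict[int, ProcEvent], hops: int) -> Iterator[ProcEvent]:
    """Walk up the parent chain for at most `hops` steps."""
    current = by_pid.get(event.ppid)
    while current is not None and hops > 0:
        yield current
        current = by_pid.get(current.ppid)
        hops -= 1


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        image = e.image.lower()
        cmd = e.cmdline.lower()
        parent = by_pid.get(e.ppid)

        # Rule 1: the CHM viewer directly launches a shell or script host.
        if parent is not None and parent.image.lower() == CHM_HOST and image in SHELLS | SCRIPT_HOSTS:
            findings.append(("chm_spawns_shell", e.pid))

        # Rule 2: schtasks /create with a script host somewhere in the recent ancestry.
        if image == "schtasks.exe" and "/create" in cmd:
            if any(a.image.lower() in SCRIPT_HOSTS for a in ancestors(e, by_pid, MAX_ANCESTOR_HOPS)):
                findings.append(("script_host_creates_task", e.pid))
    return findings


# Constructed events modelling the described chain (paths and task name are placeholders).
SUSPICIOUS_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "hh.exe", r'hh.exe "C:\Users\user\Downloads\Hajj_Policy_2024.chm"'),
    ProcEvent(300, 200, "cmd.exe", r'cmd.exe /c wscript.exe "C:\Users\user\AppData\Local\Temp\run.vbs"'),
    ProcEvent(400, 300, "wscript.exe", r'wscript.exe "C:\Users\user\AppData\Local\Temp\run.vbs"'),
    ProcEvent(500, 400, "schtasks.exe", r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\user\AppData\Local\Temp\payload.exe"'),
]

# Constructed benign activity: an administrator querying tasks from a shell.
BENIGN_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(600, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, "schtasks.exe", "schtasks.exe /query /fo list"),
]

if __name__ == "__main__":
    print("suspicious:", detect(SUSPICIOUS_EVENTS))
    print("benign:", detect(BENIGN_EVENTS))
```

Rule 2 walks the ancestry rather than checking only the direct parent because the script host commonly goes through an intermediate cmd.exe, as the constructed chain shows; tune MAX_ANCESTOR_HOPS to the depth your telemetry actually records.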
Evolving Techniques
Mysterious Elephant has refined its attack methodology since 2023 by using variable C2 server addresses to control the shell, moving away from the fixed C2 configuration used earlier. This adaptation underscores the group's strategic emphasis on developing Asyncshell.
APT-K-47's continuous advances in malware deployment and attack vectors highlight its persistent effort to remain elusive and effective. The group's evolving use of Asyncshell reflects a sophisticated approach to obscuring its operations and improving payload delivery. For more insights into cybersecurity developments, follow Vault33's dedicated channels.