The Mysterious Elephant, a South Asian threat actor also known as APT-K-47, has been observed using an enhanced version of its signature malware, Asyncshell, in its latest attack campaign.
Attack Campaign Details
The group employed Hajj-themed phishing lures, tricking victims into opening a malicious payload masquerading as a Microsoft Compiled HTML Help (CHM) file. Once executed, this CHM file simultaneously displays a legitimate Hajj-related PDF from the Ministry of Religious Affairs and Interfaith Harmony of Pakistan while stealthily running malicious binaries in the background.
Delivery Mechanism
- ZIP Archive: Delivered via phishing emails containing a CHM file and a hidden executable.
- Decoy Document: A legitimate government PDF is used as a cover.
- Malware Execution: Establishes a remote cmd shell for further exploitation.
Asyncshell Malware Evolution
First documented in mid-2023, Asyncshell has undergone multiple upgrades:
- Command Execution: Executes cmd and PowerShell commands.
- C2 Communications: Transitioned from TCP to HTTPS for more secure command-and-control (C2).
- Variable C2 Servers: Replaced fixed C2 addresses with dynamic ones via disguised service requests.
- WinRAR Exploit: Exploits CVE-2023-38831 (CVSS score: 7.8) to initiate infections.
- Improved Delivery Chain: Incorporates Visual Basic Scripts to enhance stealth and automate payload execution through scheduled tasks.
Similarities with Other Threat Actors
Mysterious Elephant shares tactics and tools with South Asian groups like SideWinder, Confucius, and Bitter, suggesting collaboration or overlapping strategies in the region.
Key Targets
The group primarily focuses on Pakistani entities, though its spear-phishing campaign in October 2023 expanded to include other countries, delivering the ORPCBackdoor malware.
Implications of Asyncshell’s Advancements
The group's reliance on Asyncshell, coupled with its consistent upgrades, highlights its importance to their operations. The shift to dynamic C2 addresses demonstrates APT-K-47’s growing sophistication in maintaining stealth and adaptability in cyber campaigns.
Mysterious Elephant’s evolving toolkit and strategic targeting emphasize the need for robust cybersecurity measures. Governments and organizations in the region must remain vigilant against such highly adaptive and persistent threats.