The notorious threat actor dubbed Mysterious Elephant has been spotted leveraging an enhanced variant of malware known as Asynshell.
According to an analysis released by the Knownsec 404 team, the attack campaign employed Hajj-themed baits to deceive targets into running a malicious payload disguised as a Microsoft Compiled HTML Help (CHM) file.
Mysterious Elephant, also identified as APT-K-47, is a threat actor with roots in South Asia, actively targeting entities in Pakistan since at least 2022.
The tactics and tools employed by the group exhibit resemblances to those used by other threat actors in the region, including SideWinder, Confucius, and Bitter.
In a spear-phishing initiative in October 2023, the group was associated with disseminating a backdoor named ORPCBackdoor in attacks directed at Pakistan and other nations.
While the exact entry point used by Mysterious Elephant in the latest campaign remains undisclosed, it likely involves phishing emails leading to the delivery of a ZIP archive containing a CHM file related to the Hajj policy in 2024 and a concealed executable file.
Upon launching the CHM file, a legitimate PDF document about the Hajj policy in 2024 from the Ministry of Religious Affairs and Interfaith Harmony website of Pakistan is displayed, while the binary runs stealthily in the background.
As a relatively simple malware, it aims to create a cmd shell with a remote server, demonstrating functional overlaps with Asyncshell, another tool frequently utilized by the threat actor since mid-2023.
Multiple versions of Asyncshell have been unearthed, capable of executing cmd and PowerShell commands, with initial attack chains exploiting the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) to trigger the infection.
Subsequent iterations of the malware have shifted from TCP to HTTPS for command-and-control (C2) communications, along with an updated attack chain utilizing a Visual Basic Script to present the decoy document and trigger it through a scheduled task.
The Knownsec 404 team remarked, “APT-K-47 has consistently leveraged Asyncshell for attack operations since 2023, progressively enhancing the attack chain and payload code.”
“In recent attacks, the group ingeniously employed disguised service requests to manipulate the final shell server address, moving from fixed C2 in previous versions to variable C2, underscoring the significance the APT-K-47 organization places on Asyncshell.”
