The threat actor tracked as Mysterious Elephant has been observed using an advanced variant of the Asyncshell malware.
Based on reports, the APT group's operation used Hajj-themed lures to trick victims into running a malicious payload disguised as a Microsoft Compiled HTML Help (CHM) file.
The group is also known as APT-K-47. Researchers assess that it originates in South Asia and has been active for about two years, primarily targeting Pakistani institutions.
Investigation revealed that its TTPs overlap with those of other threat actors active in the region, such as Bitter, Confucius, and SideWinder. Last month, the group was tied to a spear-phishing campaign that delivered a backdoor named ORPCBackdoor in attacks against several countries, Pakistan in particular.
Mysterious Elephant likely used phishing emails to distribute its new malware.
The exact infection vector used in the latest campaign has not been confirmed, but researchers believe it is phishing email. The chain delivers a ZIP archive containing two files: a CHM file that purports to describe the Hajj policy for 2024, and an executable with the hidden attribute set so that it is not shown by default.
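A first triage check for this delivery pattern is to look inside the archive itself: a CHM help file packed together with a Windows executable, especially one flagged hidden, is an unusual combination for a legitimate document. The following Python example, added here and not code from the original report or the researchers, inspects a ZIP listing for that pairing. The archive it builds, and the file names `Hajj_Policy_2024.chm` and `~update.exe`, are constructed stand-ins for illustration, not artifacts from the campaign.

```python
"""Triage a ZIP archive for a CHM lure packed next to a (hidden) executable.

Added example, not the original article's code. The sample archive and its
file names are constructed here; they are not artifacts from the campaign.
"""
import io
import zipfile

# MS-DOS file attributes live in the low byte of ZipInfo.external_attr when the
# archive was created on a DOS/Windows host (create_system == 0). Bit 0x02 is
# the "hidden" attribute Explorer honours on extraction.
DOS_HIDDEN = 0x02
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")


def triage_zip(data: bytes) -> dict:
    """Return the CHM files, executables and hidden executables in the archive,
    plus a 'suspicious' verdict when a CHM and an executable travel together."""
    findings = {"chm": [], "executables": [], "hidden_executables": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".chm"):
                findings["chm"].append(info.filename)
            elif name.endswith(EXEC_EXTS):
                findings["executables"].append(info.filename)
                if info.external_attr & DOS_HIDDEN:
                    findings["hidden_executables"].append(info.filename)
    # A hidden executable strengthens the verdict, but any CHM+executable pair
    # in one archive is already worth a closer look.
    findings["suspicious"] = bool(findings["chm"] and findings["executables"])
    return findings


def build_sample_zip(with_exe: bool = True, hidden: bool = True) -> bytes:
    """Construct a stand-in archive (constructed data, not a real sample):
    a CHM with the 'ITSF' magic and, optionally, a hidden PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Hajj_Policy_2024.chm", b"ITSF" + b"\x00" * 28)  # hypothetical name
        if with_exe:
            info = zipfile.ZipInfo("~update.exe")                     # hypothetical name
            info.external_attr = DOS_HIDDEN if hidden else 0           # set DOS hidden bit
            zf.writestr(info, b"MZ" + b"\x00" * 30)                    # PE header stub only
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The DOS attribute bits are only meaningful when `ZipInfo.create_system` is 0 (MS-DOS/Windows); archives built on other hosts store Unix mode bits in the high 16 bits instead, so treat the hidden flag as corroborating evidence rather than the sole trigger.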
The researchers explained that when the CHM file is opened, it displays a decoy document, a legitimate PDF hosted on the website of Pakistan's Ministry of Religious Affairs and Interfaith Harmony, while the hidden executable runs quietly in the background.
That executable is a simple piece of malware that gives the operator a remote cmd shell, but further analysis found that its functionality overlaps with Asyncshell, another tool the threat actor used in the second half of 2023.
Four distinct versions of Asyncshell have been identified, each able to execute cmd and PowerShell commands. The earliest attack chains that distributed the malware exploited a WinRAR vulnerability to start the infection.
Newer iterations have switched from raw TCP to HTTPS for C2 communications. Later variants also use a refined attack sequence in which a Visual Basic Script displays the decoy page and the payload is launched through a scheduled task.
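The execution chain above leaves a recognisable process lineage on the endpoint: the CHM viewer (`hh.exe`) or a script host (`wscript.exe`/`cscript.exe`) spawning a shell, PowerShell, `schtasks.exe`, or a binary dropped in a user-writable directory. The Python example below, added here and not code from the original report, runs that hunt over Sysmon-style process-creation events. The events are constructed inline for illustration and the paths and task names in them are hypothetical, not indicators from the campaign.

```python
"""Hunt process-creation events for the CHM/VBScript execution chain.

Added example, not the original article's code. The events below are
constructed Sysmon-style records; paths and task names are hypothetical.
"""
import json

# Parents that open a CHM lure or run the VBScript stage, and the children an
# attacker typically launches from them.
LURE_PARENTS = {"hh.exe", "wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "schtasks.exe",
                   "mshta.exe", "rundll32.exe"}
# Directories a user (and therefore a lure) can write to without elevation.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    reasons = []
    if parent in LURE_PARENTS:
        if child in LOLBIN_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
        if any(seg in image for seg in USER_WRITABLE):
            reasons.append(f"{parent} launched a binary from a user-writable path")
    # Persistence step: a scheduled task whose action runs a VBScript.
    if child == "schtasks.exe" and "/create" in cmdline and (".vbs" in cmdline or "wscript" in cmdline):
        reasons.append("scheduled task registered to run a VBScript")
    return reasons


def hunt(log_lines) -> list:
    """Parse JSON-lines events and return the suspicious ones with reasons."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append({"ProcessId": event.get("ProcessId"),
                         "Image": event.get("Image"), "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry). Event 1 is the CHM being
# opened, 2 the hidden executable launched from it, 3 the VBScript stage
# registering a scheduled task, 4 ordinary user activity.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\hh.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\hh.exe\" C:\\Users\\alice\\Downloads\\Hajj_Policy_2024.chm"},
    {"ProcessId": 4188, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ParentImage": "C:\\Windows\\hh.exe",
     "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"ProcessId": 4300, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn Updater "
                    "/tr \"wscript.exe C:\\Users\\alice\\AppData\\Roaming\\show.vbs\""},
    {"ProcessId": 4400, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\""},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Opening a CHM by itself (event 1) is deliberately not flagged: help files are common, and the signal comes from what `hh.exe` spawns next. Once the C2 channel moves to HTTPS, network-side detection gets harder, which is why this host-side lineage check is worth keeping alongside any network rule.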