November 22, 2024 at 12:17PM
The Mysterious Elephant threat actor, also known as APT-K-47, is using an advanced piece of malware called Asyncshell in recent attacks targeting Pakistani entities. The group relies on Hajj-themed phishing lures to deliver malicious files, and it has steadily improved its methods and tools since 2023 with a clear focus on evolving the malware.
**Meeting Takeaways – November 22, 2024: Cyber Attack / Malware**
1. **Threat Actor:**
– Known as Mysterious Elephant (also APT-K-47), this group is of South Asian origin and has been active since at least 2022, primarily targeting entities in Pakistan.
2. **Malware Details:**
– The group is currently deploying its latest advanced malware, Asyncshell.
– Victims are lured with Hajj-themed bait into opening a malicious CHM file disguised as legitimate information about the 2024 Hajj policy.
3. **Attack Methodology:**
– The initial access vector is most likely a phishing email delivering a ZIP archive that contains a malicious CHM file and an executable.
– When the CHM file is opened, it displays a legitimate PDF hosted on a Pakistani government site while silently executing malicious code.
4. **Functionality and Features:**
– Asyncshell establishes a command shell that the attackers control from a remote server.
– Four versions of Asyncshell have been identified, all capable of executing cmd and PowerShell commands.
– Recent attacks have moved C2 communications from TCP to HTTPS and added a Visual Basic Script that launches the decoy document.
5. **Vulnerabilities Exploited:**
– The infection chain exploits the WinRAR vulnerability CVE-2023-38831 (CVSS score: 7.8).
6. **Ongoing Evolution:**
– The group has been progressively refining its attack methods and payloads since mid-2023, showing increasing sophistication in its tactics.
7. **Analysis and Observations:**
– The Knownsec 404 team’s analysis highlights a consistent use of Asyncshell by APT-K-47 to conduct attacks, underlining the importance of this tool within the group’s operations.
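As an added, defender-side illustration of items 3 and 5 above (example code, not taken from the report or from Knownsec 404): a small Python triage routine that inspects an e-mailed ZIP archive for a CHM file bundled with an executable, and for the CVE-2023-38831 archive layout in which a file entry and a directory entry share a name ending in a trailing space. The sample archives are constructed in memory with placeholder bytes, and the file names are hypothetical.

```python
import io
import zipfile

# A CHM help file delivered alongside an executable matches the lure described.
CHM_EXT = (".chm",)
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")

def scan_zip(data: bytes) -> dict:
    """Return triage findings for a ZIP archive supplied as bytes."""
    findings = {"chm": [], "executables": [], "cve_2023_38831": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:  # directories also exist implicitly as parents of nested entries
        if "/" in n:
            dirs.add(n.rsplit("/", 1)[0])
    for n in files:
        low = n.rsplit("/", 1)[-1].lower()
        if low.endswith(CHM_EXT):
            findings["chm"].append(n)
        elif low.endswith(EXEC_EXT):
            findings["executables"].append(n)
        # CVE-2023-38831 heuristic: a file and a directory share a name ending in a
        # space; vulnerable WinRAR runs the directory's payload when the file is opened.
        if n.endswith(" ") and n in dirs:
            findings["cve_2023_38831"].append(n)
    return findings

def verdict(findings: dict) -> str:
    if findings["cve_2023_38831"]:
        return "block: WinRAR CVE-2023-38831 structure"
    if findings["chm"] and findings["executables"]:
        return "block: CHM bundled with executable"
    if findings["chm"] or findings["executables"]:
        return "review"
    return "clean"

def build_sample(entries) -> bytes:  # in-memory ZIP from (name, content) pairs
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples holding placeholder bytes only; file names are hypothetical.
LURE_ZIP = build_sample([("Hajj Policy 2024.chm", b"ITSF"), ("update.exe", b"MZ")])
CVE_ZIP = build_sample([("Hajj Policy 2024.pdf ", b"%PDF"),
                        ("Hajj Policy 2024.pdf /Hajj Policy 2024.pdf .cmd", b"rem")])
```

The heuristic only inspects the central directory, so it runs safely on an attachment without extracting anything.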
**Next Steps:**
– Stay updated on emerging threats and strategies used by Mysterious Elephant and other similar threat actors.
– Monitor any further developments related to vulnerabilities and malware enhancements.