Full Report
The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asyncshell. The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today. Mysterious Elephant, which is also known as
Analysis Summary
# Main Topic
A recent cyber espionage campaign attributed to the threat actor Mysterious Elephant (also known as APT-K-47) is actively utilizing Hajj-themed lures to distribute an advanced variant of the **Asyncshell** malware. The campaign primarily targets Pakistani entities.
## Key Points
- The attack involves delivering a ZIP archive containing a malicious Microsoft Compiled HTML Help (CHM) file and a hidden executable payload.
- The CHM file displays a decoy document—a legitimate PDF document hosted on the Government of Pakistan's Ministry of Religious Affairs and Interfaith Harmony website concerning the Hajj Policy 2024—to mislead the user.
- The hidden executable is stealthily executed in the background to establish a remote command shell connection.
- The delivered malware is identified as an advanced version of Asyncshell, which the group has been using since the second half of 2023, capable of executing both CMD and PowerShell commands.
- Previous activity linked to this actor involved spear-phishing campaigns delivering the ORPCBackdoor.
- Initial access is suspected to involve phishing emails.
- The report notes that initial attack chains may have leveraged the WinRAR security flaw CVE-2023-38831.
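The delivery pattern above (a ZIP archive carrying a CHM lure next to an executable marked hidden so the user never notices it) is something mail gateways and triage tooling can check for before the archive reaches a user. The following Python script is an added example written for this summary; it is not code from Knownsec 404 or from the campaign. It inspects a ZIP held in memory, identifies CHM and PE members by their magic bytes (CHM files begin with `ITSF`, Windows executables with `MZ`) rather than trusting extensions, reads the MS-DOS hidden attribute that Windows archivers store in the ZIP entry's external attributes, and flags the combination. The sample archive it builds is constructed for the demonstration and contains only magic-byte stubs, not real files.

```python
import io
import zipfile

# File-type magic: CHM (ITSS/ITOL container) starts with "ITSF"; PE images start with "MZ".
CHM_MAGIC = b"ITSF"
PE_MAGIC = b"MZ"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" attribute bit, kept in the low byte of ZipInfo.external_attr


def _extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_zip(data):
    """Classify every member of a ZIP archive given as bytes and report whether the
    archive matches the CHM-lure-plus-executable pattern described in the summary."""
    report = {"chm": [], "executables": [], "hidden_executables": [], "renamed": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # enough to recognise both magics
            ext = _extension(info.filename)
            hidden = bool(info.external_attr & DOS_HIDDEN)
            is_chm = head.startswith(CHM_MAGIC)
            is_pe = head.startswith(PE_MAGIC)
            if is_chm:
                report["chm"].append(info.filename)
                if ext != ".chm":  # CHM content hiding behind another extension
                    report["renamed"].append(info.filename)
            if is_pe or ext in EXECUTABLE_EXTENSIONS:
                report["executables"].append(info.filename)
                if hidden:
                    report["hidden_executables"].append(info.filename)
                if is_pe and ext not in EXECUTABLE_EXTENSIONS:  # PE content with a harmless-looking name
                    report["renamed"].append(info.filename)
    # The chain on this page: a CHM decoy shipped alongside an executable meant to run unnoticed.
    report["suspicious"] = bool(report["chm"] and report["executables"])
    return report


def build_sample_archive(include_payload=True):
    """Constructed sample archive (not a real malicious file): a CHM-like lure and, optionally,
    a PE-like stub carrying the hidden attribute, as the summary's attack chain describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Hajj_Policy_2024.chm", CHM_MAGIC + b"\x00" * 60)  # lure name is illustrative
        zf.writestr("readme.txt", b"benign text")
        if include_payload:
            stub = zipfile.ZipInfo("update.exe")  # hypothetical payload name
            stub.external_attr = DOS_HIDDEN       # recorded the way a Windows archiver would
            zf.writestr(stub, PE_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_archive()))
    print(triage_zip(build_sample_archive(include_payload=False)))
```

The magic-byte checks matter more than the extension checks: a renamed CHM still opens in the HTML Help viewer when launched, and a renamed PE can still be started by a CHM's embedded script, so an archive filter keyed on extensions alone misses both variants.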
## Threat Actors
- **Primary Actor:** Mysterious Elephant
- **Aliases:** APT-K-47
- **Origin/Activity:** South Asian origin, active since at least 2022.
- **Observed Similarities:** Tactics and tooling show similarities with threat actors such as SideWinder, Confucius, and Bitter.
## TTPs
- **Initial Access:** Highly likely spear-phishing emails leading to the delivery of a ZIP archive.
- **Initial Execution:** Utilizing social engineering via Hajj-themed lures embedded in a CHM file.
- **Defense Evasion/Deception:** Using a legitimate, publicly hosted PDF (Hajj Policy 2024) as a decoy displayed by the CHM file while executing the payload stealthily.
- **Payload Delivery:** Use of CHM files to execute hidden executables.
- **Persistence/C2:** Establishes a command shell connection to a remote server using the Asyncshell implant, which accepts both CMD and PowerShell commands.
- **Vulnerability Exploitation (Potential):** Some attack chains are reported to have leveraged the WinRAR vulnerability CVE-2023-38831 (CVSS 7.8).
## Affected Systems
- **Target Geography:** Pakistani entities.
- **File Types Used:** Microsoft Compiled HTML Help (CHM), ZIP archives.
- **Affected Software (Potential):** WinRAR versions that predate the fix for CVE-2023-38831.
## Mitigations
- Increased scrutiny of unsolicited ZIP archives, especially those containing CHM files.
- Users should verify the legitimacy of documents related to sensitive topics (like Hajj policy) before launching associated files.
- Ensure WinRAR software is fully patched to prevent exploitation of CVE-2023-38831.
- Monitor network traffic for unexpected command shell activity or command-and-control beaconing originating from user workstations.
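The monitoring item above is easiest to act on at the endpoint, where the CHM stage leaves a distinctive process lineage: CHM files are rendered by Microsoft's HTML Help viewer `hh.exe`, so `hh.exe` appearing as the parent (or grandparent) of `cmd.exe`, `powershell.exe`, or a binary running from a user-writable directory is the pattern to alert on. The script below is an added example written for this summary, not detection content from Knownsec 404. It reads process-creation events as JSON lines with Sysmon-style field names (`EventID`, `ProcessGuid`, `ParentProcessGuid`, `Image`, `ParentImage`, `CommandLine`), tracks process ancestry so that a payload started via an intermediate shell is still attributed to the CHM viewer, and assigns a severity. The log lines and GUIDs it processes are constructed for the demonstration.

```python
import json
import ntpath

CHM_VIEWER = "hh.exe"  # Microsoft HTML Help executable that renders CHM files
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _basename(path):
    return ntpath.basename(path).lower()


def analyze_process_events(lines, max_depth=4):
    """Scan JSON-lines process-creation events (Sysmon-style fields, EventID 1) and
    return alerts for processes whose ancestry, up to max_depth levels, includes hh.exe."""
    procs = {}   # ProcessGuid -> (Image, ParentProcessGuid), for ancestry walks
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue  # only process-creation events matter here
        guid, image, parent_guid = ev["ProcessGuid"], ev["Image"], ev["ParentProcessGuid"]
        procs[guid] = (image, parent_guid)

        # Direct parent from the event itself covers the case where hh.exe started before logging began.
        chm_ancestor = _basename(ev.get("ParentImage", "")) == CHM_VIEWER
        anc, depth = parent_guid, 0
        while not chm_ancestor and anc in procs and depth < max_depth:
            anc_image, anc = procs[anc]
            chm_ancestor = _basename(anc_image) == CHM_VIEWER
            depth += 1
        if not chm_ancestor:
            continue

        name, lower = _basename(image), image.lower()
        if any(m in lower for m in USER_WRITABLE_MARKERS):
            severity, reason = "high", "executable in user-writable path descends from CHM viewer"
        elif name in SHELLS:
            severity, reason = "medium", "command shell descends from CHM viewer"
        else:
            severity, reason = "low", "process descends from CHM viewer"
        alerts.append({"guid": guid, "image": image, "severity": severity, "reason": reason,
                       "command_line": ev.get("CommandLine", "")})
    return alerts


def sample_log_lines():
    """Constructed events (hypothetical GUIDs, paths and file names) modelling the chain on this page:
    the viewer opens the lure, launches cmd.exe, which starts a dropped executable from Temp."""
    events = [
        {"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
         "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\Hajj_Policy_2024.chm'},
        {"EventID": 1, "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
         "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
         "CommandLine": "cmd.exe /c update.exe"},
        {"EventID": 1, "ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}",
         "Image": r"C:\Users\u\AppData\Local\Temp\update.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
         "CommandLine": "update.exe"},
        {"EventID": 1, "ProcessGuid": "{B1}", "ParentProcessGuid": "{00}",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
        {"EventID": 3, "ProcessGuid": "{A3}", "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
         "DestinationPort": 443},  # network event: ignored by this rule
    ]
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for alert in analyze_process_events(sample_log_lines()):
        print(alert["severity"], alert["image"], "-", alert["reason"])
```

The ancestry walk is what distinguishes this from a plain parent/child rule: the dropped executable in the sample is a grandchild of `hh.exe`, so a rule keyed only on `ParentImage` would see `cmd.exe` as its parent and miss it. The interactive PowerShell session started from Explorer is not flagged, which keeps the rule from paging on ordinary administrative use.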
## Conclusion
The deployment of an advanced Asyncshell variant via culturally relevant lures against Pakistani targets indicates a sophisticated and ongoing espionage effort by APT-K-47. Organizations in the region should immediately enhance email filtering for suspicious attachments and ensure endpoints are hardened against CHM-based execution and known archive extraction vulnerabilities.