Attackers are targeting victims with Hajj-themed lures to deliver a malicious payload disguised as a legitimate-looking document. The threat actor, identified as Mysterious Elephant, has been observed using an advanced version of a malware family called Asyncshell. The lure, presented under a Hajj theme, is a Microsoft Compiled HTML Help (CHM) file, and victims are tricked into opening it, which in turn executes the malicious payload. The malware's primary function is establishing a command shell connection with a remote server. Researchers have identified four distinct versions of Asyncshell since its initial deployment in late 2023.
The threat actor, Mysterious Elephant, also known as APT-K-47, is a threat actor of South Asian origin that primarily focuses on Pakistan. The group was also behind a spear-phishing attack in October 2023 that delivered a backdoor and, again, targeted Pakistan.
The exploitation starts with a phishing email carrying a ZIP archive that holds two attachments: a CHM file that claims to describe the Hajj policy for 2024, and a hidden executable file. When the CHM is launched, it displays a decoy document, a legitimate PDF file hosted on the website of the government of Pakistan's Ministry of Religious Affairs and Interfaith Harmony, while the binary is stealthily executed in the background and ultimately opens a cmd shell to the attacker. Initial attack chains distributing the malware have been found to leverage the WinRAR security flaw (CVE-2023-38831, CVSS score: 7.8) to trigger the infection.
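The archive layout described above (a CHM lure packed together with a hidden executable, and the CVE-2023-38831 shape in which a top-level file and a directory share the same name so that WinRAR runs the script inside the directory instead of opening the file) can be triaged before delivery reaches a user. The Python below is an added example for mail-gateway or sandbox triage, not code from the researchers' report; the file names and the in-memory archives are constructed for illustration, and the hidden-flag check relies on the MS-DOS attribute byte that Windows-created archives keep in the low byte of each entry's external_attr.

```python
"""Heuristic triage of ZIP attachments for CHM-plus-executable lures and the
CVE-2023-38831 same-name file/directory layout. All sample data is constructed."""
import io
import zipfile
from pathlib import PurePosixPath

EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".dll", ".msi"}
DOS_HIDDEN = 0x02  # MS-DOS "hidden" attribute bit stored in the low byte of external_attr


def analyze_zip(data: bytes) -> list[str]:
    """Return finding tags for an in-memory ZIP archive (empty list means nothing suspicious)."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()

    files = [i for i in infos if not i.is_dir()]
    dirs = {i.filename.rstrip("/") for i in infos if i.is_dir()}
    # Directories that exist only implicitly, via nested entry paths
    for i in files:
        parts = PurePosixPath(i.filename).parts
        for k in range(1, len(parts)):
            dirs.add("/".join(parts[:k]))

    exts = {PurePosixPath(i.filename).suffix.lower() for i in files}
    executables = [i for i in files if PurePosixPath(i.filename).suffix.lower() in EXEC_EXTS]

    if ".chm" in exts:
        findings.append("chm_in_archive")
    if ".chm" in exts and executables:
        findings.append("chm_with_executable")
    if any((i.external_attr & 0xFF) & DOS_HIDDEN for i in executables):
        findings.append("hidden_executable")
    # CVE-2023-38831 shape: a top-level file and a top-level directory with the same
    # name (the public cases differ only by a trailing space, hence rstrip()).
    top_files = {i.filename.rstrip() for i in files if "/" not in i.filename}
    top_dirs = {d.rstrip() for d in dirs if "/" not in d}
    if top_files & top_dirs:
        findings.append("cve_2023_38831_pattern")
    return findings


def build_sample(hidden: bool, same_name_dir: bool) -> bytes:
    """Construct a synthetic lure archive in memory (hypothetical names, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hajj_Policy_2024.chm", b"ITSF" + b"\x00" * 16)  # fake CHM header bytes
        zi = zipfile.ZipInfo("updater.exe")
        zi.external_attr = DOS_HIDDEN if hidden else 0  # hidden attribute on the dropper
        zf.writestr(zi, b"MZ" + b"\x00" * 16)
        if same_name_dir:
            zf.writestr("notice.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("notice.pdf /notice.pdf .cmd", b"echo constructed\r\n")
    return buf.getvalue()


def build_benign() -> bytes:
    """Construct a harmless archive with a single PDF for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("itinerary.pdf", b"%PDF-1.4 benign")
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_zip(build_sample(hidden=True, same_name_dir=True)))
    print(analyze_zip(build_benign()))
```

The same-name check is the most specific signal; a CHM alone is common in legitimate help bundles, so in a real pipeline only the combined tags (chm_with_executable, hidden_executable, cve_2023_38831_pattern) would justify quarantine rather than a warning.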
The group has been constantly upgrading its toolset and clearing its attack traces, which makes it more threatening. It has cleverly used disguised service requests to control the final shell server address, moving from the fixed C2 of previous versions to a variable C2, which shows the importance APT-K-47 internally places on Asyncshell.