Mysterious Elephant Utilizes Hajj-Inspired Bait in Its Attacks

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Geo Focus: Asia

Group Deploys Upgraded Malware Disguised as Microsoft File on Pilgrimage Goers

Pilgrims on the Hajj journey in Mina, Saudi Arabia (Image: Shutterstock)

A South Asian threat group tracked as Mysterious Elephant, and by the Knownsec 404 security research team as APT-K-47, has recently been observed using a Hajj-themed social engineering lure. The lure is designed to trick victims into opening a malicious payload disguised as a legitimate Windows file. The campaign shows the group timing its attacks to significant cultural events.

According to the Knownsec 404 report, Mysterious Elephant used the annual Islamic pilgrimage to Mecca as bait, targeting in particular people planning to attend. The payload is an upgraded variant of the Asyncshell malware, packaged with a Microsoft Compiled HTML Help (CHM) file that serves as the trustworthy-looking lure.

Since its activities came to light in 2022, the group has primarily targeted individuals in Pakistan. Its tactics resemble those of other regional threat actors such as SideWinder, Confucius, and Bitter, an overlap that suggests these South Asian groups may share tools and techniques.

The initial access method used in this campaign has not been confirmed, although the group's previous intrusions relied on phishing emails. In the latest campaign, victims receive a ZIP archive containing a CHM file that claims to describe the "Hajj policy for 2024", together with a hidden executable. Opening the CHM file displays a genuine PDF from Pakistan's Ministry of Religious Affairs as a decoy while the hidden executable launches a command shell on the victim's system, giving the attackers a persistent connection.

Recent analysis has identified at least four Asyncshell variants, each able to run commands through the Windows command interpreter (cmd.exe) and PowerShell. The group has also delivered Asyncshell by exploiting CVE-2023-38831 (CVSS score 7.8), a WinRAR flaw patched in version 6.23 that causes the archiver to run a script stored in a folder sharing the decoy document's name when the user opens that decoy from the archive. The effect is the same as in the CHM campaign: the victim sees a harmless-looking document while an executable runs in the background.
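Both packaging patterns described above, the CHM lure travelling with a hidden executable and the CVE-2023-38831 same-name file-and-folder layout, can be triaged from the ZIP directory alone, before anything is opened in WinRAR. The following is an added Python example written for this article; it is not code from Knownsec 404 or from the actor's tooling. The archives, file names and file contents are constructed for the demonstration, and the hidden-file check relies on the MS-DOS attribute byte that Windows archivers store in each ZIP entry's external attributes.

```python
import io
import zipfile

EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")
DOC_EXTS = (".pdf", ".doc", ".docx", ".jpg", ".png", ".txt")
FILE_ATTRIBUTE_HIDDEN = 0x02  # MS-DOS attribute bit kept in the low byte of external_attr


def scan_zip(blob: bytes) -> list:
    """Return findings for the ZIP bytes in `blob` (empty list if nothing suspicious)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        # First two bytes of each member: "MZ" marks a PE regardless of extension.
        heads = {i.filename: zf.open(i).read(2) for i in infos}

    file_names = {i.filename for i in infos}
    execs = [i for i in infos
             if i.filename.lower().rstrip().endswith(EXEC_EXTS) or heads[i.filename] == b"MZ"]
    chms = [i.filename for i in infos if i.filename.lower().endswith(".chm")]

    # Pattern 1 (Hajj lure): a CHM help file shipped together with an executable,
    # flagged more strongly when the executable carries the hidden attribute.
    if chms and execs:
        hidden = [i.filename for i in execs if i.external_attr & FILE_ATTRIBUTE_HIDDEN]
        tag = "chm_with_hidden_exe" if hidden else "chm_with_exe"
        findings.append(f"{tag}: {chms} alongside {[i.filename for i in execs]}")

    # Pattern 2 (CVE-2023-38831): a decoy document and a directory with the very same
    # name, the directory holding the script vulnerable WinRAR runs when the decoy is opened.
    for i in execs:
        parent, sep, _ = i.filename.rpartition("/")
        if sep and parent in file_names and parent.rstrip().lower().endswith(DOC_EXTS):
            findings.append(f"cve_2023_38831_layout: {parent!r} shadows {i.filename!r}")
    return findings


def _entry(name: str, data: bytes, hidden: bool = False):
    """ZipInfo with the MS-DOS attribute byte set the way a Windows archiver would."""
    info = zipfile.ZipInfo(name)
    info.external_attr = (0o644 << 16) | (FILE_ATTRIBUTE_HIDDEN if hidden else 0)
    return info, data


def build_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for info, data in entries:
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed samples: file names and contents are invented, not taken from the campaign.
def sample_chm_lure() -> bytes:
    return build_zip([
        _entry("Hajj Policy 2024.chm", b"ITSF" + bytes(60)),             # CHM magic
        _entry("Hajj Policy 2024.exe", b"MZ" + bytes(60), hidden=True),  # hidden PE stub
    ])


def sample_cve_layout() -> bytes:
    decoy = "Hajj Policy 2024.pdf "  # trailing space, as in the public exploit archives
    return build_zip([
        _entry(decoy, b"%PDF-1.4\n"),
        _entry(decoy + "/" + decoy + ".cmd", b"@echo off\r\n"),
    ])


def sample_benign() -> bytes:
    return build_zip([_entry("Hajj Policy 2024.pdf", b"%PDF-1.4\n")])


if __name__ == "__main__":
    for label, blob in (("lure", sample_chm_lure()),
                        ("cve", sample_cve_layout()),
                        ("benign", sample_benign())):
        print(label, scan_zip(blob) or "clean")
```

The same-name check does not depend on the trailing space; a file entry and a directory entry that share an exact name cannot coexist on a normal filesystem, so their presence in one archive is the signal, and the trailing space is simply how the public exploit archives achieved it.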

The latest iteration, Asyncshell-v4, tightens obfuscation by encoding strings with a variant Base64 algorithm and disguising command-and-control traffic as ordinary web requests. It also removes large amounts of log output, which complicates detection and analysis by security tooling.
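The string obfuscation attributed to Asyncshell-v4 is a Base64 variant, which in practice usually means the standard alphabet replaced by a permuted one. The following added Python illustration, written for this article and not taken from the actor's or Knownsec's code, shows how an analyst decodes such strings once the table has been lifted from the sample's decoding routine. The page does not give Asyncshell's actual alphabet, so the rotated table below is invented, and the encoded sample strings are constructed.

```python
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Invented permutation standing in for the sample's real table (a rotation by 13
# positions); the real one has to be recovered from the decoder in the binary.
VARIANT_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def variant_b64encode(data: bytes, alphabet: str = VARIANT_ALPHABET) -> str:
    """Standard Base64, then remap each symbol into the custom alphabet."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def variant_b64decode(text: str, alphabet: str = VARIANT_ALPHABET) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct symbols and must not contain '='")
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def recover_strings(blobs, alphabet: str = VARIANT_ALPHABET) -> list:
    """Run the variant decoder over candidate strings carved from a sample and keep
    the ones that decode to printable ASCII; candidates that fail to decode are skipped."""
    out = []
    for blob in blobs:
        try:
            data = variant_b64decode(blob, alphabet)
        except (ValueError, binascii.Error):
            continue
        if data and all(32 <= b < 127 for b in data):
            out.append(data.decode("ascii"))
    return out


# Constructed sample: command strings an analyst might carve from a decrypted
# configuration, encoded with the invented alphabet above.
SAMPLE_STRINGS = [variant_b64encode(s)
                  for s in (b"cmd.exe /c whoami", b"powershell -ep bypass")]

if __name__ == "__main__":
    print(SAMPLE_STRINGS)
    print(recover_strings(SAMPLE_STRINGS))
```

Because the transformation is a pure symbol substitution, a standard Base64 decoder applied to the obfuscated strings returns garbage rather than an error, which is why automated string extractors miss them until the alphabet is known.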

Mysterious Elephant, which Knownsec tracks as APT-K-47, is assessed to operate from South Asia and has targeted organizations in Pakistan, Bangladesh, and Turkey. The steady evolution of its tooling, such as the dynamic decryption of configuration files introduced in Asyncshell-v3, shows a sustained investment in evading detection.

Overall, the Knownsec report indicates that Asyncshell is only one of several tools at the group's disposal. Others in its arsenal, including ORPCBackdoor, walkershell, MSMQSPY, and LastopenSpy, point to a diverse cyberespionage toolkit that poses a significant risk to targeted organizations across the region.
