APT-K-47 Group Linked to Sophisticated Cyber Attack Campaign
Quick take - The Knownsec 404 Advanced Threat Intelligence team has reported on a sophisticated attack campaign attributed to the APT-K-47 organization, which has been active since at least 2022 and employs social engineering tactics related to “Hajj” to execute advanced malware and establish command and control connections.
Fast Facts
- The Knownsec 404 Advanced Threat Intelligence team has identified a sophisticated attack campaign by the APT-K-47 group, also known as Mysterious Elephant, active since at least 2022 and believed to originate from South Asia.
- APT-K-47 employs social engineering tactics, using the topic of “Hajj” to lure victims, with initial attacks involving a zip file containing an encrypted RAR archive and a decoy CHM file that executes a malicious payload.
- The group has developed a framework called Asyncshell, with four versions released, each enhancing capabilities and stealth, including support for cmd and PowerShell commands and transitioning communication to HTTPS.
- The latest version, Asyncshell-v4, features advanced evasion techniques, such as disguising C2 communications and removing log messages to avoid detection.
- The Knownsec team is actively monitoring APT-K-47’s evolving tactics and tools, encouraging collaboration with interested parties to address the threat.
APT-K-47 Attack Campaign Reported by Knownsec 404
Overview of APT-K-47
The Knownsec 404 Advanced Threat Intelligence team has reported a sophisticated attack campaign attributed to the APT-K-47 organization, also known as Mysterious Elephant. This group has been active since at least 2022 and is believed to have originated in South Asia. APT-K-47 is linked to other advanced persistent threat (APT) groups in the region, including Sidewinder, Confucius, and Bitter.
Attack Methodology
The attack campaign utilizes the topic of “Hajj” as a social engineering lure. The initial entry point involved a zip file containing an encrypted RAR archive and a text file with the decryption password. The RAR archive held a Compiled HTML (CHM) file alongside a hidden Portable Executable (PE) file. The CHM file serves as a decoy document related to religious matters concerning Hajj, while it silently executes a payload named “Policy_Formulation_Committee.exe.”
This executable employs a special algorithm to decrypt a disguised server address, establishing a connection to a command and control (C2) server that ultimately provides command shell functionality. The server responds with data formatted in JSON, which is decoded to facilitate the final shell connection. The cmd shell functionality is encapsulated within a class named “MagicFunctions” and a specific function dubbed “GraciousMagic.”
Asyncshell Framework Versions
APT-K-47 has demonstrated an ongoing pattern of enhancing its attack methods and tools, particularly through the use of a framework known as Asyncshell. The Knownsec team has categorized Asyncshell into four distinct versions, each reflecting significant updates and changes in their capabilities.
- Asyncshell-v1: Discovered in January 2024, this version exploits the CVE-2023-38831 vulnerability and supports both cmd and PowerShell commands.
- Asyncshell-v2: Identified in April 2024, this iteration transitioned communication from TCP to HTTPS, enhancing its stealth and security.
- Asyncshell-v3: Captured in July 2024, this version introduced a new attack chain that involved a zip file, a VBS script, and a scheduled task executing “cal.exe.” The final payload in this version is obfuscated using ConfuserEx and decrypts a file named “SysConfig.enc.”
- Asyncshell-v4: The latest version includes advanced features such as string hiding through a base64 variant algorithm, disguising C2 communications as normal web service requests, and the removal of numerous log messages to avoid detection.
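The two delivery chains described above (the decoy CHM silently launching “Policy_Formulation_Committee.exe” in the Hajj-themed campaign, and the VBS script plus scheduled task running “cal.exe” in Asyncshell-v3) both leave a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the Knownsec report or from the attackers' tooling. It assumes the CHM decoy is opened by hh.exe (the built-in Windows Compiled HTML Help viewer), that the VBS stage runs under wscript.exe or cscript.exe, and that the task is registered with schtasks.exe; the page names only the CHM file, the VBS script and the scheduled task. The event records are constructed for the example and modelled loosely on Sysmon Event ID 1 fields.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption (not stated on the page): the CHM decoy is rendered by hh.exe and
# the VBS stage runs under a Windows script host.
CHM_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Match "cal.exe" as a whole file name, so that e.g. "local.exe" does not hit.
CAL_EXE = re.compile(r"(?<![a-z0-9_])cal\.exe\b")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, modelled on Sysmon Event ID 1 fields."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for events matching either chain."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        parent = basename(ev.parent_image)
        child = basename(ev.image)
        cmd = ev.command_line.lower()

        # Chain 1: the CHM viewer spawning an executable. A help file has no
        # business launching a PE; this is how the decoy CHM runs its payload.
        if parent == CHM_VIEWER and child.endswith(".exe") and child != CHM_VIEWER:
            alerts.append(("chm_spawns_exe", child))

        # Chain 2 (Asyncshell-v3): schtasks.exe creating a task whose action is
        # cal.exe. Flag it regardless of parent, and record when a script host
        # (the VBS stage) is the parent.
        if child == "schtasks.exe" and "/create" in cmd and CAL_EXE.search(cmd):
            origin = "script_host" if parent in SCRIPT_HOSTS else parent
            alerts.append(("schtask_runs_cal", origin))
    return alerts


# Constructed sample telemetry (not real events): two malicious, two benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
                 r'hh.exe "C:\Users\u\Downloads\decoy.chm"'),
    ProcessEvent(r"C:\Windows\hh.exe",
                 r"C:\Users\u\AppData\Local\Temp\Policy_Formulation_Committee.exe",
                 r"Policy_Formulation_Committee.exe"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                 r'/tr "C:\Users\u\AppData\Roaming\cal.exe"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe local.exe.txt"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```

Both rules key on parent/child relationships rather than on the payload file names, so a renamed executable or a differently named task still trips them; the cal.exe check is kept only because the report names it, and a production rule would usually flag any schtasks.exe creation whose action points into a user-writable directory.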
The Knownsec 404 team continues to monitor APT-K-47 closely. They are analyzing its various tools, including ORPCBackdoor, walkershell, Asyncshell, MSMQSPY, and LastopenSpy. Interested parties are encouraged to reach out to the Knownsec team for further discussions regarding this evolving threat landscape.