APT-K-47 Deploys Enhanced Asyncshell to Exploit Vulnerabilities

Threat Group: Mysterious Elephant (APT-K-47)
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: WinRAR Vulnerability (CVE-2023-38831)
Malware Used: Asyncshell (versions 1 through 4), ORPCBackdoor, MSMQSPY
Threat Score: High (8.5/10) — Due to its targeted approach, advanced obfuscation techniques, and evolving attack vectors.
Last Threat Observation: November 27,


Overview

APT-K-47, also known as Mysterious Elephant, is a sophisticated South Asian Advanced Persistent Threat (APT) group known for targeting government, religious, and critical infrastructure entities in Pakistan, Bangladesh, and Turkey. Recent campaigns have highlighted their use of Asyncshell-v4, an advanced version of their signature malware tool.

Asyncshell-v4 has introduced new stealth and obfuscation techniques, including Base64 variant encoding, disguised C2 requests, and reduced log visibility, making it more difficult to detect and mitigate. The threat group uses phishing emails with decoy Hajj-themed documents as a lure to initiate their attack chains.

The campaigns are notable for their reliance on social engineering tactics, advanced malware obfuscation, and exploitation of known vulnerabilities such as CVE-2023-38831, demonstrating a methodical approach to infiltrating and compromising high-value targets.


Key Details

  • Delivery Method: Phishing emails containing ZIP archives with CHM files and hidden executables.
  • Targeted Countries: Pakistan, Bangladesh, Turkey.
  • Malware Families: Asyncshell (v1 to v4), ORPCBackdoor, MSMQSPY.
  • Functions:
    • Opens an interactive command shell to the operators' C2 servers.
    • Executes cmd and PowerShell commands.
    • Exfiltrates sensitive data.
    • Maintains persistence via scheduled tasks.
    • Communicates with C2 servers over HTTPS.
  • Obfuscation Techniques: Base64 variant encoding, reduced log visibility, and masqueraded C2 requests.

Attack Vectors

The group employs phishing emails as their primary delivery method. These emails include ZIP archives containing CHM files, which, when opened, display decoy documents while silently executing the malicious payload in the background.

The payload establishes communication with a C2 server, allowing attackers to execute commands, exfiltrate data, and deploy additional malware. Asyncshell-v4 uses advanced techniques to evade detection, including disguising its communication channels and employing obfuscated scripts.

Earlier campaigns also exploited the WinRAR archive-handling flaw CVE-2023-38831 (fixed in WinRAR 6.23). A crafted ZIP contains a benign-looking file and a folder with the same name; when the victim opens the decoy from WinRAR, the executable content in that folder runs instead. The flaw supplies the initial code execution; the lateral movement seen inside compromised environments follows from the shell access the payload gives the operators, not from the vulnerability itself.
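The two archive layouts described above (a CHM lure packaged with a hidden executable, and the CVE-2023-38831 same-name file/folder trick) can be triaged at the mail gateway before anything is opened. The scanner below is an added example and is not code from the original report or from any of the cited sources; the sample archives it builds in memory are constructed placeholders, not APT-K-47 files, and the extension lists are assumptions to tune for your environment.

```python
"""
Triage scanner for lure archives: flags the CVE-2023-38831 WinRAR layout
(a decoy file shadowed by a same-named folder holding a script), a CHM
packaged with an executable, and deceptive file names.
All archives below are constructed in memory for this example.
"""
import io
import zipfile

# Assumption: file types that execute when a Windows user double-clicks them.
EXEC_EXTS = {".exe", ".cmd", ".bat", ".com", ".scr", ".ps1", ".vbs", ".js", ".lnk", ".hta"}


def _basename(name):
    return name.rstrip("/").rsplit("/", 1)[-1]


def _ext(name):
    base = _basename(name)
    dot = base.rfind(".")
    # CVE-2023-38831 lures carry a trailing space ("report.pdf "); strip it
    # so the extension still compares correctly.
    return base[dot:].strip().lower() if dot != -1 else ""


def scan_archive(data):
    """Return a list of (tag, detail) findings for a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]

    # Collect every directory component, including implicit ones that have
    # no explicit "dir/" entry in the central directory.
    dirs = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))

    # Pattern 1: CVE-2023-38831 layout. A top-level file and a folder share
    # the same name and the folder holds executable content.
    for f in files:
        if "/" in f or f not in dirs:
            continue
        payloads = [n for n in files if n.startswith(f + "/") and _ext(n) in EXEC_EXTS]
        if payloads:
            findings.append(("cve-2023-38831", f"{f!r} shadowed by folder containing {payloads}"))

    # Pattern 2: CHM lure packaged with an executable (the delivery described
    # for the Asyncshell campaigns).
    chms = [f for f in files if _ext(f) == ".chm"]
    execs = [f for f in files if _ext(f) in EXEC_EXTS]
    if chms and execs:
        findings.append(("chm-with-executable", f"CHM {chms} alongside {execs}"))

    # Pattern 3: deceptive names: trailing whitespace, or a document extension
    # followed by an executable one ("invoice.pdf.exe").
    for f in files:
        base = _basename(f)
        stem = base.rstrip()
        if base != stem:
            findings.append(("deceptive-filename", f"trailing whitespace in {base!r}"))
        elif _ext(base) in EXEC_EXTS and stem.count(".") >= 2:
            findings.append(("deceptive-filename", f"double extension in {base!r}"))
    return findings


def build_samples():
    """Constructed archives for testing; contents are placeholders, not malware."""
    def make(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
        return buf.getvalue()

    cve_zip = make([
        ("Hajj Guidelines.pdf ", b"%PDF-1.4 decoy"),
        ("Hajj Guidelines.pdf /Hajj Guidelines.pdf .cmd", b"start hidden.exe"),
    ])
    chm_zip = make([
        ("Hajj Guidelines.chm", b"ITSF decoy help file"),
        ("svchost.exe", b"MZ placeholder"),
    ])
    clean_zip = make([("Hajj Guidelines.pdf", b"%PDF-1.4 real document")])
    return {"cve": cve_zip, "chm": chm_zip, "clean": clean_zip}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, scan_archive(blob) or "no findings")
```

The scanner reads only the central directory, so it never extracts or opens anything; run it on attachments at the gateway and quarantine on any finding. Pattern 3 will also fire on legitimate archives with sloppy file names, so treat it as a lower-confidence signal than the first two.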


Evolution of Asyncshell

Asyncshell has undergone significant iterations, with each version enhancing its capabilities:

  • Asyncshell v1: Basic command execution with minimal obfuscation.
  • Asyncshell v2: Added persistence mechanisms and improved obfuscation.
  • Asyncshell v3: Transitioned to HTTPS for C2 communications and incorporated evasion techniques.
  • Asyncshell v4: Introduced a Base64 variant for string encoding, reduced log visibility, and C2 requests disguised as ordinary web resource fetches.

This evolution reflects APT-K-47’s commitment to staying ahead of detection and security measures.


Known Indicators of Compromise (IoCs)

File Hashes (SHA256):

  • 5afa6d4f9d79ab32374f7ec41164a84d2c21a0f00f0b798f7fd40c3dab92d7a8
  • 5488dbae6130ffd0a0840a1cce2b5add22967697c23c924150966eaecebea3c4
  • c914343ac4fa6395f13a885f4cbf207c4f20ce39415b81fd7cfacd0bea0fe093
  • 83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3
  • 97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62

URLs (defanged):

  • hxxp://45.12.253[.]107:222/f[.]txt
  • hxxp://45.12.253[.]107:222/j[.]jpg
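The listed URLs point at a bare IP address on a non-standard port and fetch files named like static text and image resources, which is what "disguised C2 requests" looks like in a proxy log. The script below, an added example that is not part of the original report, refangs the IoCs above, matches them against proxy log lines, and adds a heuristic for the same shape of request from other hosts. The log lines are constructed for this example, not real telemetry; the log format, the port list and the extension list are assumptions to adapt to your own proxy.

```python
"""
Match the defanged URL IoCs against proxy logs and flag requests that share
the disguised-C2 shape: plain HTTP, bare IPv4 host, uncommon port, and a
path that looks like a harmless text or image resource.
The PROXY_LOG lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Defanged URL IoCs as published above.
DEFANGED_URLS = [
    "hxxp://45.12.253[.]107:222/f[.]txt",
    "hxxp://45.12.253[.]107:222/j[.]jpg",
]

# Assumptions: extensions a C2 fetch hides behind, and ports common enough
# that a bare-IP request to them is not by itself suspicious.
DISGUISE_EXTS = {"txt", "jpg", "jpeg", "png", "gif", "ico", "css", "js"}
COMMON_PORTS = {80, 443, 8080, 8443}


def refang(ioc):
    """Turn a defanged indicator back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def defang(url):
    """Defang a URL before it goes into a report or ticket."""
    return url.replace("http", "hxxp").replace(".", "[.]")


KNOWN_URLS = {refang(u) for u in DEFANGED_URLS}

# Assumed key=value proxy log format.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+method=(?P<method>\S+)\s+url=(?P<url>\S+)")


def looks_like_disguised_c2(url):
    """Plain HTTP to a bare IPv4 host on an uncommon port, fetching something
    that looks like a static text/image resource."""
    u = urlsplit(url)
    host = u.hostname or ""
    bare_ip = re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None
    odd_port = u.port is not None and u.port not in COMMON_PORTS
    leaf = u.path.rsplit("/", 1)[-1]
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    return u.scheme == "http" and bare_ip and odd_port and ext in DISGUISE_EXTS


def scan_proxy_log(text):
    """Return one dict per suspicious request: source host, defanged URL, reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        if url in KNOWN_URLS:
            reason = "known-ioc"
        elif looks_like_disguised_c2(url):
            reason = "heuristic"
        else:
            continue
        hits.append({"src": m.group("src"), "url": defang(url), "reason": reason})
    return hits


# Constructed sample log: two exact IoC hits, one heuristic hit, two benign lines.
PROXY_LOG = """\
2024-11-27T10:02:11Z src=10.0.5.23 method=GET url=http://45.12.253.107:222/f.txt status=200 bytes=4120
2024-11-27T10:02:12Z src=10.0.5.23 method=GET url=http://45.12.253.107:222/j.jpg status=200 bytes=281344
2024-11-27T10:03:00Z src=10.0.5.41 method=GET url=https://www.example.com/index.html status=200 bytes=5120
2024-11-27T10:04:09Z src=10.0.5.77 method=GET url=http://198.51.100.9:4443/update.png status=200 bytes=900120
2024-11-27T10:05:30Z src=10.0.5.41 method=GET url=http://203.0.113.5/logo.png status=200 bytes=12000
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```

Exact matches on the published URLs are high confidence; the heuristic is a hunting query rather than a blocking rule, since internal tooling and some CDNs also serve files from bare IPs on odd ports. Note that the last sample line is not flagged: a bare-IP fetch on the default port alone does not meet the pattern.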

Mitigation and Prevention

  • User Awareness: Train employees to recognize phishing emails and avoid opening unknown attachments.
  • Email Filtering: Implement advanced email filtering to detect and block malicious attachments.
  • Endpoint Security: Scan endpoints for the file hashes listed above and review scheduled tasks for unexpected entries, since the malware uses them for persistence.
  • Antivirus Protection: Ensure antivirus solutions can detect and block Asyncshell and related variants.
  • Software Updates: Apply patches promptly, especially for known vulnerabilities like CVE-2023-38831.
  • Network Monitoring: Block the listed URLs at the proxy and alert on plain-HTTP requests to bare IP addresses on non-standard ports that fetch text or image files, the pattern used to disguise Asyncshell-v4 C2 traffic.
  • Two-Factor Authentication (2FA): Enforce 2FA on remote-access and administrative accounts so that credentials harvested from an infected host cannot be reused on their own.

Conclusion

APT-K-47 continues to refine its tactics, techniques, and procedures (TTPs) to maintain a strategic advantage in its cyber campaigns. The group’s use of Asyncshell-v4, coupled with its exploitation of known vulnerabilities and advanced obfuscation techniques, underscores its adaptability and focus on high-value targets in South Asia and the Middle East.

Organizations should prioritize implementing layered defense mechanisms, regular employee awareness training, and proactive monitoring of IoCs to mitigate the risks associated with this evolving threat.


Sources

  1. Medium - Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell
  2. The Hacker News - APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware
  3. AlienVault - Asyncshell IoCs