Summary:
The Knownsec 404 Advanced Threat Intelligence team has tracked the APT-K-47 organization, which has been utilizing an upgraded version of their Asyncshell tool to execute attacks disguised as legitimate activities. The latest variant, Asyncshell-v4, employs advanced techniques to maintain control over compromised systems, showcasing the group's evolving tactics since 2023.
#APT_K47 #Asyncshell #ThreatIntelligence
Keypoints:
- APT-K-47, also known as Mysterious Elephant, has been active since 2022 and primarily targets South Asian countries.
- The group has updated its Asyncshell tool multiple times, with the latest version being Asyncshell-v4.
- Asyncshell-v4 uses base64 encoding to hide strings and disguises C2 requests as normal web service requests.
- The attack campaign was discovered while tracking APT activities related to the topic of "Hajj."
- Previous versions of Asyncshell have been linked to various attack vectors and techniques, including the exploitation of CVE-2023-38831.
- The team has identified a transition from TCP to HTTPS in the communication methods used by Asyncshell.
- Ongoing analysis of APT-K-47's tools includes ORPCBackdoor, walkershell, MSMQSPY, and LastopenSpy.
MITRE Techniques
- Command and Control (T1071): Utilizes disguised service requests to maintain communication with compromised systems.
- Exploitation of Vulnerability (T1203): Exploits vulnerabilities such as CVE-2023-38831 to gain initial access.
- Obfuscated Files or Information (T1027): Employs base64 encoding and other techniques to hide malicious payloads.
- Scheduled Task/Job (T1053): Creates scheduled tasks to execute malicious payloads persistently.
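The key points and the T1027 entry both note that Asyncshell-v4 hides strings with base64 encoding and wraps its C2 traffic in requests that look like ordinary web service calls. A practical triage step for that combination is to pull every base64-looking run out of a captured request or a file and keep only the ones that decode to plausible text. The script below is an added example written for this summary; it is not Knownsec 404's tooling and does not reproduce any Asyncshell internals. The sample HTTP request (`SAMPLE_BLOB`), the header names and the encoded values in it are constructed here for illustration, and the 16-character minimum and 90% printable threshold are assumed tuning values, not figures from the report.

```python
import base64
import re
from typing import List, Tuple

# A base64 "word": a run of base64 alphabet characters of at least 16 characters
# (assumed minimum, short enough to catch hostnames and keys, long enough to
# skip most ordinary words), optionally padded, not glued to other base64 chars.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Assumed plausibility threshold: at least 90% printable ASCII after decoding.
PRINTABLE_RATIO = 0.9


def _looks_like_text(data: bytes) -> bool:
    """Cheap check that decoded bytes are mostly printable ASCII (plus tab/CR/LF)."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= PRINTABLE_RATIO


def find_base64_strings(blob: bytes) -> List[Tuple[bytes, bytes]]:
    """Return (encoded_token, decoded_bytes) for every base64 run in blob that
    decodes cleanly to printable text. Runs that decode to binary noise
    (or that are not valid base64 at all) are dropped."""
    hits: List[Tuple[bytes, bytes]] = []
    for match in B64_RUN.finditer(blob):
        token = match.group(0)
        # Restore padding to a multiple of 4 so unpadded tokens still decode.
        padded = token + b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if _looks_like_text(decoded):
            hits.append((token, decoded))
    return hits


def decoded_strings(blob: bytes) -> List[bytes]:
    """Convenience wrapper: just the decoded payloads, in order of appearance."""
    return [decoded for _, decoded in find_base64_strings(blob)]


# Constructed sample: a fake web request that carries two base64 fields and
# two decoys (a hex-looking token and a run of 'A's) that decode to non-text.
# None of these values come from the report.
SAMPLE_BLOB = (
    b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n"
    b"X-Session: " + base64.b64encode(b"session=1234;interval=30") + b"\r\n"
    b"X-Trace: deadbeefdeadbeefdeadbeef\r\n"
    b"X-Pad: AAAAAAAAAAAAAAAAAAAA\r\n\r\n"
    b"data=" + base64.b64encode(b"https://example.invalid/api/status") + b"\n"
)


if __name__ == "__main__":
    for token, decoded in find_base64_strings(SAMPLE_BLOB):
        print(f"{token.decode()!s:50} -> {decoded!r}")
```

Run it on a saved request body or an extracted configuration blob instead of `SAMPLE_BLOB` to get a quick list of hidden strings; the printable-ratio filter is what keeps hex session IDs and padding runs from flooding the output, and it is the first knob to adjust if a sample encodes compressed or encrypted data rather than plain strings.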
IoC:
- [file hash] 5afa6d4f9d79ab32374f7ec41164a84d2c21a0f00f0b798f7fd40c3dab92d7a85488dbae6130ffd0a0840a1cce2b5add22967697c23c924150966eaecebea3c4c914343ac4fa6395f13a885f4cbf207c4f20ce39415b81fd7cfacd0bea0fe0937
Full Research: https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68