1. Background of the Incident
Recently, during routine APT tracking, the Knownsec 404 Advanced Threat Intelligence Team uncovered an attack campaign orchestrated by the APT-K-47 organization, themed around "Hajj." The attackers leveraged CHM files to execute malicious payloads located in the same directory. The payload in question is simplistic, supporting only the cmd shell, and uses asynchronous programming. Its functionality closely resembles the "Asyncshell" malware, which APT-K-47 has actively deployed from 2023 through early 2024.
Through further analysis, our team observed multiple updates to Asyncshell, culminating in its current version, Asyncshell-v4, which introduces the following enhancements:
- Base64 Variant Encoding: Hides critical strings.
- C2 Disguised as Web Requests: Simulates normal web service traffic.
- Reduced Log Messages: Ensures stealth.
This report highlights the discovery of Asyncshell-v4 and details the version evolution observed during our investigation.
2. Overview
APT-K-47, also referred to as Mysterious Elephant, was first exposed by the Knownsec 404 team [1]. Believed to originate in South Asia, the group's activity dates back to 2022. Analysis of APT-K-47’s tools, strategies, and targets reveals overlapping characteristics with other notable South Asian APT groups, such as Sidewinder, Confucius, and Bitter.
3. Sample Analysis
The initial malicious sample discovered was a zip file containing an encrypted RAR archive and a Password.txt file. Notably, the password-protected archive prevented anti-virus software from inspecting its contents.
3.1 Analysis of "Policy_Formulation_Committee.exe"
- Decoy Document: The CHM file displayed content related to the religious pilgrimage "Hajj."
- Payload Execution: Silent execution of Policy_Formulation_Committee.exe in the same directory.
The executable first decodes a C2 server address hidden with a Base64 variant encoding, then contacts it with a request disguised as a legitimate web service call. The server's response is parsed as JSON to obtain the final C2 endpoint used for cmd shell interaction. Data transmission employs AES encryption for added stealth.
Key Observations:
- C2 Address Concealment: Hidden within legitimate-looking network requests.
- Shell Functionality: Implemented via MagicFunctions class and GraciousMagic function.
4. Asyncshell Version Evolution
The Knownsec 404 team has identified four versions of Asyncshell, summarized below:
Version | Delivery Method | Channel | Encryption | Additional Notes |
---|---|---|---|---|
Asyncshell-v1 | Exploited CVE-2023-38831 | TCP | None | Initial discovery, cmd and PowerShell support. |
Asyncshell-v2 | CHM-based Delivery | HTTPS | Base64 | Introduced HTTPS communication. |
Asyncshell-v3 | LNK & VBS, AES-decrypted C2 | HTTPS | AES | C2 decrypted from file using AES. |
Asyncshell-v4 | CHM, disguised as web requests | HTTPS (Dynamic C2) | AES & Base64 | Latest version, enhanced stealth. |
4.1 Asyncshell-v1 Discovery (January 2024)
The first version of Asyncshell surfaced in January 2024, exploiting CVE-2023-38831. It utilized content relating to civil servant remuneration as bait. The payload supported basic cmd and PowerShell command execution using asynchronous programming.
4.2 CHM-based Execution (March 2024)
By March 2024, the group introduced CHM files to deliver Asyncshell. The malware was embedded in decoy documents to evade detection and entice user interaction.
4.3 Transition to HTTPS (April 2024)
In April 2024, Asyncshell shifted its communication from TCP to HTTPS, improving its ability to bypass network monitoring. Payloads were disguised as decoy files (e.g., PSC meeting minutes), tricking users into execution.
4.4 C2 Decryption from File (July 2024)
The July 2024 variant, Asyncshell-v3, introduced AES-encrypted configuration files to dynamically retrieve C2 server details. The attack chain was significantly updated, with payloads executed via LNK and VBS scripts.
5. Conclusion
APT-K-47’s continued use and development of Asyncshell since 2023 underscores its importance within the group’s attack arsenal. The malware has evolved across multiple versions, with enhancements focusing on:
- Dynamic C2 Communication
- Improved Stealth Mechanisms
- Increased Payload Flexibility
Since the initial disclosure of APT-K-47’s activities in 2023, the Knownsec 404 Advanced Threat Intelligence Team has tracked several tools utilized by the group, including:
- ORPCBackdoor
- Walkershell
- Asyncshell
- MSMQSPY
- LastopenSpy
Reference:
[1] Knownsec 404 Team: APT-K-47 Disclosure
Stay vigilant. Threats evolve, so must we.