
Silent Mirage: APT-K-47's Hajj-Themed Cyber Offensive
Indicators of Compromise
No domains found for this campaign
APT Groups (1)
Summary of Actor:
Mysterious Elephant, also known as APT-K-47, is an advanced persistent threat (APT) group identified in 2023, operating primarily in South Asia. The group has been linked to cyber espionage activities targeting entities in Pakistan, Bangladesh, and Turkey. Their tactics, techniques, and procedures (TTPs) exhibit similarities with other regional threat actors, such as SideWinder, Confucius, and Bitter, yet they maintain distinct operational characteristics.

General Features:
- Geographical Focus: Mysterious Elephant concentrates its operations in South Asia, with a particular emphasis on Pakistani organizations.
- Tactics and Techniques: The group employs spear-phishing campaigns, often utilizing themes relevant to their targets, such as Hajj-related content, to deliver malicious payloads. They have been observed using Microsoft Compiled HTML Help (CHM) files as part of their infection chain.
- Toolset: Mysterious Elephant has developed and deployed various malware families, including Asyncshell and ORPCBackdoor, to establish persistence and conduct espionage activities on compromised systems.

Indicators of Attack (IoAs)
- Phishing Lures
- Malware Delivery
- Exploitation of Vulnerabilities

Recent Activities & Trends
- Advanced Malware Variants: Deployment of upgraded versions of Asyncshell with enhanced obfuscation and command execution capabilities.
- Regional Targeting: Continued focus on South Asian entities, with potential expansion to neighboring regions.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1078-Valid Accounts
Detects:
- Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
- Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.
- Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
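The two checks the T1078 guidance calls out, one account active on several systems at the same time and logons outside business hours, are easy to express once logon and logoff times are paired into sessions. The script below is an added example, not part of this campaign page or of any vendor tooling; the session records, the business-hours window and the after-hours allowlist of service accounts are all constructed assumptions standing in for what a SOC would pull from its logon telemetry.

```python
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample sessions (not real telemetry): user, host, logon time, logoff time.
SESSIONS = [
    ("alice", "WS-01", "2024-05-13T08:55:00", "2024-05-13T17:10:00"),
    ("alice", "WS-01", "2024-05-14T09:02:00", "2024-05-14T17:30:00"),
    ("svc_backup", "SRV-01", "2024-05-13T02:00:00", "2024-05-13T02:20:00"),
    ("bob", "WS-07", "2024-05-13T10:00:00", "2024-05-13T12:00:00"),
    ("bob", "SRV-02", "2024-05-13T11:15:00", "2024-05-13T11:45:00"),  # overlaps bob's WS-07 session
    ("carol", "WS-03", "2024-05-13T23:40:00", "2024-05-14T00:30:00"),  # well after hours
]

# Assumed business-hours window and an assumed allowlist of accounts expected to run at night.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
AFTER_HOURS_ALLOWLIST = {"svc_backup"}


def parse(sessions) -> List[Tuple[str, str, datetime, datetime]]:
    """Convert the ISO timestamps into datetime objects so sessions can be compared."""
    return [(user, host, datetime.fromisoformat(start), datetime.fromisoformat(end))
            for user, host, start, end in sessions]


def concurrent_logons(sessions) -> List[Tuple[str, str, str]]:
    """Return (user, host_a, host_b) whenever one account has overlapping sessions on two hosts."""
    by_user: Dict[str, list] = {}
    for s in parse(sessions):
        by_user.setdefault(s[0], []).append(s)
    hits = []
    for user, items in by_user.items():
        items.sort(key=lambda s: s[2])  # order by logon time
        for i in range(len(items)):
            for j in range(i + 1, len(items)):
                a, b = items[i], items[j]
                # b starts before a ends, and on a different machine: same credential in two places at once
                if a[1] != b[1] and b[2] < a[3]:
                    hits.append((user, a[1], b[1]))
    return hits


def after_hours_logons(sessions) -> List[Tuple[str, str, str]]:
    """Return (user, host, logon_time) for logons outside the business window or on a weekend."""
    hits = []
    for user, host, start, _ in parse(sessions):
        if user in AFTER_HOURS_ALLOWLIST:
            continue
        t = start.time()
        if t < BUSINESS_START or t > BUSINESS_END or start.weekday() >= 5:
            hits.append((user, host, start.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in concurrent_logons(SESSIONS):
        print("concurrent logon:", hit)
    for hit in after_hours_logons(SESSIONS):
        print("after-hours logon:", hit)
```

The overlap test deliberately ignores sessions on the same host, since a user re-authenticating to their own workstation is routine; the allowlist is what keeps scheduled service accounts out of the after-hours report, and it should be reviewed rather than grown silently.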
T1204-User Execution
Detects:
- Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.
  Analytic 1 - Logs showing unexpected user actions triggering unusual processes:
  sourcetype=application_log EventCode=1000 OR EventCode=1001 | search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe") | stats count by application event_description | where event_description IN ("opened document", "clicked link", "executed file")
- Detect commands triggered by users, especially related to decompression tools (e.g., zip files) that may unpack malicious payloads. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.
  Analytic 1 - Command lines showing decompression or decoding actions:
  sourcetype=WinEventLog:Powershell EventCode=4104 | search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe") | stats count by process_name command_line user | where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"
- Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
  Analytic 1 - Containers communicating with unexpected external services:
  sourcetype=container_creation OR sourcetype=container_start | stats count by container_name event_description user | where container_name NOT IN ("") AND event_description IN ("created", "started")
- Monitor for the activation or invocation of a container (e.g., docker start or docker restart).
- Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).
- Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
- Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
- Monitor for the activation or invocation of an instance (e.g., instance.start within GCP Audit Logs).
- Monitor network traffic patterns associated with web-based user actions, such as clicking on phishing links or executing malware that tries to establish C2 communication.
  Analytic 1 - Web-based network connections to suspicious destinations:
  sourcetype=sysmon EventCode=3 | search process_name IN ("winword.exe", "chrome.exe", "firefox.exe") | stats count by src_ip dest_ip dest_port process_name | where dest_ip NOT IN ("")
- Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections, or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).
- Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers that could lead to malicious execution.
  Analytic 1 - Processes created from user interaction with files:
  ((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1)) | search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe") | stats count by parent_process process_name command_line user | where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")
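The last analytic above (a document viewer or browser spawning something other than itself) is the single most useful T1204 check for a lure-driven campaign like this one, and it is worth seeing how it behaves on concrete process-creation records rather than as an SPL pipeline. The script below is an added example and not part of this page or of any vendor product: the Sysmon Event ID 1 records are constructed, the parent set repeats the page's four applications and adds hh.exe (the Windows HTML Help viewer, which is what opens the CHM lures the actor summary mentions; that addition is my assumption), and the high-risk child list is my own choice of script hosts and LOLBins.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 records (not real telemetry); field names follow Sysmon's schema.
EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start "" "C:\Users\u\AppData\Local\Temp\update.exe"',
     "User": r"CORP\alice"},
    {"ParentImage": r"C:\Windows\hh.exe",  # HTML Help viewer, i.e. a CHM file was opened
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA",
     "User": r"CORP\bob"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer",  # browsers spawn themselves constantly
     "User": r"CORP\carol"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "User": r"CORP\dave"},
]

# Parents whose children deserve scrutiny: the page's four applications plus hh.exe (assumption).
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "hh.exe"}
# Children that a document viewer or browser has no ordinary reason to launch (assumed list).
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
                      "wscript.exe", "cscript.exe", "regsvr32.exe", "msiexec.exe"}


def _base(path: str) -> str:
    """Case-insensitive executable name; ntpath handles Windows paths on any host OS."""
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict for a suspicious parent/child pair, or None if the event is benign."""
    parent, child = _base(event["ParentImage"]), _base(event["Image"])
    if parent not in USER_FACING_PARENTS:
        return None
    # Self-spawns (renderer/sandbox processes) and one user app launching another are normal.
    if child == parent or child in USER_FACING_PARENTS:
        return None
    severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
    return {"severity": severity, "parent": parent, "child": child,
            "user": event["User"], "cmd": event["CommandLine"]}


def find_suspicious_children(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply classify() to every record and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in find_suspicious_children(EVENTS):
        print(f"[{alert['severity']}] {alert['user']}: {alert['parent']} -> {alert['child']} :: {alert['cmd']}")
```

Matching on the basename rather than the full path is what makes the rule survive Office being installed under a different directory or the image name being upper-cased, which the page's `parent_process IN (...)` search would miss if the field carries a full path.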
T1053-Scheduled Task/Job
Detects:
- Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for task scheduling commands being executed with unusual parameters:
  index=security (sourcetype="WinEventLog:Security" OR sourcetype="linux_secure" OR sourcetype="macos_secure" OR sourcetype="container_logs") | eval CommandLine = coalesce(CommandLine, process) | where (sourcetype="WinEventLog:Security" AND EventCode IN (4697, 4702, 4698)) OR (sourcetype="linux_secure" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%")) OR (sourcetype="macos_secure" AND (CommandLine LIKE "%launchctl%" OR CommandLine LIKE "%cron%")) OR (sourcetype="container_logs" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%")) | where (sourcetype="WinEventLog:Security" AND (CommandLine LIKE "%/create%" OR CommandLine LIKE "%/delete%" OR CommandLine LIKE "%/change%")) OR (sourcetype="linux_secure" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%-m%" OR CommandLine LIKE "%--env%")) OR (sourcetype="macos_secure" AND (CommandLine LIKE "%/Library/LaunchDaemons%" OR CommandLine LIKE "%/Library/LaunchAgents%" OR CommandLine LIKE "%/System/Library/LaunchDaemons%" OR CommandLine LIKE "%/System/Library/LaunchAgents%")) OR (sourcetype="container_logs" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%--schedule%" OR CommandLine LIKE "%--env%"))
- Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for new container creation events with unusual parameters:
  index=container_logs (sourcetype="docker_events" OR sourcetype="kubernetes_events") | eval event_action=coalesce(action, status) | where (event_action="create" OR event_action="start") | search event_type="container" | search (parameters="--privileged" OR parameters="--cap-add=" OR parameters="--volume=" OR parameters="--network=host" OR parameters="--device")
- Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for new task files with unusual parameters:
  (index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring") | eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS") | search ((platform="Containers" AND (event_type="file_create" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\" OR ObjectName="C:\Windows\Tasks\")) OR (platform="Linux" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/" OR file_path="/Library/LaunchAgents/")))
- Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for task file modifications with unusual parameters:
  (index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring") | eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS") | search ((platform="Containers" AND (event_type="file_modify" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/" OR file_path="/etc/crontab"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\" OR ObjectName="C:\Windows\Tasks\")) OR (platform="Linux" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/" OR file_path="/etc/crontab")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/" OR file_path="/Library/LaunchAgents/")))
- Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Note: below are the relevant events and sources.
  Windows:
  Linux/macOS:
  Containers:
  - Container logs: Detection of scheduled tasks or cron jobs within container environments.
  Analytic 1 - Look for task execution with unusual parameters:
  (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="linux_auditd" OR sourcetype="syslog") | where Image IN ("schtasks.exe", "at.exe", "Taskeng.exe", "cron", "crontab", "systemd-timers")
- Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task, including the command to be executed.
  Analytic 1 - Scheduled Task Execution:
  source="*WinEventLog:Security" EventCode="4698" | where NOT (TaskName IN ("\Microsoft\Windows\UpdateOrchestrator\Reboot", "\Microsoft\Windows\Defrag\ScheduledDefrag")) | search TaskContent="powershell.exe" OR TaskContent="cmd.exe"
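The 4698 analytic above does a substring search on the TaskContent blob, which works but cannot tell the action's Command from its Arguments and misses a path-qualified interpreter written in a different case. Parsing the Task Scheduler XML gives both fields cleanly. The script below is an added example, not code from this page or from Microsoft: the 4698 records are constructed, task_xml() builds a minimal task document in the real schema namespace, the excluded task names are the two from the page's query, and the interpreter list extends the page's powershell.exe/cmd.exe pair with other script hosts as my own assumption.

```python
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

# Task names the page's analytic excludes as routine Windows maintenance tasks.
BENIGN_TASKS = {r"\Microsoft\Windows\UpdateOrchestrator\Reboot",
                r"\Microsoft\Windows\Defrag\ScheduledDefrag"}
# powershell.exe and cmd.exe come from the page's query; the rest are my assumption.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"  # namespace used by real TaskContent


def task_xml(command: str, args: str) -> str:
    """Build a minimal Task Scheduler XML document with one Exec action (constructed sample)."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS}">'
        "<Triggers><CalendarTrigger><StartBoundary>2024-05-13T09:00:00</StartBoundary></CalendarTrigger></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command><Arguments>{escape(args)}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed Security event 4698 records (not real telemetry).
EVENTS: List[Dict[str, object]] = [
    {"EventCode": 4698, "SubjectUserName": "alice", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"EventCode": 4698, "SubjectUserName": "bob", "TaskName": r"\OneDriveSync",
     "TaskContent": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe", "-w hidden -enc SQBFAFgA")},
    {"EventCode": 4698, "SubjectUserName": "carol", "TaskName": r"\Backup\Nightly",
     "TaskContent": task_xml(r"C:\Program Files\Backup\backup.exe", "--full")},
    {"EventCode": 4698, "SubjectUserName": "dave", "TaskName": r"\Updater",
     "TaskContent": task_xml("cmd.exe", r'/c "C:\Users\Public\svc.vbs"')},
]


def parse_exec_actions(task_content: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action, ignoring the XML namespace."""
    root = ET.fromstring(task_content)
    actions = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "Exec":
            continue
        cmd = args = ""
        for child in el:
            name = child.tag.split("}")[-1]
            if name == "Command":
                cmd = (child.text or "").strip()
            elif name == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def triage_4698(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag new tasks whose action runs a script host, skipping the known maintenance tasks."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 4698 or ev["TaskName"] in BENIGN_TASKS:
            continue
        for cmd, args in parse_exec_actions(str(ev["TaskContent"])):
            exe = ntpath.basename(cmd).lower()  # path- and case-insensitive match
            if exe in SCRIPT_HOSTS:
                alerts.append({"task": str(ev["TaskName"]), "user": str(ev["SubjectUserName"]),
                               "exe": exe, "args": args})
    return alerts


if __name__ == "__main__":
    for a in triage_4698(EVENTS):
        print(f"task {a['task']} by {a['user']}: {a['exe']} {a['args']}")
```

Keeping the Arguments field separate is what lets an analyst see at a glance that the flagged PowerShell task runs hidden with an encoded command, which is the detail that turns a "script host in a task" hit into something worth pulling the host for.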
T1071-Application Layer Protocol
Detects:
- Monitor and analyze traffic patterns and packet inspection associated with the protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
- Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).