Silent Mirage: APT-K-47's Hajj-Themed Cyber Offensive

Tags: APT-K-47, Mysterious Elephant, Asyncshell, Hajj-themed phishing, cyber-espionage, South Asia, Pakistan, CHM files, command-and-control, malware evolution
APT-K-47, also known as Mysterious Elephant, has launched a cyber-espionage campaign using Hajj-themed lures to distribute an advanced version of the Asyncshell malware. This operation primarily targets entities in Pakistan, exploiting cultural themes to enhance the effectiveness of their phishing attacks.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Mysterious Elephant

Summary of Actor:
Mysterious Elephant, also known as APT-K-47, is an advanced persistent threat (APT) group identified in 2023, operating primarily in South Asia. The group has been linked to cyber espionage activities targeting entities in Pakistan, Bangladesh, and Turkey. Their tactics, techniques, and procedures (TTPs) exhibit similarities with other regional threat actors, such as SideWinder, Confucius, and Bitter, yet they maintain distinct operational characteristics.

General Features:
  • Geographical Focus: Mysterious Elephant concentrates its operations in South Asia, with a particular emphasis on Pakistani organizations.
  • Tactics and Techniques: The group employs spear-phishing campaigns, often utilizing themes relevant to their targets, such as Hajj-related content, to deliver malicious payloads. They have been observed using Microsoft Compiled HTML Help (CHM) files as part of their infection chain.
  • Toolset: Mysterious Elephant has developed and deployed various malware families, including Asyncshell and ORPCBackdoor, to establish persistence and conduct espionage activities on compromised systems.

Indicators of Attack (IoAs):
  • Phishing Lures
  • Malware Delivery
  • Exploitation of Vulnerabilities

Recent Activities & Trends:
  • Advanced Malware Variants: Deployment of upgraded versions of Asyncshell with enhanced obfuscation and command execution capabilities.
  • Regional Targeting: Continued focus on South Asian entities, with potential expansion to neighboring regions.

Aliases: Mysterious Elephant, APT-K-47

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1078 - Valid Accounts

ID | Data Source | Data Component

DS0028 | Logon Session | Logon Session Creation
Detects: Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

DS0028 | Logon Session | Logon Session Metadata
Detects: Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

DS0002 | User Account | User Account Authentication
Detects: Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.


T1204 - User Execution

ID | Data Source | Data Component

DS0015 | Application Log | Application Log Content
Detects: Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.

Analytic 1 - Logs showing unexpected user actions triggering unusual processes.

sourcetype=application_log EventCode=1000 OR EventCode=1001
| search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe")
| stats count by application event_description
| where event_description IN ("opened document", "clicked link", "executed file")

DS0017 | Command | Command Execution
Detects: Detect commands triggered by users, especially those related to decompression tools (e.g., zip files) that may unpack malicious payloads. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Analytic 1 - Command lines showing decompression or decoding actions.

sourcetype=WinEventLog:Powershell EventCode=4104
| search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe")
| stats count by process_name command_line user
| where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"

DS0032 | Container | Container Creation
Detects: Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Analytic 1 - Containers communicating with unexpected external services.

sourcetype=container_creation OR sourcetype=container_start
| stats count by container_name event_description user
| where container_name NOT IN ("") AND event_description IN ("created", "started")

DS0032 | Container | Container Start
Detects: Monitor for the activation or invocation of a container (e.g., docker start or docker restart).

DS0022 | File | File Creation
Detects: Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

DS0007 | Image | Image Creation
Detects: Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030 | Instance | Instance Creation
Detects: Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030 | Instance | Instance Start
Detects: Monitor for the activation or invocation of an instance (e.g., instance.start within GCP Audit Logs).

DS0029 | Network Traffic | Network Connection Creation
Detects: Monitor network traffic patterns associated with web-based user actions, such as clicking on phishing links or executing malware that tries to establish C2 communication.

Analytic 1 - Web-based network connections to suspicious destinations.

sourcetype=sysmon EventCode=3
| search process_name IN ("winword.exe", "chrome.exe", "firefox.exe")
| stats count by src_ip dest_ip dest_port process_name
| where dest_ip NOT IN ("")

DS0029 | Network Traffic | Network Traffic Content
Detects: Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections, or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009 | Process | Process Creation
Detects: Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers, that could lead to malicious execution.

Analytic 1 - Processes created from user interaction with files.

((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1))
| search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe")
| stats count by parent_process process_name command_line user
| where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")
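The process-creation analytic above, as an added example that is not code from this page or from MITRE, run over constructed Sysmon Event ID 1 / Security 4688 style events. Treating hh.exe (the Windows HTML Help viewer that opens CHM files, the delivery format this campaign uses) as an additional monitored parent is this example's assumption, not part of the page's analytic.

```python
from collections import Counter

# Parent processes named in the page's analytic (user-facing document and browser hosts).
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "chrome.exe", "firefox.exe"}
# Extension for this campaign's CHM lures: hh.exe is the Windows HTML Help viewer that opens
# .chm files. It is not in the page's analytic; including it is this example's assumption.
PARENTS_WITH_CHM_VIEWER = USER_FACING_PARENTS | {"hh.exe"}

# Constructed sample events with Sysmon Event ID 1 / Security 4688 style fields.
SAMPLE_EVENTS = [
    {"EventCode": 1, "user": r"CORP\alice",
     "parent_process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"EventCode": 4688, "user": r"CORP\alice", "parent_process": "chrome.exe",
     "process_name": "chrome.exe", "command_line": "chrome.exe --type=renderer"},
    {"EventCode": 1, "user": r"CORP\alice", "parent_process": "hh.exe",
     "process_name": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\guide.exe"},
    {"EventCode": 1, "user": r"CORP\alice", "parent_process": "explorer.exe",
     "process_name": "winword.exe", "command_line": r"WINWORD.EXE C:\Users\alice\Downloads\Hajj_Guide.docx"},
    {"EventCode": 3, "user": r"CORP\alice", "parent_process": "winword.exe",  # network event, not process creation
     "process_name": "winword.exe", "command_line": ""},
]

def image_name(path):
    """Lower-cased file name of a process image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_user_spawned_processes(events, parents=USER_FACING_PARENTS):
    """Return (parent, child, command_line, user) for process-creation events where a
    monitored parent spawned a child that is not itself a monitored parent, mirroring the
    'search parent_process IN (...)' and 'where process_name NOT IN (...)' clauses."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in (1, 4688):  # only process-creation records
            continue
        parent = image_name(ev["parent_process"])
        child = image_name(ev["process_name"])
        if parent in parents and child not in parents:
            hits.append((parent, child, ev.get("command_line", ""), ev.get("user", "")))
    return hits

def count_by_parent_child(hits):
    """Equivalent of 'stats count by parent_process process_name'."""
    return Counter((parent, child) for parent, child, _, _ in hits)

if __name__ == "__main__":
    for parent, child, cmd, user in flag_user_spawned_processes(SAMPLE_EVENTS, PARENTS_WITH_CHM_VIEWER):
        print(f"{user}: {parent} -> {child}: {cmd}")
```

Note that a browser re-spawning itself (chrome.exe -> chrome.exe) is excluded by the NOT IN clause, so the analytic's noise depends on keeping the parent and child lists aligned.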


T1053 - Scheduled Task/Job

ID | Data Source | Data Component

DS0017 | Command | Command Execution
Detects: Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task scheduling commands being executed with unusual parameters.

index=security (sourcetype="WinEventLog:Security" OR sourcetype="linux_secure" OR sourcetype="macos_secure" OR sourcetype="container_logs")
| eval CommandLine = coalesce(CommandLine, process)
| where (sourcetype="WinEventLog:Security" AND EventCode IN (4697, 4702, 4698))
    OR (sourcetype="linux_secure" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))
    OR (sourcetype="macos_secure" AND (CommandLine LIKE "%launchctl%" OR CommandLine LIKE "%cron%"))
    OR (sourcetype="container_logs" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))
| where (sourcetype="WinEventLog:Security" AND (CommandLine LIKE "%/create%" OR CommandLine LIKE "%/delete%" OR CommandLine LIKE "%/change%"))
    OR (sourcetype="linux_secure" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%-m%" OR CommandLine LIKE "%--env%"))
    OR (sourcetype="macos_secure" AND (CommandLine LIKE "%/Library/LaunchDaemons%" OR CommandLine LIKE "%/Library/LaunchAgents%" OR CommandLine LIKE "%/System/Library/LaunchDaemons%" OR CommandLine LIKE "%/System/Library/LaunchAgents%"))
    OR (sourcetype="container_logs" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%--schedule%" OR CommandLine LIKE "%--env%"))

DS0032 | Container | Container Creation
Detects: Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new container creation events with unusual parameters.

index=container_logs (sourcetype="docker_events" OR sourcetype="kubernetes_events")
| eval event_action=coalesce(action, status)
| where (event_action="create" OR event_action="start")
| search event_type="container"
| search (parameters="--privileged" OR parameters="--cap-add=" OR parameters="--volume=" OR parameters="--network=host" OR parameters="--device")

DS0022 | File | File Creation
Detects: Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new task files with unusual parameters.

(index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="mac_os_events" OR sourcetype="file_monitoring")
| eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")
| search ((platform="Containers" AND event_type="file_create" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*"))
    OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\*" OR ObjectName="C:\Windows\Tasks\*"))
    OR (platform="Linux" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*"))
    OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/*" OR file_path="/Library/LaunchAgents/*")))

DS0022 | File | File Modification
Detects: Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task file modifications with unusual parameters.

(index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="mac_os_events" OR sourcetype="file_monitoring")
| eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")
| search ((platform="Containers" AND event_type="file_modify" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*" OR file_path="/etc/crontab"))
    OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\*" OR ObjectName="C:\Windows\Tasks\*"))
    OR (platform="Linux" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*" OR file_path="/etc/crontab"))
    OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/*" OR file_path="/Library/LaunchAgents/*")))

DS0009 | Process | Process Creation
Detects: Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Note: Below are the relevant events and sources.

Windows:
  • Sysmon Event ID 1: Process creation, particularly for schtasks.exe, at.exe, Taskeng.exe, crontab, etc.
  • Windows Event Log EventCode 4688: Process creation that might involve task scheduling.
  • Windows Task Scheduler Logs: Task creation, modification, or deletion.

Linux/macOS:
  • Auditd logs: Monitoring for cron job creation or modifications.
  • Syslog: Logs related to cron jobs or scheduled tasks.
  • File integrity monitoring (FIM): For changes to /etc/cron, /var/spool/cron/, or user-specific cron jobs.

Containers:
  • Container logs: Detection of scheduled tasks or cron jobs within container environments.

Analytic 1 - Look for task execution with unusual parameters.

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="linux_auditd" OR sourcetype="syslog")
| where Image IN ("schtasks.exe", "at.exe", "Taskeng.exe", "cron", "crontab", "systemd-timers")

DS0003 | Scheduled Job | Scheduled Job Creation
Detects: Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task, including the command to be executed.

Analytic 1 - Scheduled Task Execution

source="*WinEventLog:Security" EventCode="4698"
| where NOT (TaskName IN ("\Microsoft\Windows\UpdateOrchestrator\Reboot", "\Microsoft\Windows\Defrag\ScheduledDefrag"))
| search TaskContent="*powershell.exe*" OR TaskContent="*cmd.exe*"
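The 4698 analytic above, as an added example that is not code from this page or from MITRE: it parses the TaskContent XML blob the text describes, applies the two task-name exclusions, and flags tasks whose action command is powershell.exe or cmd.exe. The sample 4698 records are constructed, and the Task Scheduler XML namespace is the standard one used by task definitions.

```python
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler task-definition XML carried in the 4698 TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# The two task names the page's analytic excludes, and the script hosts it looks for.
BENIGN_TASK_NAMES = {r"\Microsoft\Windows\UpdateOrchestrator\Reboot",
                     r"\Microsoft\Windows\Defrag\ScheduledDefrag"}
SUSPECT_HOSTS = {"powershell.exe", "cmd.exe"}

def make_task_xml(command, arguments):
    """Build a minimal TaskContent blob (constructed test data, not a real task export)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
            f"<Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

def extract_exec_actions(task_content):
    """Return [(command, arguments)] for every <Exec> action in a TaskContent XML blob."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions

def is_suspicious_4698(event):
    """Skip the known-benign task names, then flag a task whose <Command> resolves to
    powershell.exe or cmd.exe; stricter than a substring search over the whole blob."""
    if event["TaskName"] in BENIGN_TASK_NAMES:
        return False
    try:
        actions = extract_exec_actions(event["TaskContent"])
    except ET.ParseError:
        return True  # unparseable TaskContent is itself worth an analyst's look
    for cmd, _args in actions:
        exe = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SUSPECT_HOSTS:
            return True
    return False

# Constructed 4698 records; TaskName and TaskContent are the fields the page names.
SAMPLE_4698 = [
    {"TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Reboot",
     "TaskContent": make_task_xml("cmd.exe", "/c exit")},                # excluded by name
    {"TaskName": r"\Updater",
     "TaskContent": make_task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                  r"-File C:\Users\Public\sync.ps1")},   # flagged
    {"TaskName": r"\NightlyBackup",
     "TaskContent": make_task_xml(r"C:\Tools\backup.exe", "--full")},    # not flagged
    {"TaskName": r"\Broken", "TaskContent": "<Task><Actions>"},          # malformed, flagged
]

def triage(events):
    return [ev["TaskName"] for ev in events if is_suspicious_4698(ev)]
```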


T1071 - Application Layer Protocol

ID | Data Source | Data Component

DS0029 | Network Traffic | Network Traffic Content
Detects: Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).

DS0029 | Network Traffic | Network Traffic Flow
Detects: Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).

Reports & References (1)
