In the dynamic battlefield of cyberspace, the emergence of new Advanced Persistent Threats (APTs) is a relentless challenge. APT-K-47, dubbed "Mysterious Elephant," has recently surfaced in South Asia, particularly targeting Pakistan. This blog post unravels the intricate details of this new APT organization, offering insights into its tactics, techniques, and procedures (TTPs).
The Anatomy of the Attack Chain
The attack chain of APT-K-47, known as "Mysterious Elephant," is a masterclass in precision and stealth. This section dissects the various stages of the attack, from the initial bait to the final strike, providing a comprehensive view of how this new APT organization in South Asia orchestrates its cyber onslaught.
Phishing Email: The Bait
The attack commences with a phishing email containing a CHM file, masquerading as content from the "Russia-China Committee for Friendship, Peace, and Development."
Malicious CHM File: The Hook
The CHM file's malicious component, doc.html, creates a scheduled task running every 15 minutes, downloading and executing a second-order malicious program.
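A defender-side heuristic for the stage just described, written as an added example rather than Knownsec's own tooling: it scans Sysmon-style process-creation events for the Windows help viewer (hh.exe, which renders CHM files) spawning a scheduled-task creation, and extracts the repeat interval so a 15-minute task stands out. The event fields and sample command lines below are constructed; the post does not say how the task is created, so the use of schtasks.exe is an assumption.

```python
"""Flag CHM-viewer-spawned scheduled-task creation in process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (not real telemetry); paths and task names are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc minute /mo 15 /tn "Updater" /tr "C:\\Users\\Public\\stage2.exe" /f'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe"'),
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\notepad.exe", "notepad readme.txt"),
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc daily /tn "Sync" /tr "C:\\Users\\Public\\sync.exe"'),
]

CHM_VIEWER = "hh.exe"


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def schedule_interval_minutes(cmd):
    """Repeat interval in minutes for a schtasks /create command, or None if not a fixed interval."""
    sc = re.search(r"/sc\s+(\w+)", cmd, re.IGNORECASE)
    mo = re.search(r"/mo\s+(\d+)", cmd, re.IGNORECASE)
    if not sc:
        return None
    multiplier = int(mo.group(1)) if mo else 1
    unit = sc.group(1).lower()
    if unit == "minute":
        return multiplier
    if unit == "hourly":
        return 60 * multiplier
    return None  # daily/weekly/onlogon etc. carry no minute interval


def detect(events):
    """Return (event_index, interval_minutes) for each task created by a process spawned from hh.exe."""
    hits = []
    for i, ev in enumerate(events):
        if basename(ev.parent_image) != CHM_VIEWER or basename(ev.image) != "schtasks.exe":
            continue
        if "/create" not in ev.command_line.lower():
            continue
        hits.append((i, schedule_interval_minutes(ev.command_line)))
    return hits


if __name__ == "__main__":
    for idx, interval in detect(SAMPLE_EVENTS):
        print(f"event {idx}: CHM viewer created a scheduled task (interval: {interval} min)")
```

Any hit is worth triage since a help viewer has no business creating tasks; an interval of 15 matches the cadence reported for this campaign.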
Second-Order Attack: The Strike
The second-order MSI file bundles a malicious component, ORPCBackdoor (the "black file"), together with a legitimate Microsoft-signed service executable (the "white file"); the trusted executable is used to launch the backdoor.
Multi-Country Targeting: The Scope
Contrary to initial reports, the attack targets multiple countries, not just Pakistan, as shown both by the content of the phishing file and by Knownsec's cyberspace mapping telemetry.