Attack Details:
– Uses Hajj-themed bait to deceive victims
– Delivers malware through Microsoft CHM files
– Targets primarily Pakistani entities
– Active since 2022
Technical Aspects:
– Attack delivers two files:
1. A CHM file (appearing as 2024 Hajj policy information)
2. A hidden executable
– Shows legitimate Pakistan Ministry document as decoy
– Executes malicious payload in background
– Uses a cmd shell to connect to a remote server
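As an added example, not part of the original summary, the following Python checker flags the CHM-to-shell chain described above in process-creation telemetry. It assumes hh.exe (the Windows HTML Help host that opens CHM files) as the parent of the spawned shell; the event format, sample events and file names are constructed.

```python
"""Flag process-creation events where a shell descends from the CHM host."""
from dataclasses import dataclass

# hh.exe is the Windows HTML Help host that renders CHM files (assumption
# drawn from Windows behaviour, not stated on the page).
CHM_HOST = "hh.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # full path of the executable
    cmdline: str    # command line as recorded by the sensor


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_chm_shell_chains(events):
    """Return (chm_host_event, shell_event) pairs: every shell whose ancestor
    chain, within the supplied events, passes through hh.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        seen = set()
        p = by_pid.get(e.parent_pid)
        while p is not None and p.pid not in seen:   # guard against pid cycles
            seen.add(p.pid)
            if basename(p.image) == CHM_HOST:
                hits.append((p, e))
                break
            p = by_pid.get(p.parent_pid)
    return hits


# Constructed sample telemetry; paths and names are illustrative, not IoCs.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\hh.exe", r'hh.exe "C:\Users\u\Hajj_Policy_2024.chm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    ProcEvent(400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),   # benign, from explorer
    ProcEvent(500, 100, r"C:\Windows\hh.exe", "hh.exe product_help.chm"),  # benign CHM, no shell
]

if __name__ == "__main__":
    for host, shell in find_chm_shell_chains(SAMPLE_EVENTS):
        print(f"ALERT: {basename(host.image)} (pid {host.pid}) -> {shell.cmdline!r}")
```

Only the cmd.exe whose parent is the hh.exe instance that opened the decoy CHM is reported; the shell started from Explorer and the CHM that spawns nothing are not.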
Malware Evolution:
– Four versions of Asyncshell identified
– Capabilities include cmd and PowerShell command execution
– Shifted from TCP to HTTPS for C2 communications
– Exploits WinRAR vulnerability (CVE-2023-38831)
– Implements variable C2 addresses instead of fixed ones
The group shares similarities with other regional threat actors (SideWinder, Confucius, and Bitter) and demonstrates increasing sophistication in its attack methodology and tool development.