Mysterious Elephant emerged in Asia
Abstract
In 2023, we came across an interesting attack campaign targeting government entities in Central Asia. The attacks were delivered via multiple infection vectors, and only after local system reconnaissance had been carried out were the final payloads downloaded and deployed. The final payloads were chosen from a range of RAT families and backdoor modules. Additionally, multiple infostealers and post-exploitation tools were deployed on the victims' machines. However, what made this case interesting was the challenge of attribution. The attacks utilised new versions of known malware families, while the different malware families had previously been associated with separate threat actors such as SideWinder and OrigamiElephant. Moreover, a number of public reports from other research groups had attributed similar malware samples to the Confucius threat actor. At this point, we already had at least three suspected threat actors. During our analysis we realised that the attacks were not delivered by any of those previously known actors, but by a new threat actor that we called MysteriousElephant. Since we first discovered Mysterious Elephant in 2023, the threat actor has remained active. They have expanded their victim profile to multiple new countries, and they have developed new tools and new techniques for their most recent attacks. In this talk, we will learn about the tactics, techniques, and procedures (TTPs) of this relatively new threat actor. We will also discuss the attribution challenges that we faced during the initial investigation of this group. The lessons learned from these challenges can be applied to other threat research cases, as more threat actors are moving away from using their own bespoke tools, which will result in similar challenges in attribution.
Speaker Bio
Noushin Shabab is a lead security researcher in the Global Research & Analysis Team (GReAT) at Kaspersky. Her research focuses on the investigation of advanced targeted attacks, with a particular focus on local threats in the Asia Pacific region. Noushin is very active in the cybersecurity community, where she regularly presents at various security conferences and also delivers technical workshops. Some of her previous conference presentations include Virus Bulletin, Black Hat Asia, AusCERT, SAS, 0xCC, MRE, Ruxcon, Kawaiicon and various BSides events. Noushin has designed and developed malware analysis labs for the new Malware Analysis unit at Swinburne University. She is an industry supervisor at Federation University and has been a guest lecturer at RMIT University, the Melbourne Institute of Technology and the University of Guelph, Canada. Noushin is a Black Hat Arsenal Review Board member and also a member of the Australian Women in Security Network (AWSN).