Community or industry names: Transparent Tribe and C-Major have been associated with this actor.
The May 2018 adversary spotlight is on MYTHIC LEOPARD, a Pakistan-based adversary with operations likely located in Karachi. This adversary uses social engineering and spear phishing to target Indian military and defense entities. Throughout 2016, these actors used custom .NET downloaders to acquire basic system information and download additional payloads to infected hosts. Based on a generally low level of coding complexity, CrowdStrike® assesses this adversary is of below-average technical sophistication.
The CrowdStrike Falcon Intelligence™ team’s tracking of this adversary began in late 2016, when evidence of an attack surfaced against a victim based in India and working in the hospitality sector. The attack used an Excel spreadsheet containing macro code that deployed the previously mentioned simplistic .NET downloader payload. The basic nature of the malicious document and observed coding errors in the downloader payload are the basis for the assessment that this actor demonstrates a low level of technical skill.
MYTHIC LEOPARD was further observed in 2017 developing methods for disguising custom malware implants. Two binder tools — used to disguise custom executables as legitimate Microsoft implants — were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017.
Since April 2018, Falcon Intelligence has observed ongoing targeted intrusion activity using malicious Microsoft Office Excel documents likely associated with the MYTHIC LEOPARD adversary. As part of this campaign, the adversary leveraged generic themes related to administrative, managerial or supervisory matters alongside a unique Visual Basic Script (VBScript) technique used for installation. Falcon Intelligence has observed MYTHIC LEOPARD using this technique for several years to install multiple first-stage implants and downloaders, including the isqlmanager and Waizsar RAT malware families. However, the use of the UPX packer and timestomping techniques has not previously been associated with this adversary and likely indicates an incremental increase in tradecraft and sophistication.
MYTHIC LEOPARD actors have previously used an indigenously produced .NET obfuscation tool to hide malware implants as legitimate tools. The malicious files visual_HD.exe and skypee.exe both attempt to impersonate a legitimate uTorrent executable once installed and running. Both malicious files use a previously identified MYTHIC LEOPARD command-and-control (C2) domain msupdate.servehttp[.]com. MYTHIC LEOPARD has previously reused old C2 domains across medium to long periods of time, despite operational security concerns.
The related decoy document in this attack simply displays a pay scale without any further identifying information. However, the filename (Pay Matrix Projected After 7th CPC (3).xls) suggests that it is related to India’s 7th Central Pay Commission’s recommendations for government salaries. As noted above, India is within the traditional target scope for this adversary.