
Meet CrowdStrike’s Adversary of the Month for May: MYTHIC LEOPARD


Community or industry names: Transparent Tribe and C-Major have been associated with this actor.

The May 2018 adversary spotlight is on MYTHIC LEOPARD, a Pakistan-based adversary with operations likely located in Karachi. This adversary uses social engineering and spear phishing to target Indian military and defense entities. Throughout 2016, these actors used custom .NET downloaders to collect basic system information and retrieve additional payloads onto infected hosts. Based on a generally low level of coding complexity, CrowdStrike® assesses that this adversary is of below-average technical sophistication.

2016 Activities

The CrowdStrike Falcon Intelligence™ team’s tracking of this adversary began in late 2016, when evidence of an attack surfaced against a victim based in India and working in the hospitality sector. The attack used an Excel spreadsheet containing macro code that deployed the previously mentioned simplistic .NET downloader payload. The basic nature of the malicious document and observed coding errors in the downloader payload are the basis for the assessment that this actor demonstrates a low level of technical skills.

2017 Activities

MYTHIC LEOPARD was further observed in 2017 developing methods for disguising custom malware implants. Two binder tools, used to make custom executables appear to be legitimate Microsoft binaries, were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017.

2018 Activities

Since April 2018, Falcon Intelligence has observed ongoing targeted intrusion activity using malicious Microsoft Office Excel documents likely associated with the MYTHIC LEOPARD adversary. As part of this campaign, the adversary leveraged generic themes related to administrative, managerial or supervisory matters alongside a unique Visual Basic Script (VBScript) technique used for installation. Falcon Intelligence has observed MYTHIC LEOPARD using this technique for several years to install multiple first-stage implants and downloaders, including the isqlmanager and Waizsar RAT malware families. However, the use of the UPX packer and of timestomping has not previously been associated with this adversary and likely indicates an incremental increase in tradecraft and sophistication.
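The two new indicators called out above, UPX packing and timestomping, are both things a responder can check on a collected sample without running it. The following is an added example written for this page (it is not CrowdStrike tooling and not code from the campaign): it reads the PE section table to look for the UPX0/UPX1 section names that the stock UPX packer writes, and applies common timestomping heuristics by comparing the PE compile timestamp with the file's on-disk timestamps. The PE bytes, timestamps and filenames are constructed here for illustration and are hypothetical.

```python
import struct
from datetime import datetime, timezone

# Section names written by an unmodified UPX build. Operators can rename
# them, so their absence proves nothing; their presence is a strong hint.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
COFF_HEADER = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics


def build_minimal_pe(section_names, compile_ts):
    """Assemble just enough of a PE image to exercise the checks below.

    Constructed test data for this example, not a runnable binary: a DOS stub,
    a PE signature, a COFF header carrying the compile timestamp, a zeroed
    PE32 optional header and one 40-byte section header per name.
    """
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_opt = 0xE0  # size of a PE32 optional header
    coff = struct.pack(COFF_HEADER, 0x14C, len(section_names), compile_ts, 0, 0, size_opt, 0x102)
    opt = b"\x0b\x01" + b"\x00" * (size_opt - 2)  # PE32 magic, remaining fields zeroed
    sections = b"".join(name.encode().ljust(8, b"\x00") + b"\x00" * 32 for name in section_names)
    return dos + b"PE\x00\x00" + coff + opt + sections


def parse_pe(data):
    """Return the COFF compile timestamp and the list of section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, compile_ts, _, _, size_opt, _ = struct.unpack_from(COFF_HEADER, data, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_HEADER) + size_opt
    names = []
    for i in range(nsec):
        raw = data[sec_off + i * 40: sec_off + i * 40 + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {"compile_ts": compile_ts, "sections": names}


def looks_upx_packed(sections):
    return any(name in UPX_SECTION_NAMES for name in sections)


def timestomp_indicators(compile_ts, fs_mtime, fs_ctime, now):
    """Heuristics only; each one has benign explanations (FAT volumes, clock skew).

    Timestamps are epoch seconds; fs_mtime/fs_ctime may carry fractional seconds.
    """
    findings = []
    # A file cannot legitimately be modified or created on disk before it was compiled.
    if fs_mtime < compile_ts:
        findings.append("fs_mtime_before_compile")
    if fs_ctime < compile_ts:
        findings.append("fs_ctime_before_compile")
    # A compile time after collection time means the header itself was tampered with.
    if compile_ts > now:
        findings.append("compile_ts_in_future")
    # NTFS stores 100 ns precision; common timestomping tools write whole seconds,
    # so an exactly-zero fractional part is a classic tell.
    if fs_mtime == int(fs_mtime) and fs_ctime == int(fs_ctime):
        findings.append("zero_fraction_fs_times")
    return findings


def triage(data, fs_mtime, fs_ctime, now):
    pe = parse_pe(data)
    return {
        "sections": pe["sections"],
        "upx": looks_upx_packed(pe["sections"]),
        "timestomp": timestomp_indicators(pe["compile_ts"], fs_mtime, fs_ctime, now),
    }


def epoch(*ymd_hms):
    return datetime(*ymd_hms, tzinfo=timezone.utc).timestamp()


# Constructed sample: packed, with on-disk times pushed back to 2016 (hypothetical values).
SUSPECT = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], int(epoch(2018, 4, 10, 9, 0, 0)))
SUSPECT_MTIME = epoch(2016, 1, 1, 0, 0, 0)           # whole second, before compile time
# Constructed benign sample: normal sections, on-disk times after compile with sub-second parts.
BENIGN = build_minimal_pe([".text", ".data", ".rsrc"], int(epoch(2018, 4, 10, 9, 0, 0)))
BENIGN_MTIME = epoch(2018, 4, 12, 13, 27, 5) + 0.4213
COLLECTED_AT = epoch(2018, 5, 1, 0, 0, 0)

if __name__ == "__main__":
    print("suspect:", triage(SUSPECT, SUSPECT_MTIME, SUSPECT_MTIME, COLLECTED_AT))
    print("benign: ", triage(BENIGN, BENIGN_MTIME, BENIGN_MTIME, COLLECTED_AT))
```

On a real case the filesystem times would come from the MFT record ($STANDARD_INFORMATION) rather than a stat() call, and the $FILE_NAME timestamps, which user-mode timestomping tools usually cannot change, give a second reference point. Treat each finding as a lead to confirm against the sample's behaviour, not as a verdict.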

MYTHIC LEOPARD actors have previously used an indigenously produced .NET obfuscation tool to hide malware implants as legitimate tools. The malicious files visual_HD.exe and skypee.exe both attempt to impersonate a legitimate uTorrent executable once installed and running. Both malicious files use a previously identified MYTHIC LEOPARD command-and-control (C2) domain msupdate.servehttp[.]com. MYTHIC LEOPARD has previously reused old C2 domains across medium to long periods of time, despite operational security concerns.

The related decoy document in this attack simply displays a pay scale without any further identifying information. However, the filename (Pay Matrix Projected After 7th CPC (3).xls) suggests that it is related to India’s 7th Central Pay Commission’s recommendations for government salaries. As noted above, India is within the traditional target scope for this adversary.


Adam Meyers

Adam Meyers has authored numerous papers for peer-reviewed industry venues and has received awards for his dedication to the information security industry. As Vice President of Intelligence for CrowdStrike, Meyers oversees all of CrowdStrike's intelligence gathering and cyber-adversarial monitoring activities. Previously, Meyers was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International, where he provided technical expertise at the tactical level and strategic guidance on overall security program objectives.
