PolySwarm Threat Bulletin
Cyble recently released a deep-dive analysis of Mythic Leopard espionage activity that leverages the CapraRAT Android spyware. This campaign targeted Indian government officials.
Who is Mythic Leopard?
Mythic Leopard, also known as APT36 and Transparent Tribe, is a Pakistan-based threat actor active since at least 2013. They are typically known for espionage activity, primarily targeting India’s government and military.
Mythic Leopard's TTPs include social engineering, phishing, and maldocs, and its toolset includes BreachRAT, DarkComet, Luminosity RAT, njRAT, Crimson RAT, and ObliqueRAT. They are known to target both Windows systems and Android devices. In recent years, they have used Android malware masquerading as a legitimate application. In 2020, Mythic Leopard used a spyware app masquerading as Aarogya Setu, a legitimate app released by the Indian government to track COVID-19 cases.
Cyble does not describe the initial infection vector allowing CapraRAT to be installed on a user’s Android device. However, Mythic Leopard has used phishing lures and social engineering as an entry point in the past.
CapraRAT masquerades as an application called Android Services. When the app is opened, CapraRAT hides its icon from the user and communicates with the C2 at hxxp://android.viral91[.]xyz/admin/webservices. CapraRAT requests 21 permissions, including but not limited to reading, sending, and receiving text messages, accessing the call log, accessing contacts, recording audio, accessing location information based on both GPS and cellular or WiFi networks, initiating a phone call, writing or deleting files on external storage, and processing outgoing calls. It also requests permission to read phone state, which allows it to detect the device's current cellular network, obtain the mobile number and IMEI, and obtain a list of any phone accounts registered to the device.
CapraRAT is capable of stealing call logs, contacts, text messages, and location data. It can take screenshots of user activity, take photos, record calls, and use the phone’s microphone. CapraRAT can also update itself. CapraRAT communicates with the C2 to receive commands and exfiltrate collected data.
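The permission set described above is itself a triage signal: a single app that declares SMS, call log, contacts, microphone, location, and phone-state access at once is requesting a surveillance profile rather than an ordinary one. The script below is an added example, not part of Cyble's or PolySwarm's analysis; it parses a decoded AndroidManifest.xml (a constructed sample, not the real CapraRAT manifest) and maps the declared permissions onto the capability groups the bulletin lists. The grouping and the threshold of five groups are assumptions chosen for this example.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups built from the permissions the bulletin attributes to
# CapraRAT. Grouping and threshold are assumptions for this triage script.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "calls": {"android.permission.CALL_PHONE",
              "android.permission.PROCESS_OUTGOING_CALLS"},
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "phone_state": {"android.permission.READ_PHONE_STATE"},
}

def requested_permissions(manifest_xml: str) -> set:
    # Collect every <uses-permission android:name="..."> in the manifest.
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def capability_profile(perms: set) -> dict:
    # Map declared permissions onto the surveillance capability groups above.
    return {cap: sorted(perms & names) for cap, names in CAPABILITIES.items()
            if perms & names}

def looks_like_spyware(perms: set, min_groups: int = 5) -> bool:
    # Flag when many distinct surveillance capabilities are requested together.
    return len(capability_profile(perms)) >= min_groups

# Constructed sample manifest (decoded to text, e.g. with apktool); the
# permission list mirrors the bulletin's description, not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.services">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
```

Running `capability_profile(requested_permissions(SAMPLE_MANIFEST))` on the sample returns six groups, so `looks_like_spyware` reports True; a benign manifest declaring only, say, INTERNET yields an empty profile and False.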
PolySwarm has the sample associated with Mythic Leopard’s CapraRAT.