Insights, news, education and announcements from PolySwarm

Mythic Leopard Uses CapraRAT to Target Indian Government Officials

Written by PolySwarm Tech Team | Feb 22, 2022 8:20:55 PM

PolySwarm Threat Bulletin


Background

Cyble recently released a deep dive analysis of Mythic Leopard espionage activity leveraging CapraRAT Android spyware. This campaign targeted Indian government officials.


Who is Mythic Leopard?

Mythic Leopard, also known as APT36 and Transparent Tribe, is a Pakistan-based threat actor active since at least 2013. They are typically known for espionage activity, primarily targeting India’s government and military.

Mythic Leopard TTPs include social engineering, phishing, maldocs, BreachRAT, DarkComet, Luminosity RAT, njRAT, Crimson RAT, and ObliqueRAT. They are known to target both Windows systems and Android devices. In recent years, they have used Android malware masquerading as a legitimate application. In 2020, Mythic Leopard used a spyware app masquerading as Aarogya Setu. Aarogya Setu is a legitimate app released by the Indian government to track COVID-19 cases.

Details

Cyble does not describe the initial infection vector allowing CapraRAT to be installed on a user’s Android device. However, Mythic Leopard has used phishing lures and social engineering as an entry point in the past.
CapraRAT masquerades as Android Services. When the app is opened, CapraRAT’s icon is hidden from the user, and it communicates with the C2 at hxxp://android.viral91[.]xyz/admin/webservices. CapraRAT requests 21 permissions, including but not limited to reading, sending, and receiving text messages, accessing the call log, accessing contacts, recording audio, accessing location information based on both GPS and cellular or WiFi networks, initiating a phone call, writing or deleting files on external storage, and processing outgoing calls. It also requests permission to read phone state, which allows it to detect the device’s current cellular network, obtain the mobile number and IMEI, and obtain a list of any phone accounts registered to the device.

CapraRAT is capable of stealing call logs, contacts, text messages, and location data. It can take screenshots of user activity, take photos, record calls, and use the phone’s microphone. CapraRAT can also update itself. CapraRAT communicates with the C2 to receive commands and exfiltrate collected data.

IOCs
PolySwarm has the sample associated with Mythic Leopard’s CapraRAT.

Hashes
d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
View full post