ATK64

Presumed Origin: Pakistan

Alias: APT 36, APT36, C-Major, Mythic Leopard, Operation C-Major, Operation Transparent Tribe, ProjectM, TMP.Lapis, Transparent Tribe

ATK64 (aka MYTHIC LEOPARD) is a Pakistan-based adversary whose operations are likely located in Karachi. This adversary uses social engineering and spear phishing to target Indian military and defense entities. Throughout 2016, these actors used custom .NET downloaders to collect basic system information and download additional payloads to infected hosts. Based on a generally low level of coding complexity, CrowdStrike® assesses that this adversary is of below-average technical sophistication.

The CrowdStrike Falcon Intelligence™ team’s tracking of this adversary began in late 2016, when evidence of an attack surfaced against a victim based in India and working in the hospitality sector. The attack used an Excel spreadsheet containing macro code that deployed the previously mentioned simplistic .NET downloader payload. The basic nature of the malicious document and the observed coding errors in the downloader payload are the basis for the assessment that this actor demonstrates a low level of technical skill.

MYTHIC LEOPARD was further observed in 2017 developing methods for disguising custom malware implants. Two binder tools — used to disguise custom executables as legitimate Microsoft implants — were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017.

Since April 2018, Falcon Intelligence has observed ongoing targeted intrusion activity using malicious Microsoft Office Excel documents likely associated with the MYTHIC LEOPARD adversary. As part of this campaign, the adversary leveraged generic themes related to administrative, managerial or supervisory matters alongside a unique Visual Basic Script (VBScript) technique used for installation. Falcon Intelligence has observed MYTHIC LEOPARD using this technique for several years to install multiple first-stage implants and downloaders, including the isqlmanager and Waizsar RAT malware families. However, the use of the UPX packer and of timestomping has not previously been associated with this adversary and likely indicates an incremental increase in tradecraft and sophistication.

MYTHIC LEOPARD actors have previously used an indigenously produced .NET obfuscation tool to hide malware implants as legitimate tools. The malicious files visual_HD.exe and skypee.exe both attempt to impersonate a legitimate uTorrent executable once installed and running. Both malicious files use a previously identified MYTHIC LEOPARD command-and-control (C2) domain, msupdate.servehttp[.]com. MYTHIC LEOPARD has previously reused old C2 domains over medium to long periods of time, despite the operational security concerns this creates.

The related decoy document in this attack simply displays a pay scale without any further identifying information. However, the filename (Pay Matrix Projected After 7th CPC (3).xls) suggests that it is related to India’s 7th Central Pay Commission’s recommendations for government salaries. As noted above, India is within the traditional target scope for this adversary.

REFERENCES

  • 18/05/2018 - CrowdStrike

    • Meet CrowdStrike’s Adversary of the Month for May: MYTHIC LEOPARD

Target sector

  • Defense
  • Military

Target countries

  • Afghanistan
  • Germany
  • Pakistan
  • Iran, Islamic Republic Of
  • India

Malware

  • Crimson
  • ObliqueRAT
  • CapraRAT
