Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Leviathan
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Leviathan
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)
ID: G0065
Associated Groups: MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, TEMP.Periscope, APT40
Version: 3.0
Created: 18 Apr 2018
Last Modified: 15 Apr 2022

Associated Group Descriptions
Name Description
MUDCARP (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)
Kryptonite Panda (Citation: CISA AA21-200A APT40 July 2021)(Citation: Crowdstrike KRYPTONITE PANDA August 2018)
Gadolinium (Citation: CISA AA21-200A APT40 July 2021)(Citation: MSTIC GADOLINIUM September 2020)
BRONZE MOHAWK (Citation: CISA AA21-200A APT40 July 2021)(Citation: SecureWorks BRONZE MOHAWK n.d.)
TEMP.Jumper Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye APT40 March 2019)
TEMP.Periscope Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)
APT40 FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)

Techniques Used
Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)
.009 Boot or Logon Autostart Execution: Shortcut Modification

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Leviathan has used PowerShell for execution.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)
.003 Command and Scripting Interpreter: Windows Command Shell

Leviathan uses a backdoor known as BADFLICK that is is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.(Citation: Proofpoint Leviathan Oct 2017).(Citation: FireEye Periscope March 2018)

.005 Command and Scripting Interpreter: Visual Basic

Leviathan has used VBScript.(Citation: Proofpoint Leviathan Oct 2017)

Enterprise T1586 .001 Compromise Accounts: Social Media Accounts

Leviathan has compromised social media accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021)
.002 Compromise Accounts: Email Accounts

Leviathan has compromised email accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)
.002 Data Staged: Remote Data Staging

Leviathan has staged data remotely prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Leviathan has created new social media accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)
.002 Establish Accounts: Email Accounts

Leviathan has created new email accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Leviathan has used WMI for persistence.(Citation: FireEye Periscope March 2018)
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)
Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Leviathan has collected compromised credentials to use for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021)
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents. (Citation: Accenture MUDCARP March 2019)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.(Citation: FireEye APT40 March 2019)
Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.(Citation: Proofpoint Leviathan Oct 2017)
.003 Obfuscated Files or Information: Steganography

Leviathan has used steganography to hide stolen data inside other files stored on Github.(Citation: CISA AA21-200A APT40 July 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)
.002 Phishing: Spearphishing Link

Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.(Citation: Accenture MUDCARP March 2019)
Enterprise T1090 .003 Proxy: Multi-hop Proxy

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.(Citation: CISA AA21-200A APT40 July 2021)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Leviathan has targeted RDP credentials and used it to move through the victim environment.(Citation: FireEye APT40 March 2019)

.004 Remote Services: SSH

Leviathan used ssh for internal reconnaissance.(Citation: FireEye APT40 March 2019)

Enterprise T1505 .003 Server Software Component: Web Shell

Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.(Citation: FireEye APT40 March 2019)(Citation: CISA AA21-200A APT40 July 2021)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Leviathan has used stolen code signing certificates to sign malware.(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Leviathan has used regsvr32 for execution.(Citation: Proofpoint Leviathan Oct 2017)
Enterprise T1204 .001 User Execution: Malicious Link

Leviathan has sent spearphishing email links attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)
.002 User Execution: Malicious File

Leviathan has sent spearphishing attachments attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)

Enterprise T1102 .003 Web Service: One-Way Communication

Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.(Citation: FireEye Periscope March 2018)

Software
ID Name References Techniques
S0039 Net (Citation: FireEye APT40 March 2019) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0233 MURKYTOP (Citation: CISA AA21-200A APT40 July 2021) (Citation: FireEye Periscope March 2018) Remote System Discovery, System Information Discovery, File Deletion, Windows Command Shell, Permission Groups Discovery, At, Network Share Discovery, Network Service Discovery, Local Account
S0229 Orz (Citation: Accenture MUDCARP March 2019) (Citation: AIRBREAK) (Citation: CISA AA21-200A APT40 July 2021) (Citation: FireEye Periscope March 2018) (Citation: Proofpoint Leviathan Oct 2017) File and Directory Discovery, Windows Command Shell, Regsvr32, Bidirectional Communication, Process Discovery, System Information Discovery, Indicator Removal, Software Discovery, Ingress Tool Transfer, Modify Registry, System Network Configuration Discovery, Process Hollowing, Obfuscated Files or Information
S0110 at (Citation: FireEye APT40 March 2019) (Citation: Linux at) (Citation: TechNet At) At
S0194 PowerSploit (Citation: CISA AA21-200A APT40 July 2021) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Obfuscated Files or Information, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: FireEye APT40 March 2019) LSASS Memory
S0363 Empire (Citation: CISA AA21-200A APT40 July 2021) (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0642 BADFLICK (Citation: Accenture MUDCARP March 2019) (Citation: FireEye Periscope March 2018) System Information Discovery, Archive via Library, File and Directory Discovery, Malicious File, Data from Local System, Spearphishing Attachment, Time Based Evasion, System Network Configuration Discovery, Ingress Tool Transfer, Deobfuscate/Decode Files or Information
S0020 China Chopper (Citation: Accenture MUDCARP March 2019) (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery
S0190 BITSAdmin (Citation: FireEye Periscope March 2018) (Citation: Microsoft BITSAdmin) Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S0228 NanHaiShu (Citation: CISA AA21-200A APT40 July 2021) (Citation: fsecure NanHaiShu July 2016) (Citation: Proofpoint Leviathan Oct 2017) Obfuscated Files or Information, JavaScript, Visual Basic, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, File Deletion, Mshta, DNS, Registry Run Keys / Startup Folder, System Information Discovery, System Owner/User Discovery
S0232 HOMEFRY (Citation: FireEye Periscope March 2018) OS Credential Dumping, Obfuscated Files or Information, Windows Command Shell
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: CISA AA21-200A APT40 July 2021) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel
S0021 Derusbi (Citation: CISA AA21-200A APT40 July 2021) (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem) Keylogging, Unix Shell, Regsvr32, System Information Discovery, Timestomp, Dynamic-link Library Injection, Custom Command and Control Protocol, File Deletion, Non-Standard Port, Symmetric Cryptography, System Owner/User Discovery, Audio Capture, File and Directory Discovery, Commonly Used Port, Fallback Channels, Non-Application Layer Protocol, Screen Capture, Video Capture, Process Discovery, Query Registry
S0154 Cobalt Strike (Citation: CISA AA21-200A APT40 July 2021) (Citation: cobaltstrike manual) (Citation: FireEye Periscope March 2018) (Citation: Proofpoint Leviathan Oct 2017) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0069 BLACKCOFFEE (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018) File and Directory Discovery, Multi-Stage Channels, Windows Command Shell, Process Discovery, Dead Drop Resolver, File Deletion, Bidirectional Communication
S0183 Tor (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dingledine Tor The Second-Generation Onion Router) Asymmetric Cryptography, Multi-hop Proxy

References

  1. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  2. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  3. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  4. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  5. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
  6. Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021.
  7. Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021.
  8. SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.