Leviathan
Associated Group Descriptions |
|
Name | Description |
---|---|
MUDCARP | (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) |
Kryptonite Panda | (Citation: CISA AA21-200A APT40 July 2021)(Citation: Crowdstrike KRYPTONITE PANDA August 2018) |
Gadolinium | (Citation: CISA AA21-200A APT40 July 2021)(Citation: MSTIC GADOLINIUM September 2020) |
BRONZE MOHAWK | (Citation: CISA AA21-200A APT40 July 2021)(Citation: SecureWorks BRONZE MOHAWK n.d.) |
Gingham Typhoon | (Citation: Microsoft Threat Actor Naming July 2023) |
TEMP.Jumper | Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye APT40 March 2019) |
TEMP.Periscope | Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) |
APT40 | FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Leviathan has used PowerShell for execution.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Leviathan uses a backdoor known as BADFLICK that is is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.(Citation: Proofpoint Leviathan Oct 2017).(Citation: FireEye Periscope March 2018) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Leviathan has used VBScript.(Citation: Proofpoint Leviathan Oct 2017) |
||
Enterprise | T1586 | .001 | Compromise Accounts: Social Media Accounts |
Leviathan has compromised social media accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021) |
.002 | Compromise Accounts: Email Accounts |
Leviathan has compromised email accounts to conduct social engineering attacks.(Citation: CISA AA21-200A APT40 July 2021) |
||
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021) |
.002 | Data Staged: Remote Data Staging |
Leviathan has staged data remotely prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021) |
||
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Leviathan has created new social media accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021) |
.002 | Establish Accounts: Email Accounts |
Leviathan has created new email accounts for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021) |
||
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Leviathan has used WMI for persistence.(Citation: FireEye Periscope March 2018) |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
Enterprise | T1589 | .001 | Gather Victim Identity Information: Credentials |
Leviathan has collected compromised credentials to use for targeting efforts.(Citation: CISA AA21-200A APT40 July 2021) |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents. (Citation: Accenture MUDCARP March 2019) |
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.(Citation: FireEye APT40 March 2019) |
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.(Citation: Proofpoint Leviathan Oct 2017) |
.003 | Obfuscated Files or Information: Steganography |
Leviathan has used steganography to hide stolen data inside other files stored on Github.(Citation: CISA AA21-200A APT40 July 2021) |
||
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Leviathan has obfuscated code using base64 and gzip compression.(Citation: Proofpoint Leviathan Oct 2017) |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
.002 | Phishing: Spearphishing Link |
Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.(Citation: Accenture MUDCARP March 2019) |
Enterprise | T1090 | .003 | Proxy: Multi-hop Proxy |
Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.(Citation: CISA AA21-200A APT40 July 2021) |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Leviathan has targeted RDP credentials and used it to move through the victim environment.(Citation: FireEye APT40 March 2019) |
.004 | Remote Services: SSH |
Leviathan used ssh for internal reconnaissance.(Citation: FireEye APT40 March 2019) |
||
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.(Citation: FireEye APT40 March 2019)(Citation: CISA AA21-200A APT40 July 2021) |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Leviathan has used stolen code signing certificates to sign malware.(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) |
Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 |
Leviathan has used regsvr32 for execution.(Citation: Proofpoint Leviathan Oct 2017) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Leviathan has sent spearphishing email links attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
.002 | User Execution: Malicious File |
Leviathan has sent spearphishing attachments attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
||
Enterprise | T1102 | .003 | Web Service: One-Way Communication |
Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.(Citation: FireEye Periscope March 2018) |
References
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
- Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021.
- Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.