Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.[1][2][3]
Name | Description |
---|---|
MUDCARP | |
Kryptonite Panda | |
Gadolinium | |
BRONZE MOHAWK | |
TEMP.Jumper |
Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][8] |
APT40 |
FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[1][2][3][8] |
TEMP.Periscope |
Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][3][8] |
Gingham Typhoon |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. [1][4] |
Enterprise | T1560 | Archive Collected Data |
Leviathan has archived victim's data prior to exfiltration.[1] |
|
Enterprise | T1197 | BITS Jobs |
Leviathan has used BITSAdmin to download additional tools.[3] |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3] |
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3] |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | |
.005 | Command and Scripting Interpreter: Visual Basic | |||
Enterprise | T1586 | .001 | Compromise Accounts: Social Media Accounts |
Leviathan has compromised social media accounts to conduct social engineering attacks.[1] |
.002 | Compromise Accounts: Email Accounts |
Leviathan has compromised email accounts to conduct social engineering attacks.[1] |
||
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[3][1] |
.002 | Data Staged: Remote Data Staging |
Leviathan has staged data remotely prior to exfiltration.[1] |
||
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[2] |
|
Enterprise | T1189 | Drive-by Compromise | ||
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Leviathan has created new social media accounts for targeting efforts.[1] |
.002 | Establish Accounts: Email Accounts |
Leviathan has created new email accounts for targeting efforts.[1] |
||
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | |
Enterprise | T1041 | Exfiltration Over C2 Channel | ||
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[2][3] |
Enterprise | T1203 | Exploitation for Client Execution |
Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[2][3][1][4] |
|
Enterprise | T1133 | External Remote Services |
Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[1] |
|
Enterprise | T1589 | .001 | Gather Victim Identity Information: Credentials |
Leviathan has collected compromised credentials to use for targeting efforts.[1] |
Enterprise | T1105 | Ingress Tool Transfer |
Leviathan has downloaded additional scripts and files from adversary-controlled servers.[2][3] |
|
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents. [4] |
Enterprise | T1534 | Internal Spearphishing |
Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[1] |
|
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[2] |
.003 | Obfuscated Files or Information: Steganography |
Leviathan has used steganography to hide stolen data inside other files stored on Github.[1] |
||
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Leviathan has obfuscated code using base64 and gzip compression.[2] |
||
Enterprise | T1003 | OS Credential Dumping |
Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[8] |
|
.001 | LSASS Memory |
Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[8] |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[2][1] |
.002 | Phishing: Spearphishing Link |
Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[2][1] |
||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[4] |
Enterprise | T1572 | Protocol Tunneling |
Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[1] |
|
Enterprise | T1090 | .003 | Proxy: Multi-hop Proxy |
Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[1] |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Leviathan has targeted RDP credentials and used it to move through the victim environment.[8] |
.004 | Remote Services: SSH | |||
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.[8][1] |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Leviathan has used stolen code signing certificates to sign malware.[3][8] |
Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 | |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Leviathan has sent spearphishing email links attempting to get a user to click.[2][1] |
.002 | User Execution: Malicious File |
Leviathan has sent spearphishing attachments attempting to get a user to click.[2][1] |
||
Enterprise | T1078 | Valid Accounts |
Leviathan has obtained valid accounts to gain initial access.[1][4] |
|
Enterprise | T1102 | .003 | Web Service: One-Way Communication |
Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.[3] |
Enterprise | T1047 | Windows Management Instrumentation |