Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.[1][2][3]

ID: G0065
Associated Groups: MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 4.0
Created: 18 April 2018
Last Modified: 08 January 2024

Associated Group Descriptions

Name Description
MUDCARP

[1][4]

Kryptonite Panda

[1][5]

Gadolinium

[1][6]

BRONZE MOHAWK

[1][7]

TEMP.Jumper

Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][8]

APT40

FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[1][2][3][8]

TEMP.Periscope

Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[1][3][8]

Gingham Typhoon

[9]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. [1][4]

Enterprise T1560 Archive Collected Data

Leviathan has archived victim's data prior to exfiltration.[1]

Enterprise T1197 BITS Jobs

Leviathan has used BITSAdmin to download additional tools.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[2][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Leviathan has used PowerShell for execution.[2][3][1][4]

.005 Command and Scripting Interpreter: Visual Basic

Leviathan has used VBScript.[2]

Enterprise T1586 .001 Compromise Accounts: Social Media Accounts

Leviathan has compromised social media accounts to conduct social engineering attacks.[1]

.002 Compromise Accounts: Email Accounts

Leviathan has compromised email accounts to conduct social engineering attacks.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[3][1]

.002 Data Staged: Remote Data Staging

Leviathan has staged data remotely prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[2]

Enterprise T1189 Drive-by Compromise

Leviathan has infected victims using watering holes.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Leviathan has created new social media accounts for targeting efforts.[1]

.002 Establish Accounts: Email Accounts

Leviathan has created new email accounts for targeting efforts.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Leviathan has used WMI for persistence.[3]

Enterprise T1041 Exfiltration Over C2 Channel

Leviathan has exfiltrated data over its C2 channel.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[2][3]

Enterprise T1203 Exploitation for Client Execution

Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[2][3][1][4]

Enterprise T1133 External Remote Services

Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[1]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Leviathan has collected compromised credentials to use for targeting efforts.[1]

Enterprise T1105 Ingress Tool Transfer

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[2][3]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents. [4]

Enterprise T1534 Internal Spearphishing

Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[1]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[2]

.003 Obfuscated Files or Information: Steganography

Leviathan has used steganography to hide stolen data inside other files stored on Github.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Leviathan has obfuscated code using base64 and gzip compression.[2]

Enterprise T1003 OS Credential Dumping

Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[8]

.001 LSASS Memory

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[8]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[2][1]

.002 Phishing: Spearphishing Link

Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[2][1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[4]

Enterprise T1572 Protocol Tunneling

Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Leviathan has targeted RDP credentials and used it to move through the victim environment.[8]

.004 Remote Services: SSH

Leviathan used ssh for internal reconnaissance.[8]

Enterprise T1505 .003 Server Software Component: Web Shell

Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.[8][1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Leviathan has used stolen code signing certificates to sign malware.[3][8]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Leviathan has used regsvr32 for execution.[2]

Enterprise T1204 .001 User Execution: Malicious Link

Leviathan has sent spearphishing email links attempting to get a user to click.[2][1]

.002 User Execution: Malicious File

Leviathan has sent spearphishing attachments attempting to get a user to click.[2][1]

Enterprise T1078 Valid Accounts

Leviathan has obtained valid accounts to gain initial access.[1][4]

Enterprise T1102 .003 Web Service: One-Way Communication

Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.[3]

Enterprise T1047 Windows Management Instrumentation

Leviathan has used WMI for execution.[2]

Software

ID Name References Techniques
S0110 at [8] Scheduled Task/Job: At
S0642 BADFLICK [3][4] Archive Collected Data: Archive via Library, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Phishing: Spearphishing Attachment, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File, Virtualization/Sandbox Evasion: Time Based Evasion
S0190 BITSAdmin [3] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [3] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0020 China Chopper [3][1][4] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [2][3][1] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0021 Derusbi [3][1] Audio Capture, Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0032 gh0st RAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0232 HOMEFRY [3] Command and Scripting Interpreter: Windows Command Shell, Obfuscated Files or Information: Encrypted/Encoded File, OS Credential Dumping
S0233 MURKYTOP [3][1] Account Discovery: Local Account, Command and Scripting Interpreter: Windows Command Shell, Indicator Removal: File Deletion, Network Service Discovery, Network Share Discovery, Permission Groups Discovery, Remote System Discovery, Scheduled Task/Job: At, System Information Discovery
S0228 NanHaiShu [2][1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [8] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0229 Orz [2][1][4] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Process Injection: Process Hollowing, Software Discovery, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0183 Tor [1] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy
S0005 Windows Credential Editor [8] OS Credential Dumping: LSASS Memory

References