Leviathan

Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.[1][2]

ID: G0065
Associated Groups: TEMP.Jumper, APT40, TEMP.Periscope
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 2.1
Created: 18 April 2018
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
TEMP.Jumper

Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[3]

APT40

The group identified by Proofpoint as Leviathan appears to significantly overlap with FireEye's reporting on APT40. Additionally, FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[2][3][1]

TEMP.Periscope

Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[2][3]

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

Leviathan has used BITSAdmin to download additional tools.[2]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[1][2]

Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[1][2]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Leviathan uses a backdoor known as BADFLICK that is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.[1][2]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Leviathan has used VBScript.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Leviathan has used PowerShell for execution.[1][2]

Enterprise T1074.001 Data Staged: Local Data Staging

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[1]

Enterprise T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Leviathan has used WMI for persistence.[2]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[1][2]

Enterprise T1203 Exploitation for Client Execution

Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[1][2]

Enterprise T1105 Ingress Tool Transfer

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[1][2]

Enterprise T1027 Obfuscated Files or Information

Leviathan has obfuscated code using base64 and gzip compression.[1]

Enterprise T1027.001 Obfuscated Files or Information: Binary Padding

Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[1]

Enterprise T1003 OS Credential Dumping

Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[3]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[3]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[1]

Enterprise T1566.002 Phishing: Spearphishing Link

Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[1]

Enterprise T1021.004 Remote Services: SSH

Leviathan has used SSH for internal reconnaissance.[3]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Leviathan has targeted RDP credentials and used them to move through the victim environment.[3]

Enterprise T1505.003 Server Software Component: Web Shell

Leviathan relies on web shells for an initial foothold as well as for persistence in the victim's systems.[3]

Enterprise T1218.010 Signed Binary Proxy Execution: Regsvr32

Leviathan has used regsvr32 for execution.[1]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

Leviathan has used stolen code signing certificates to sign malware.[2][3]

Enterprise T1204.002 User Execution: Malicious File

Leviathan has sent spearphishing attachments attempting to get a user to click.[1]

Enterprise T1204.001 User Execution: Malicious Link

Leviathan has sent spearphishing email links attempting to get a user to click.[1]

Enterprise T1078 Valid Accounts

Leviathan has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations.[1]

Enterprise T1102.003 Web Service: One-Way Communication

Leviathan has received C2 instructions from user profiles created on legitimate websites such as GitHub and TechNet.[2]

Enterprise T1047 Windows Management Instrumentation

Leviathan has used WMI for execution.[1]

Software

ID Name References Techniques
S0110 at [3] Scheduled Task/Job: At (Windows)
S0190 BITSAdmin [2] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [2] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0020 China Chopper [2] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [1][2] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Man in the Browser, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Query Registry, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0021 Derusbi [2] Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, Signed Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0232 HOMEFRY [2] Command and Scripting Interpreter: Windows Command Shell, Obfuscated Files or Information, OS Credential Dumping
S0233 MURKYTOP [2] Account Discovery: Local Account, Command and Scripting Interpreter: Windows Command Shell, Indicator Removal on Host: File Deletion, Network Service Scanning, Network Share Discovery, Permission Groups Discovery, Remote System Discovery, Scheduled Task/Job: At (Windows), System Information Discovery
S0228 NanHaiShu [1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Signed Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [3] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0229 Orz [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host, Ingress Tool Transfer, Obfuscated Files or Information, Process Discovery, Process Injection: Process Hollowing, Signed Binary Proxy Execution: Regsvr32, Software Discovery, System Information Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication
S0005 Windows Credential Editor [3] OS Credential Dumping: LSASS Memory

References