Leviathan

Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea. [1] [2]

ID: G0065
Aliases: Leviathan, TEMP.Periscope
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.

Version: 1.0

Alias Descriptions

| Name | Description |
|---|---|
| Leviathan | [1] |
| TEMP.Periscope | [2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1009 | Binary Padding | Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection. [1] |
| Enterprise | T1197 | BITS Jobs | Leviathan has used bitsadmin.exe to download additional tools. [2] |
| Enterprise | T1116 | Code Signing | Leviathan has used stolen code signing certificates to sign malware. [2] |
| Enterprise | T1059 | Command-Line Interface | Leviathan uses a backdoor known as BADFLICK that is capable of generating a reverse shell. [2] |
| Enterprise | T1074 | Data Staged | Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882. [1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | Leviathan has obfuscated code using base64 and gzip compression. [1] |
| Enterprise | T1086 | PowerShell | Leviathan has used PowerShell for execution. [1][2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. [1][2] |
| Enterprise | T1117 | Regsvr32 | Leviathan has used regsvr32 for execution. [1] |
| Enterprise | T1105 | Remote File Copy | Leviathan has downloaded additional scripts and files from adversary-controlled servers. Leviathan has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox. [1][2] |
| Enterprise | T1064 | Scripting | Leviathan has used multiple types of scripting for execution, including JavaScript, JavaScript Scriptlets in XML, and VBScript. [1] |
| Enterprise | T1023 | Shortcut Modification | Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor. [1][2] |
| Enterprise | T1193 | Spearphishing Attachment | Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files. [1] |
| Enterprise | T1192 | Spearphishing Link | Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding. [1] |
| Enterprise | T1204 | User Execution | Leviathan has sent spearphishing emails with links and attachments in an attempt to get a user to click. [1] |
| Enterprise | T1078 | Valid Accounts | Leviathan has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations. [1] |
| Enterprise | T1102 | Web Service | Leviathan has received C2 instructions from user profiles created on legitimate websites such as GitHub and TechNet. [2] |
| Enterprise | T1047 | Windows Management Instrumentation | Leviathan has used WMI for execution. [1] |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | Leviathan has used WMI for persistence. [2] |

Software

| ID | Name | Techniques |
|---|---|---|
| S0190 | BITSAdmin | Exfiltration Over Alternative Protocol, Remote File Copy |
| S0069 | BLACKCOFFEE | Command-Line Interface, File and Directory Discovery, File Deletion, Multi-Stage Channels, Process Discovery, Web Service |
| S0020 | China Chopper | Command-Line Interface, File and Directory Discovery, Remote File Copy, Standard Application Layer Protocol, Web Shell |
| S0154 | Cobalt Strike | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management |
| S0021 | Derusbi | Audio Capture, Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Fallback Channels, File and Directory Discovery, File Deletion, Input Capture, Process Discovery, Process Injection, Query Registry, Regsvr32, Screen Capture, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Timestomp, Video Capture |
| S0232 | HOMEFRY | Command-Line Interface, Credential Dumping, Obfuscated Files or Information |
| S0233 | MURKYTOP | Account Discovery, Command-Line Interface, File Deletion, Network Service Scanning, Network Share Discovery, Permission Groups Discovery, Remote System Discovery, Scheduled Task, System Information Discovery |
| S0228 | NanHaiShu | Disabling Security Tools, File Deletion, Mshta, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery |
| S0229 | Orz | Command-Line Interface, File and Directory Discovery, Indicator Removal on Host, Obfuscated Files or Information, Process Discovery, Process Hollowing, Regsvr32, Remote File Copy, Scripting, System Information Discovery, System Network Configuration Discovery, Web Service |

References