Leviathan Targeting Engineering and Maritime Industries

It is believed that a Chinese-linked espionage group is currently increasing its activity in targeting foreign engineering and maritime companies. This is according to a report recently published by FireEye, a well-respected cybersecurity firm known for its nation-state threat intelligence. The Chinese-linked espionage group has been called Leviathan by researchers and analysts. The group also goes by the name TEMP.Periscope and has been active for over a decade. The group has historically been interested in targets connected to the South China Sea and the geographical and political issues that have affected the region for China and its neighbors. These targets include research institutes, academic organizations, and private firms in the United States. Over the years the group has also shown interest in professional/consulting services, the high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

2018 Incursions

Since the beginning of this year, FireEye has seen a sharp escalation in detected activity which can be attributed to the group. The group has a few tell-tale methods of operation which overlap with other Chinese-associated groups, such as TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.

A similar escalation in activity was seen in the summer of 2017. Researchers refer to these overlaps in targeting and tactics as Tactics, Techniques, and Procedures (TTPs). As with the 2017 campaign, the latest campaign leverages a relatively large library of malware shared with multiple other suspected Chinese groups. In this campaign these tools include:

  • AirBreak: a JavaScript-based backdoor also reported as “Orz” that retrieves commands from hidden strings in compromised web pages and actor-controlled profiles on legitimate services.
  • BadFlick: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.
  • Photo: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.
  • HomeFry: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AirBreak and BadFlick backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.
  • LunchMoney: an uploader that can exfiltrate files to Dropbox.
  • MurkyTop: a command-line reconnaissance tool. It can be used to execute files as a different user, move and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.
  • China Chopper: a simple code injection web shell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.
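
The HomeFry entry above notes that some of its strings are obfuscated with a single-byte XOR. The following is an added example, not code from FireEye or from the original article, of how an analyst can recover such strings during static triage; it reads "XOR x56" as the byte 0x56, and the minimum length, the scoring heuristic and the sample bytes are assumptions constructed for illustration.

```python
import re

XOR_KEY = 0x56   # the article's "XOR x56", read here as the single byte 0x56
MIN_LEN = 6      # assumption: shortest run worth reporting
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WORDLIKE = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ")


def xor_bytes(data, key=XOR_KEY):
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_score(chunk):
    """Fraction of bytes that are ASCII letters or spaces."""
    return sum(b in WORDLIKE for b in chunk) / len(chunk)


def hidden_strings(data, key=XOR_KEY):
    """Return (offset, text) for runs that read as text only after decoding.

    XOR with 0x56 maps lowercase letters onto digits and punctuation, so
    ordinary plaintext also decodes to printable junk. A run is kept only if
    the decoded bytes look more like text than the raw bytes at that offset.
    """
    decoded = xor_bytes(data, key)
    found = []
    for m in PRINTABLE.finditer(decoded):
        raw = data[m.start():m.end()]
        if text_score(m.group()) > text_score(raw):
            found.append((m.start(), m.group().decode("ascii")))
    return found


# Constructed sample, not bytes from any real binary: one plaintext string,
# filler bytes, and one string stored XOR-encoded with the key above.
SAMPLE = (
    b"\x00\x01\x02\x03"
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x90\x90\xff\xfe"
    + xor_bytes(b"constructed hidden string: example only\x00")
    + b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for offset, text in hidden_strings(SAMPLE):
        print(f"0x{offset:04x}  {text}")
```

The letter-and-space score is a triage heuristic: encoded strings made up mostly of digits or symbols can be missed, so treat an empty result as inconclusive.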

Alongside the extensive list of tools used by the group in the latest campaign, there have also been more than a few identifying TTPs. In this campaign, the group has been seen using spear phishing as well as exploiting the CVE-2017-11882 vulnerability to drop malware once victims have been successfully lured into opening documents. In addition to the above-mentioned TTPs, this campaign has also seen the group employing stolen code signing certificates to sign malware. Researchers at FireEye believe that the overall goal of the campaign is to gather vital information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations. These are often the pivotal goals of many a cyber espionage campaign.

Past Campaigns Attributed to the NanHaiShu Group

For most of 2015 and 2016, the NanHaiShu group was involved in distributing a Remote Access Trojan (RAT). A RAT, put simply, is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program -- such as a game -- or sent as an email attachment. Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet. In this case, the RAT was given the same name as the group and was discovered by researchers at F-Secure. As with the above-mentioned campaign attributed to Leviathan, whose operations overlap with NanHaiShu and TEMP.Jumper, the campaign targeted institutions in any way involved in the South China Sea.

In October 2017 hackers used China Chopper to help in stealing sensitive data about Australia's F-35 stealth fighter and P-8 surveillance aircraft programmes. The country had committed to buying 72 F-35A fighters and much of the information surrounding the fighter is regarded as highly classified. The hackers managed to steal approximately 30GB of "sensitive data" subject to restricted access under the US government's International Traffic in Arms Regulations rules. The use of the China Chopper tool has been widely attributed by Western governments to Chinese threat actors looking to steal industrial, corporate and military secrets. While no direct attribution to a particular group has been made regarding the hack, it is assumed by many researchers and analysts that a Chinese threat actor was the perpetrator.

It will be interesting to see in the years to come what information stolen in the above campaigns is used to get a competitive edge in negotiations between the powers that be. That is assuming the public at large ever finds out. Such intrigue most certainly helps fill the pages of both spy fiction and non-fiction books. Sometimes, however, such information is only available generations after the event.

About the author:

Karolis Liucveikis
