Leviathan

aka: TEMP.Periscope, TEMP.Jumper, APT 40, APT40, BRONZE MOHAWK, GADOLINIUM

Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has a long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.

Associated Families
js.nanhaishu, win.badflick, win.blackcoffee, win.cobalt_strike, win.derusbi, win.grillmark, win.homefry, win.lunchmoney, win.murkytop, win.sedll, win.plugx, win.chinachopper, js.scanbox, win.ghost_rat, js.airbreak, win.zxshell

References
1 http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html
1 http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html
1 http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html
1 http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html
1 http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
1 http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/
1 http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
1 http://malware-log.hatenablog.com/entry/2015/05/18/000000_1
1 http://resources.infosecinstitute.com/scanbox-framework/
1 http://www.hexblog.com/?p=1248
1 http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html
1 http://www.malware-traffic-analysis.net/2018/01/04/index.html
1 http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf
1 https://401trg.com/burning-umbrella/
https://attack.mitre.org/groups/G0065/
1 https://attack.mitre.org/software/S0020/
1 https://attack.mitre.org/software/S0069/
1 https://attack.mitre.org/software/S0228/
1 https://blog.amossys.fr/badflick-is-not-so-bad.html
1 https://blog.cobaltstrike.com/
1 https://blog.cylance.com/the-ghost-dragon
1 https://blog.ensilo.com/uncovering-new-activity-by-apt10
1 https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/
1 https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html
1 https://blog.talosintelligence.com/2019/09/panda-evolution.html
1 https://blogs.cisco.com/security/talos/opening-zxshell
1 https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
1 https://blogs.rsa.com/cat-phishing/
1 https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
1 https://community.rsa.com/thread/185439
1 https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering
1 https://content.fireeye.com/apt-41/rpt-apt41
1 https://content.fireeye.com/m-trends/rpt-m-trends-2019
1 https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/
1 https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/
1 https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
1 https://github.com/smb01/zxshell
2 https://go.crowdstrike.com/rs/281-obq-266/images/reportglobalthreatintelligence.pdf
1 https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html
1 https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/
1 https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html
1 https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A
1 https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
1 https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/
1 https://securelist.com/time-of-death-connected-medicine/84315/
1 https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/
1 https://twitter.com/MrDanPerez/status/1097881406661902337
1 https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
1 https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
1 https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf
1 https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
https://www.cfr.org/interactive/cyber-operations/leviathan
1 https://www.cobaltstrike.com/support
1 https://www.contextis.com/de/blog/avivore
1 https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf
1 https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
1 https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html
1 https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
6 https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
1 https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html
1 https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
1 https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
1 https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
1 https://www.intezer.com/blog-chinaz-relations/
1 https://www.lac.co.jp/lacwatch/people/20171218_001445.html
1 https://www.lac.co.jp/lacwatch/people/20180521_001638.html
1 https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
1 https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/
1 https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
2 https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
1 https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new
1 https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
1 https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/
1 https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf
2 https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
1 https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf
1 https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
1 https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/
1 https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf
1 https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf
1 https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/
1 https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

Credits: MISP Project