
G0065 Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company.[5] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.[5][3][6]

ID: G0065
Associated Names: MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope
Version: 3.0
Created: 18 April 2018
Last Modified: 15 April 2022

Associated Group Descriptions

MUDCARP: [5][1]
Kryptonite Panda: [5][2]
Gadolinium: [5][4]
BRONZE MOHAWK: [5][8]
TEMP.Jumper: Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[5][7]
APT40: FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.[5][3][6][7]
TEMP.Periscope: Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.[5][6][7]

Techniques Used

All techniques below are in the Enterprise domain. Sub-techniques are indented under their parent technique; bracketed numbers are the page's reference citations.

T1583 Acquire Infrastructure
  T1583.001 Domains: Leviathan has established domains that impersonate legitimate entities to use for targeting efforts.[5][1]
T1560 Archive Collected Data: Leviathan has archived the victim’s data prior to exfiltration.[5]
T1197 BITS Jobs: Leviathan has used BITSAdmin to download additional tools.[6]
T1547 Boot or Logon Autostart Execution
  T1547.001 Registry Run Keys / Startup Folder: Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[3][6]
  T1547.009 Shortcut Modification: Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[3][6]
T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: Leviathan has used PowerShell for execution.[3][6][5][1]
  T1059.005 Visual Basic: Leviathan has used VBScript.[3]
T1586 Compromise Accounts
  T1586.001 Social Media Accounts: Leviathan has compromised social media accounts to conduct social engineering attacks.[5]
  T1586.002 Email Accounts: Leviathan has compromised email accounts to conduct social engineering attacks.[5]
T1074 Data Staged
  T1074.001 Local Data Staging: Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.[6][5]
  T1074.002 Remote Data Staging: Leviathan has staged data remotely prior to exfiltration.[5]
T1140 Deobfuscate/Decode Files or Information: Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[3]
T1189 Drive-by Compromise: Leviathan has infected victims using watering holes.[5]
T1585 Establish Accounts
  T1585.001 Social Media Accounts: Leviathan has created new social media accounts for targeting efforts.[5]
  T1585.002 Email Accounts: Leviathan has created new email accounts for targeting efforts.[5]
T1546 Event Triggered Execution
  T1546.003 Windows Management Instrumentation Event Subscription: Leviathan has used WMI for persistence.[6]
T1041 Exfiltration Over C2 Channel: Leviathan has exfiltrated data over its C2 channel.[5]
T1567 Exfiltration Over Web Service
  T1567.002 Exfiltration to Cloud Storage: Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[3][6]
T1203 Exploitation for Client Execution: Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[3][6][5][1]
T1133 External Remote Services: Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[5]
T1589 Gather Victim Identity Information
  T1589.001 Credentials: Leviathan has collected compromised credentials to use for targeting efforts.[5]
T1105 Ingress Tool Transfer: Leviathan has downloaded additional scripts and files from adversary-controlled servers.[3][6]
T1559 Inter-Process Communication
  T1559.002 Dynamic Data Exchange: Leviathan has utilized OLE as a method to insert malicious content inside various phishing documents.[1]
T1534 Internal Spearphishing: Leviathan has conducted internal spearphishing within the victim’s environment for lateral movement.[5]
T1027 Obfuscated Files or Information: Leviathan has obfuscated code using base64 and gzip compression.[3]
  T1027.001 Binary Padding: Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[3]
  T1027.003 Steganography: Leviathan has used steganography to hide stolen data inside other files stored on GitHub.[5]
T1003 OS Credential Dumping: Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.[7]
  T1003.001 LSASS Memory: Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[7]
T1566 Phishing
  T1566.001 Spearphishing Attachment: Leviathan has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.[3][5]
  T1566.002 Spearphishing Link: Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[3][5]
T1055 Process Injection
  T1055.001 Dynamic-link Library Injection: Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.[1]
T1572 Protocol Tunneling: Leviathan has used protocol tunneling to further conceal C2 communications and infrastructure.[5]
T1090 Proxy
  T1090.003 Multi-hop Proxy: Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[5]
T1021 Remote Services
  T1021.001 Remote Desktop Protocol: Leviathan has targeted RDP credentials and used them to move through the victim environment.[7]
  T1021.004 SSH: Leviathan has used SSH for internal reconnaissance.[7]
T1505 Server Software Component
  T1505.003 Web Shell: Leviathan relies on web shells for an initial foothold as well as persistence in the victim’s systems.[7][5]
T1553 Subvert Trust Controls
  T1553.002 Code Signing: Leviathan has used stolen code signing certificates to sign malware.[6][7]
T1218 System Binary Proxy Execution
  T1218.010 Regsvr32: Leviathan has used regsvr32 for execution.[3]
T1204 User Execution
  T1204.001 Malicious Link: Leviathan has sent spearphishing email links attempting to get a user to click.[3][5]
  T1204.002 Malicious File: Leviathan has sent spearphishing attachments attempting to get a user to click.[3][5]
T1078 Valid Accounts: Leviathan has obtained valid accounts to gain initial access.[5][1]
T1102 Web Service
  T1102.003 One-Way Communication: Leviathan has received C2 instructions from user profiles created on legitimate websites such as GitHub and TechNet.[6]
T1047 Windows Management Instrumentation: Leviathan has used WMI for execution.[3]

Software

Each entry gives the software ID, name, reference citations in brackets, and the techniques the software implements (listed as Sub-technique:Parent technique, or the technique name alone where there is no sub-technique).

S0110 at [7]: At:Scheduled Task/Job
S0642 BADFLICK [6][1]: Archive via Library:Archive Collected Data, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Spearphishing Attachment:Phishing, System Information Discovery, System Network Configuration Discovery, Malicious File:User Execution, Time Based Evasion:Virtualization/Sandbox Evasion
S0190 BITSAdmin [6]: BITS Jobs, Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [6]: Windows Command Shell:Command and Scripting Interpreter, File and Directory Discovery, File Deletion:Indicator Removal, Multi-Stage Channels, Process Discovery, Dead Drop Resolver:Web Service, Bidirectional Communication:Web Service
S0020 China Chopper [6][5][1]: Web Protocols:Application Layer Protocol, Password Guessing:Brute Force, Windows Command Shell:Command and Scripting Interpreter, Data from Local System, File and Directory Discovery, Timestomp:Indicator Removal, Ingress Tool Transfer, Network Service Discovery, Software Packing:Obfuscated Files or Information, Web Shell:Server Software Component
S0154 Cobalt Strike [3][6][5]: Sudo and Sudo Caching:Abuse Elevation Control Mechanism, Bypass User Account Control:Abuse Elevation Control Mechanism, Token Impersonation/Theft:Access Token Manipulation, Make and Impersonate Token:Access Token Manipulation, Parent PID Spoofing:Access Token Manipulation, Domain Account:Account Discovery, Web Protocols:Application Layer Protocol, DNS:Application Layer Protocol, Application Layer Protocol, BITS Jobs, Browser Session Hijacking, Visual Basic:Command and Scripting Interpreter, Python:Command and Scripting Interpreter, JavaScript:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, Windows Service:Create or Modify System Process, Standard Encoding:Data Encoding, Data from Local System, Protocol Impersonation:Data Obfuscation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Asymmetric Cryptography:Encrypted Channel, Symmetric Cryptography:Encrypted Channel, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Process Argument Spoofing:Hide Artifacts, Disable or Modify Tools:Impair Defenses, Timestomp:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Indicator Removal from Tools:Obfuscated Files or Information, Obfuscated Files or Information, Office Template Macros:Office Application Startup, Security Account Manager:OS Credential Dumping, LSASS Memory:OS Credential Dumping, Local Groups:Permission Groups Discovery, Domain Groups:Permission Groups Discovery, Process Discovery, Process Hollowing:Process Injection, Process Injection, Dynamic-link Library Injection:Process Injection, Protocol Tunneling, Domain Fronting:Proxy, Internal Proxy:Proxy, Query Registry, Reflective Code Loading, Windows Remote Management:Remote Services, SMB/Windows Admin Shares:Remote Services, SSH:Remote Services, Remote Desktop Protocol:Remote Services, Distributed Component Object Model:Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Code Signing:Subvert Trust Controls, Rundll32:System Binary Proxy Execution, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Service Execution:System Services, Pass the Hash:Use Alternate Authentication Material, Domain Accounts:Valid Accounts, Local Accounts:Valid Accounts, Windows Management Instrumentation
S0021 Derusbi [6][5]: Audio Capture, Unix Shell:Command and Scripting Interpreter, Symmetric Cryptography:Encrypted Channel, Fallback Channels, File and Directory Discovery, File Deletion:Indicator Removal, Timestomp:Indicator Removal, Keylogging:Input Capture, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Dynamic-link Library Injection:Process Injection, Query Registry, Screen Capture, Regsvr32:System Binary Proxy Execution, System Information Discovery, System Owner/User Discovery, Video Capture
S0363 Empire [5]: Bypass User Account Control:Abuse Elevation Control Mechanism, Access Token Manipulation, SID-History Injection:Access Token Manipulation, Create Process with Token:Access Token Manipulation, Domain Account:Account Discovery, Local Account:Account Discovery, LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle, Web Protocols:Application Layer Protocol, Archive Collected Data, Automated Collection, Automated Exfiltration, Shortcut Modification:Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Security Support Provider:Boot or Logon Autostart Execution, Browser Information Discovery, Clipboard Data, PowerShell:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, Command and Scripting Interpreter, Domain Account:Create Account, Local Account:Create Account, Windows Service:Create or Modify System Process, Credentials from Web Browsers:Credentials from Password Stores, Group Policy Modification:Domain Policy Modification, Domain Trust Discovery, Local Email Collection:Email Collection, Asymmetric Cryptography:Encrypted Channel, Accessibility Features:Event Triggered Execution, Exfiltration Over C2 Channel, Exfiltration to Code Repository:Exfiltration Over Web Service, Exfiltration to Cloud Storage:Exfiltration Over Web Service, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Path Interception by Search Order Hijacking:Hijack Execution Flow, Dylib Hijacking:Hijack Execution Flow, Path Interception by Unquoted Path:Hijack Execution Flow, DLL Search Order Hijacking:Hijack Execution Flow, Path Interception by PATH Environment Variable:Hijack Execution Flow, Timestomp:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Credential API Hooking:Input Capture, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Command Obfuscation:Obfuscated Files or Information, LSASS Memory:OS Credential Dumping, Process Discovery, Process Injection, Distributed Component Object Model:Remote Services, SSH:Remote Services, Scheduled Task:Scheduled Task/Job, Screen Capture, Security Software Discovery:Software Discovery, Kerberoasting:Steal or Forge Kerberos Tickets, Silver Ticket:Steal or Forge Kerberos Tickets, Golden Ticket:Steal or Forge Kerberos Tickets, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Service Execution:System Services, MSBuild:Trusted Developer Utilities Proxy Execution, Credentials In Files:Unsecured Credentials, Private Keys:Unsecured Credentials, Pass the Hash:Use Alternate Authentication Material, Video Capture, Bidirectional Communication:Web Service, Windows Management Instrumentation
S0032 gh0st RAT [5]: Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Command and Scripting Interpreter, Windows Service:Create or Modify System Process, Standard Encoding:Data Encoding, Deobfuscate/Decode Files or Information, Fast Flux DNS:Dynamic Resolution, Symmetric Cryptography:Encrypted Channel, Encrypted Channel, DLL Side-Loading:Hijack Execution Flow, Clear Windows Event Logs:Indicator Removal, File Deletion:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, Rundll32:System Binary Proxy Execution, System Information Discovery, Service Execution:System Services
S0232 HOMEFRY [6]: Windows Command Shell:Command and Scripting Interpreter, Obfuscated Files or Information, OS Credential Dumping
S0233 MURKYTOP [6][5]: Local Account:Account Discovery, Windows Command Shell:Command and Scripting Interpreter, File Deletion:Indicator Removal, Network Service Discovery, Network Share Discovery, Permission Groups Discovery, Remote System Discovery, At:Scheduled Task/Job, System Information Discovery
S0228 NanHaiShu [3][5]: DNS:Application Layer Protocol, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Visual Basic:Command and Scripting Interpreter, JavaScript:Command and Scripting Interpreter, Disable or Modify Tools:Impair Defenses, File Deletion:Indicator Removal, Ingress Tool Transfer, Obfuscated Files or Information, Mshta:System Binary Proxy Execution, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [7]: Domain Account:Account Discovery, Local Account:Account Discovery, Local Account:Create Account, Domain Account:Create Account, Network Share Connection Removal:Indicator Removal, Network Share Discovery, Password Policy Discovery, Local Groups:Permission Groups Discovery, Domain Groups:Permission Groups Discovery, SMB/Windows Admin Shares:Remote Services, Remote System Discovery, System Network Connections Discovery, System Service Discovery, Service Execution:System Services, System Time Discovery
S0229 Orz [3][5][1]: Windows Command Shell:Command and Scripting Interpreter, File and Directory Discovery, Indicator Removal, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Process Hollowing:Process Injection, Software Discovery, Regsvr32:System Binary Proxy Execution, System Information Discovery, System Network Configuration Discovery, Bidirectional Communication:Web Service
S0194 PowerSploit [5]: Access Token Manipulation, Local Account:Account Discovery, Audio Capture, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Security Support Provider:Boot or Logon Autostart Execution, PowerShell:Command and Scripting Interpreter, Windows Service:Create or Modify System Process, Windows Credential Manager:Credentials from Password Stores, Data from Local System, Domain Trust Discovery, DLL Search Order Hijacking:Hijack Execution Flow, Path Interception by Unquoted Path:Hijack Execution Flow, Path Interception by Search Order Hijacking:Hijack Execution Flow, Path Interception by PATH Environment Variable:Hijack Execution Flow, Keylogging:Input Capture, Indicator Removal from Tools:Obfuscated Files or Information, Command Obfuscation:Obfuscated Files or Information, LSASS Memory:OS Credential Dumping, Process Discovery, Dynamic-link Library Injection:Process Injection, Query Registry, Reflective Code Loading, Scheduled Task:Scheduled Task/Job, Screen Capture, Kerberoasting:Steal or Forge Kerberos Tickets, Credentials in Registry:Unsecured Credentials, Group Policy Preferences:Unsecured Credentials, Windows Management Instrumentation
S0183 Tor [5]: Asymmetric Cryptography:Encrypted Channel, Multi-hop Proxy:Proxy
S0005 Windows Credential Editor [7]: LSASS Memory:OS Credential Dumping

References