S0228 NanHaiShu
NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute. [1][2]
| Item | Value |
|---|---|
| ID | S0228 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 23 June 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | NanHaiShu uses DNS for its C2 communications. [2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | NanHaiShu modifies the %regrun% Registry key to point itself to an autostart mechanism. [2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | NanHaiShu executes additional VBScript code on the victim's machine. [2] |
| enterprise | T1059.007 | JavaScript | NanHaiShu executes additional JScript code on the victim's machine. [2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | NanHaiShu launches a script to delete its original decoy file to cover its tracks. [2] |
| enterprise | T1105 | Ingress Tool Transfer | NanHaiShu can download additional files from URLs. [1] |
| enterprise | T1027 | Obfuscated Files or Information | NanHaiShu encodes files in Base64. [2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | NanHaiShu uses mshta.exe to load its program and files. [2] |
| enterprise | T1082 | System Information Discovery | NanHaiShu can gather the victim computer name and serial number. [1] |
| enterprise | T1016 | System Network Configuration Discovery | NanHaiShu can gather information about the victim's proxy server. [1] |
| enterprise | T1033 | System Owner/User Discovery | NanHaiShu collects the username from the victim. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0065 | Leviathan | [1][3] |
References
1. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
2. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
3. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.