The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months.

Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States.

The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, some of them located in Europe and at least one in Hong Kong.

“The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.” reads the analysis published by security firm FireEye.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit.”

The researchers confirmed that the tactics, techniques, and procedures (TTPs) and the targets of the TEMP.Periscope overlap with ones both TEMP.Jumper and NanHaiShu APT groups.

Researchers at FireEye observed a spike in the activity of TEMP.Periscope that was also associated with the use of a broad range of tools commonly used by other Chinese threat actors.

The arsenal of the crew includes backdoors, reconnaissance tools, webshells, and file stealers.

A first backdoor dubbed BADFLICK, could be used to modify the file system of the infected system, establish a reverse shell, and modifying the command-and-control configuration.

Another backdoor used by the group is dubbed Airbreak, which is a JavaScript-based backdoor (aks “Orz”) that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

Other malware is described in the post published by FireEye.

“PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.” continues the analysis.

“HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56.”

The crews also used the Lunchmoney tool that exfiltrates files to Dropbox and the Murkytop command-line reconnaissance tool.

Recently the group used the China Chopper, a code injection webshell that executes Microsoft .NET code within HTTP POST commands.

The group targeted victims with spear-phishing messaged that use weaponized documents attempting to exploit the CVE-2017-11882 vulnerability to deliver malicious code.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Further details, including the Indicators of Compromise are reported in the analysis published by FireEye.

Pierluigi Paganini

(Security Affairs – TEMP.Periscope, APT)

Share this...

Linkedin Reddit Pinterest

Share On