
Attacker: Actor – TEMP.Periscope / Leviathan

The threat actor TEMP.Periscope (FireEye) / Leviathan (Proofpoint) has been observed running targeted spear phishing campaigns against maritime and engineering targets. The threat actor appears to be tied to Chinese espionage. Its TTPs are what would normally be expected from a state-sponsored threat actor. Some of the more interesting tools used include “LUNCHMONEY” (FireEye), a utility used to exfiltrate data to Dropbox, and BLACKCOFFEE (FireEye), a tool that hides obfuscated command and control data on Microsoft Technet pages.

Technical analysis of TTPs used by TEMP.Periscope –

Info on spear phishing campaigns detected attributed to Leviathan. –

Technical information on the BLACKCOFFEE tool. –

Proficio Threat Intelligence Recommendations:

  • If the capability is available, block execution of files matching the hashes of the IOCs identified by FireEye across your organization.
  • Consider blocking certain cloud storage services, such as Dropbox, if there is no business case for them within the organization.
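As an added example (not code from the original post or from Proficio), the two recommendations above as simple checks in Python: a SHA-256 comparison against a hash blocklist, and a sweep over proxy-log lines for large uploads to Dropbox from hosts that have no approved business case. The blocklist entries, the allowlist and the log lines are constructed placeholders; the real hashes would be the FireEye IOCs.

```python
import hashlib
import re

# Constructed placeholder blocklist; substitute the SHA-256 IOCs published by FireEye.
BLOCKED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Constructed allowlist: hosts with an approved business case for Dropbox.
DROPBOX_APPROVED_HOSTS = {"10.0.5.21"}

# Matches dropbox.com, dropboxapi.com and dropboxusercontent.com plus subdomains.
DROPBOX_DOMAIN_RE = re.compile(r"(^|\.)dropbox(api|usercontent)?\.com$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes (read the file in binary mode first)."""
    return hashlib.sha256(data).hexdigest()


def is_blocked(data: bytes, blocklist=BLOCKED_SHA256) -> bool:
    """True if the bytes hash to an entry in the blocklist."""
    return sha256_hex(data) in blocklist


# Constructed proxy log lines: "<client_ip> <method> <host> <bytes_sent>"
SAMPLE_PROXY_LOG = """\
10.0.5.21 POST content.dropboxapi.com 48213000
10.0.7.14 POST content.dropboxapi.com 912000000
10.0.7.14 GET www.example.com 1200
10.0.9.3 GET dl.dropboxusercontent.com 5400
"""


def flag_dropbox_uploads(log_text: str, min_bytes: int = 1_000_000):
    """Return (client_ip, host, bytes_sent) for POSTs to Dropbox domains from
    hosts outside the allowlist that sent at least min_bytes."""
    hits = []
    for line in log_text.splitlines():
        client, method, host, sent = line.split()
        if method != "POST" or not DROPBOX_DOMAIN_RE.search(host):
            continue  # not an upload to Dropbox
        if client in DROPBOX_APPROVED_HOSTS or int(sent) < min_bytes:
            continue  # approved host, or too small to be interesting
        hits.append((client, host, int(sent)))
    return hits
```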