The threat actor TEMP.Periscope (FireEye) / Leviathan (Proofpoint) has been observed running targeted spear-phishing campaigns against maritime and engineering targets. The threat actors appear to be tied to Chinese espionage. The TTPs of this threat actor are what is normally expected from a state-sponsored-level threat actor. Some of the interesting tools used include “LUNCHMONEY” (FireEye), a utility used to exfiltrate data to Dropbox, and BLACKCOFFEE (FireEye), a tool that uses obfuscated data hidden on Microsoft TechNet pages for its command and control.
Technical analysis of TTPs used by TEMP.Periscope – https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
Info on detected spear-phishing campaigns attributed to Leviathan – https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
Technical information on the BLACKCOFFEE tool. – https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html
Proficio Threat Intelligence Recommendations:
- If the capability is available, block execution of files matching the IOC hashes identified by FireEye across your organization.
- Consider blocking cloud storage services such as Dropbox where there is no business case for them within the organization.
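As an added example (not code from Proficio, FireEye or Proofpoint), the following Python script triages constructed web-proxy log lines for the two behaviours described above: bulk POSTs to Dropbox from hosts without an approved business case, and TechNet page fetches by clients that do not present a common browser user agent. The log format, threshold, allowlist and user-agent heuristic are all assumptions.

```python
"""Proxy-log triage for the two behaviours in this note: bulk uploads to
Dropbox (exfiltration, as with LUNCHMONEY) and TechNet fetches by non-browser
clients (dead-drop style C2 lookups, as with BLACKCOFFEE).
Log lines, field layout, thresholds and allowlists are all constructed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log format: client_ip method url bytes_out user_agent
PROXY_LOG = """\
10.0.1.15 POST https://content.dropboxapi.com/2/files/upload 52428800 python-requests/2.18
10.0.1.15 POST https://content.dropboxapi.com/2/files/upload 73400320 python-requests/2.18
10.0.1.22 POST https://content.dropboxapi.com/2/files/upload 104857600 Mozilla/5.0 (Windows NT 10.0) Chrome/64.0
10.0.1.40 GET https://social.technet.microsoft.com/Forums/en-US/thread-a 0 CustomAgent/1.0 (constructed)
10.0.1.40 GET https://social.technet.microsoft.com/Forums/en-US/thread-a 0 CustomAgent/1.0 (constructed)
10.0.1.50 GET https://social.technet.microsoft.com/Forums/en-US/thread-a 0 Mozilla/5.0 (Windows NT 10.0) Chrome/64.0
"""
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
TECHNET_DOMAINS = ("technet.microsoft.com",)
APPROVED_DROPBOX_HOSTS = {"10.0.1.22"}      # hosts with a documented business case (constructed)
UPLOAD_THRESHOLD = 50 * 1024 * 1024          # 50 MiB per host; constructed threshold
BROWSER_TOKENS = ("Chrome/", "Firefox/", "Edge/", "Safari/")  # heuristic, an assumption

def parse(log):
    """Yield (client_ip, method, hostname, bytes_out, user_agent) per line."""
    for line in log.splitlines():
        ip, method, url, size, ua = line.split(" ", 4)
        yield ip, method, urlparse(url).hostname, int(size), ua

def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(log):
    """Return hosts whose Dropbox upload volume exceeds the threshold without an
    approved business case, and hosts fetching TechNet with a non-browser agent."""
    uploads = defaultdict(int)
    technet_hits = set()
    for ip, method, host, size, ua in parse(log):
        if (host_matches(host, DROPBOX_DOMAINS) and method == "POST"
                and ip not in APPROVED_DROPBOX_HOSTS):
            uploads[ip] += size
        if host_matches(host, TECHNET_DOMAINS) and not any(t in ua for t in BROWSER_TOKENS):
            technet_hits.add(ip)
    exfil = sorted(ip for ip, total in uploads.items() if total >= UPLOAD_THRESHOLD)
    return {"dropbox_exfil": exfil, "technet_nonbrowser": sorted(technet_hits)}

if __name__ == "__main__":
    print(triage(PROXY_LOG))
```

Hosts flagged under `dropbox_exfil` are candidates for the Dropbox-blocking recommendation above; `technet_nonbrowser` hits warrant a look at which process on the endpoint made the request.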