Attacker: Actor – TEMP.Periscope / Leviathan

The threat actor TEMP.Periscope (FireEye) / Leviathan (Proofpoint) has been observed running targeted spear phishing campaigns against maritime and engineering targets. The threat actors appear to be tied to Chinese espionage. The TTPs of this threat actor are what are normally expected from a state sponsored level threat actor. Some of the interesting tools used include “LUNCHMONEY” (FireEye), a utility used to exfiltrate data to Dropbox, and BLACKCOFFEE (FireEye), a tool used to obfuscated data on Microsoft Technet pages as command and control.

Technical analysis of TTPs used by TEMP.Periscope – https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Info on spear phishing campaigns detected attributed to Leviathan. – https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

Proficio Threat Intelligence Recommendations:

  • If the capability is available, ban the hashes of the IOCs identified by FireEye from running in your organization.
  • Consider banning certain cloud storage, such as Dropbox, if it does not have a business case within the organization.

Recent Blog Posts

Stay Ahead of Evolving Threats

Sign up for our free newsletter and receive invaluable threat notifications from our Threat Intelligence team.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.

REQUEST A DEMO

Experience Tomorrow’s
Security Today

Request a Demo and Experience Proficio's
Innovative Solutions in Action.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.