Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

China-linked Hackers Target Engineering and Maritime Industries

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn’t changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.

Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.

The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.

The first of the backdoors is Airbreak, a JavaScript-based tool that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

A second backdoor is Badflick, which can modify the file system, gene
rate a reverse shell, and modify its command and control (C&C) configuration.

Advertisement. Scroll to continue reading.

Another similar piece of malware is Photo, a DLL backdoor that gets directory, file, and drive listing; creates a reverse shell; records the screen, video, and audio; lists, terminates, and creates processes; creates and modifies registry keys and values; logs keystrokes, returns usernames and passwords from protected storage; and can read, create, and modify files.

The group also used Homefry, a 64-bit Windows password dumper/cracker previously used along with the first two backdoors. Based on received commands, it can either display cleartext credentials for each login session, or can display cleartext credentials, NTLM hashes, and malware version for each login session.

Other tools employed by the hackers include Lunchmoney (which can exfiltrate files to Dropbox) and Murkytop, a command-line reconnaissance tool (which can execute files; move and delete files; schedule remote AT jobs; perform host discovery; scan for open ports in a connected network; and retrieve information about the operating system, users, groups, and shares on remote hosts).

In recent attacks, the group was also observed employing the China Chopper code injection webshell capable of executing Microsoft .NET code within HTTP POST commands (thus, it can upload and download files, execute applications, list directory contents, access Active Directory, access databases, and more).

Previously, the group used the Beacon backdoor (commercially available as part of the Cobalt Strike software platform), and the Blackcoffee backdoor that hides C&C communication as traffic to legitimate websites such as Github and Microsoft’s Technet portal.

The group has been also observed using spear phishing emails; lure documents attempting to exploit CVE-2017-11882 to drop malware; stolen code signing certificates to sign their malware; bitsadmin.exe and PowerShell to download additional tools; and Windows Management Instrumentation (WMI) and Windows Shortcut files (.lnk) for persistence.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Related: Cyber Espionage Targets Interests in South China Sea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.