Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

China-linked Hackers Target Engineering and Maritime Industries

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn’t changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.

Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.

The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.

The first of the backdoors is Airbreak, a JavaScript-based tool that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

A second backdoor is Badflick, which can modify the file system, gene
rate a reverse shell, and modify its command and control (C&C) configuration.

Another similar piece of malware is Photo, a DLL backdoor that gets directory, file, and drive listing; creates a reverse shell; records the screen, video, and audio; lists, terminates, and creates processes; creates and modifies registry keys and values; logs keystrokes, returns usernames and passwords from protected storage; and can read, create, and modify files.

The group also used Homefry, a 64-bit Windows password dumper/cracker previously used along with the first two backdoors. Based on received commands, it can either display cleartext credentials for each login session, or can display cleartext credentials, NTLM hashes, and malware version for each login session.

Other tools employed by the hackers include Lunchmoney (which can exfiltrate files to Dropbox) and Murkytop, a command-line reconnaissance tool (which can execute files; move and delete files; schedule remote AT jobs; perform host discovery; scan for open ports in a connected network; and retrieve information about the operating system, users, groups, and shares on remote hosts).

In recent attacks, the group was also observed employing the China Chopper code injection webshell capable of executing Microsoft .NET code within HTTP POST commands (thus, it can upload and download files, execute applications, list directory contents, access Active Directory, access databases, and more).

Previously, the group used the Beacon backdoor (commercially available as part of the Cobalt Strike software platform), and the Blackcoffee backdoor that hides C&C communication as traffic to legitimate websites such as Github and Microsoft’s Technet portal.

The group has been also observed using spear phishing emails; lure documents attempting to exploit CVE-2017-11882 to drop malware; stolen code signing certificates to sign their malware; bitsadmin.exe and PowerShell to download additional tools; and Windows Management Instrumentation (WMI) and Windows Shortcut files (.lnk) for persistence.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Related: Cyber Espionage Targets Interests in South China Sea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Cybercrime

Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.