# Leviathan: Espionage actor spearphishes maritime and defense targets

[proofpoint.com/us/threat‑insight/post/leviathan‑espionage‑actor‑spearphishes‑maritime‑and‑defense‑targets](https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets)

October 17, 2017

Overview

Proofpoint researchers are tracking an espionage actor targeting organizations and high‑value targets in
defense and government. Active since at least 2014, this actor has long‑standing interest in maritime industries,
naval defense contractors, and associated research institutions in the United States and Western Europe.

Key takeaways from this research include:

Industry targeting: The actor targets defense contractors, universities (particularly those with military
research ties), legal organizations [3] and government agencies [3]. The actor has particular interest in
naval industries including shipbuilding and related research
Geographical targeting: Targeting includes United States, Western Europe, and South China Sea
Tools: Custom JavaScript [malware known as “Orz” and “NanHaiShu”, Cobalt Strike, the SeDll JavaScript](https://www.proofpoint.com/us/threat-reference/malware)
loader, and MockDll dll loader
Delivery: Emailed attachments and URLs, often employing a fraudulent lookalike domain and stolen
branding
Exploitation: Microsoft Excel and Word documents with macros (sometimes password‑protected), very
recent vulnerabilities such as [CVE‑2017‑0199 and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199) [CVE‑2017‑8759, and malicious Microsoft Publisher](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759)
files
Installation: JavaScript, JavaScript Scriptlets in XML, HTA, PowerShell, WMI, regsvr32, Squiblydoo
Lateral Movement: The actor sometimes utilizes access at one compromised organization to attack the
next. For example, compromised email accounts at one organization were used to send the next wave of
malicious attachments to potential victims in the same industry. Similarly the actor attempts to
compromise servers within victim organizations and use them for command and control (C&C) for their
malware.

This blog traces key activities connected to this actor and examines a number of their tools and techniques.
Campaigns and details are presented in reverse chronological order to highlight the group’s most recent
activities.

Delivery and Exploitation

September 2017

On September 15 and 19, 2017, Proofpoint detected and blocked [spearphishing emails from this group targeting](https://www.proofpoint.com/us/threat-reference/spear-phishing)
a US shipbuilding company and a US university research center with military ties. Example emails used the
subject “Apply for internship position” and contained an attachment “resume.rtf”. Another attachment,
“ARLUAS_FieldLog_2017‑08‑21.doc” contained a “Torpedo recovery experiment” lure. The attachments
exploited CVE 2017 8759 which was discovered and documented only five days prior to the campaign [1]


-----

Figure 1: Example attachment resume.rtf from September 2017 campaign

August 2017

Between August 2 and 4, the actor sent targeted spearphishing emails containing malicious URLs linking to
documents to multiple defense contractors. Some of this activity was documented and observed by a fellow
researcher [2]. Many of the documents, C&C domains, and payload domains abused the brand of a major
provider of ships, submarines, and other vessels with military applications. Some of the documents exploited
CVE‑2017‑0199 to deliver the payload.

Figure 2: One of the documents involved in the campaign used Microsoft licensing lures purporting to be
from a well‑known shipbuilder (sha256:
6f6ee01e9dc2d8c4c260ef4131fe88dc152e53ee8afd3e66e92d4e1bf5fd2e92).

Other documents were Microsoft Publisher files that relied on social engineering. The potential victims were
lured into starting an embedded PowerPoint presentation, moving the mouse to trigger execution of an
embedded JavaScript [5], and then pressing “Enable” in a warning dialog to cause the payload download. The
Publisher files were poorly crafted, relied on multiple user interactions, and contained multiple grammatical and
typographic errors.


-----

Figure 3: Publisher document delivered via a link in email is in Italian, and is a simple reuse of a
student’swork.

February 2015

From February to October of 2015, our colleagues at F‑Secure and McAfee reported on campaigns [3][4] by this
actor targeting South China Sea interests. During this time, the group utilized Microsoft Excel and Word
documents with macros to target the Philippines Department of Justice, APEC organizers, and an international
law firm. Targeting of these companies is different from that which we typically observe for this actor; however it
still centers around marine and naval issues as related to South China sea politics.

Figure 4: Example attachment “DOJ Staff bonus January 13, 2015.xls”. Similar to this document attachment,
most of the attachments in this campaign did not contain meaningful content

November 2014

The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint
observed persistent exploitation attempts by this actor. The actor generally emailed Microsoft Excel documents
with malicious macros to US universities with military interests, most frequently related to the Navy. The actor
also occasionally used macro‑laden Microsoft Word documents to target other US research and development
organizations with military and intelligence ties during this period.

Emails were often very simple with a greeting and an attachment. On other occasions, it appears that the
attackers used highly topical lures based on current events or legitimate documents stolen from previous
victims. Lure topics included symposia, the Navy, IT, and relevant research.


-----

Figure 5: Example Excel attachment “2014 Accomplishments Input Template.xls”

Installation

The actor continues to:

Innovate and modify the code that accomplishes the installation, while the backdoor code remains more
static
Use scripting languages such as JavaScript, JavaScript Scriptlets, VBScript, and XML
Use simple obfuscation such as base64, gzip compression, and insertion of garbage characters
Split functionality of the backdoor & code that establishes persistence for the backdoor into separate files
and scripts

Example 1: Resume.rtf

The “resume.rtf” file from the September 19, 2017 attack retrieves the malicious SOAP WSDL definition named
“readme.txt “ using an anonymous FTP logon to the attacker’s server.

Figure 6: SOAP WSDL definition (“readme.txt “)

This definition in turn downloads a VBScript favicon.ico file, which then creates and runs two JavaScript files in
the %TMP% directory:


-----

The job of the smaller of the two JavaScripts is to establish a system autostart mechanism. It accomplishes this
by deobfuscating another script, link.js, into %TMP%. Link.js in turn creates a shortcut file "Java(TM) Platform
SE Auto Updater.lnk" in the "Startup" special folder pointing to the main backdoor JavaScript.

Figure 8: Code for establishing persistence after reboot (autostart mechanism)

The job of the larger of the two JavaScripts is to download and execute the Cobalt Strike payload. It
accomplishes this by writing more code to rWug5n0PHUFjDFyb8k.js in the temporary directory, which then runs
a PowerShell command (obfuscated using garbage characters, base64 encoding, and Gzip compression). The
PowerShell is a default Cobalt Strike downloader.

Figure 9: PowerShell code downloading Cobalt Strike

Example 2: Malicious Microsoft Publisher document

The malicious script executed by the Microsoft Publisher file downloads and runs yet another JavaScript file,
0.js, hosted on the attacker‑controlled server:

Figure 10: Malicious script executed by the Microsoft Publisher file (sha256:
305f331bfb1e97028f8c92cbcb1dff2741dcddacc76843e65f9b1ec5a66f52bc)


-----

Similar to the previous example (resume.rtf), the 0.js handles the system autostart mechanism via a shortcut file
"office 365.lnk" in the "Startup" special folder. However, the shortcut abuses the “Squiblydoo” technique [6].
Moreover, the backdoor is not run directly but via an intermediary SeDll (see below).

0.js also downloads two additional files from the C&C server (green.ddd and green.tmp) The first of these files,
green.ddd, is an executable file internally named “SEDll_Win32.dll”. This is a known backdoor used by this actor
since 2014 for the same purpose: decrypting and executing the final JavaScript backdoor “Orz”.

Tools

NanHaiShu

We have observed variants of this JavaScript backdoor used in various campaigns, including those publically
reported. The actor continues to improve and refine the malware by, for example, wrapping it inside an HTA
wrapper. Several good descriptions are available in analyses from fellow researchers [3][4]. Basic functionality
includes:

Information gathering (computer name, user name, serial number, proxy server)
Downloading from URL
Executing other JavaScript
Registry, system, process, directory, file operations
SafeIE (change IE settings to reduce warnings about about malware activity)

Figure 11: Screenshot from 2015 version of the malware dropped by “DOJ Staff bonus January 13, 2015.xls”

Orz

We observed this backdoor in an August 2017 campaign dropped by the Microsoft Publisher files, as well as
much earlier in 2014. We named it due to a variable name “orz”, which is changed to “core” in the more recent
version. The actor consistently tweaks and improves this backdoor as well. The backdoor is a fairly involved
script malware. Its functionality includes:

Information gathering (IE version, OS version, OS 64‑bit/32‑bit, etc)
Overwriting registry settings to reduce malware visibility on system
Download file
Upload file
Execute a command with cscript
Execute JavaScript
Execute shell command
Execute a dll (via an embedded ‘MockDll')
Get proxy info
G t li t


-----

GET request to a URL
POST request to a URL

Figure 12: Snippet of the Orz backdoor code delivered by the the Microsoft Publisher document. The URL
domain is a fraudulent lookalike domain.

There is an extensive configuration section at the top of the script. The "jmpUrlList" provides the initial C&C
servers, which are used to determine the secondary C&C server as well as additional commands to execute. It is
worth noting that the secondary C&C may be the same as the first. We have observed attacker‑controlled web
servers, compromised victim web servers, and Technet and Pastebin web pages used for the initial C&C.

The initial C&C response is parsed with a regex. The backdoor first looks for the secondary encoded C&C server
using the "jmpRegex" regex. Next, the backdoor looks for additional code to execute using the "codeRegex"
regex. For additional code, we observed simple code blocks that provide a different upload/download
functionality.

Figure 13: The encoded response "vcmQx3ELgTyTyOVSvsm7wrBKwraFw8VFwCuL" in the image above
decodes to "hxxp://www.vitaminmain[.]info" which is the secondary C&C server for an older backdoor variant
(Decoder provided in Appendix).

MockDll

Some versions of the Orz backdoor have 32‑ and 64‑bit embedded DLLs, stored internally as base64 strings.


-----

like that shown in Figure 14:

Figure 14: MockDll configuration file

mock: defaults to 'regsvr32'

real: the dll, which is the ultimate goal to execute

args: arguments to the dll that will be executed, if any

outf: file in which to write results of the MockDll run

time: timeout defaults to 5

After the configuration file is created, the MockDll is executed with regsvr32. MockDll reads the mentioned .ini
config file to determine what to execute. It can log its execution results into a file specified by the “outf”
parameter, as shown in Figure 15:

Figure 15: Contents of the log file created by MockDll

SeDll

This DLL is used for decrypting and executing another JavaScript backdoor such as Orz. The DLL is registered
by the installer using regsvr32. The DllRegisterServer export is then called, which performs checks on the
commandline parameter. If the string “DR” is passed as an argument, or if the DLL is running in the active
session with a username that is not “system”, the final JavaScript backdoor is decoded using a custom base64
alphabet. This backdoor has to be present in the same directory as the dll, with a “.tmp” file extension. The
backdoor script is then executed using the IActiveScript and IActiveScriptParse32 COM interfaces.

Figure 16: Decoding and executing of the JavaScript backdoor

If those conditions are not met, it runs the following command line “"regsvr32 /s \"%s\" DR __CIM__"” to register
the DLL, where %s is the path to the DLL. It tries to do this with the current user privileges, but if the privileges
cannot be adjusted it defaults to the available execution environment.

Cobalt Strike

This is a penetration testing tool. The attackers often abuse the free trial version.


-----

This actor, whose espionage activities primarily focus on targets in the US and Western Europe with military ties,
has been active since at least 2014. The tools, techniques, and targets consistently connect their work,
particular given their attention to naval and maritime defense interests and use of custom backdoors. While
defense contractors and academic research centers with military ties should always be cognizant of the
potential for cyberattacks, organizations fitting their targeting profiles should be especially wary of legitimate‑
looking but unsolicited emails from outside entities. Appropriate layered defenses at the firewall, email gateway,
and endpoint can all help prevent the kinds of lateral movement we have observed with this actor, as well as the
compromise and abuse of systems via which this group expands its attack surface to other organizations.

References

[1] [https://www.fireeye.com/blog/threat‑research/2017/09/zero‑day‑used‑to‑distribute‑finspy.html](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html)

[2] [https://twitter.com/James_inthe_box/status/893525493059788800](https://twitter.com/James_inthe_box/status/893525493059788800)

[3] [https://labsblog.f‑secure.com/2016/08/04/nanhaishu‑rating‑the‑south‑china‑sea/](https://labsblog.f-secure.com/2016/08/04/nanhaishu-rating-the-south-china-sea/)

[4] https://community.spiceworks.com/topic/1028936‑stealthy‑cyberespionage‑campaign‑attacks‑with‑social‑
engineering

[5] [http://blog.trendmicro.com/trendlabs‑security‑intelligence/mouseover‑otlard‑gootkit/](http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard-gootkit/)

[6] https://www.carbonblack.com/2016/04/28/threat‑advisory‑squiblydoo‑continues‑trend‑of‑attackers‑using‑
native‑os‑tools‑to‑live‑off‑the‑land/

Indicators of Compromise (IOCs)

IOC IOC Description
Type

cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f SHA256 Resume.rtf exploiting CVE‑
2017‑8759 (Sep 19, 2017)

c7fa6f27ec4f4142ae591f2dd7c63d046431945f03c87dbed88d79f55180a46d SHA256 ARLUAS_FieldLog_2017‑08‑
21.doc exploiting CVE‑2017‑
8759 (Sep 19, 2017)

ftp://185.106.120[.]206/pub/readme.txt URL Resume.rtf downloading
scripts (Sep 19, 2017)

hxxp://185.106.120[.]206/favicon.ico URL Resume.rtf downloading
scripts (Sep 19, 2017)

39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36 SHA256 Favicon.ico (Sep 19, 2017)

5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362 SHA256 Cobalt Strike (Sep 19, 2017)

ced7ca9625543d3d3d09f70223cc19f0d99e21792854452df5ba84b3a59d17b8 SHA256 20170720_final_pm_app‑
2.doc (August
2017)Document hash
(August 2017)

305f331bfb1e97028f8c92cbcb1dff2741dcddacc76843e65f9b1ec5a66f52bc SHA256 Publisher hash (August
2017)

bfc5c6817ff2cc4f3cd40f649e10cc9ae1e52139f35fdddbd32cb4d221368922 SHA256 MockDll 32‑bit (August
2017)

|IOC|IOC Type|Description|
|---|---|---|
|cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f|SHA256|Resume.rtf exploiting CVE‑ 2017‑8759 (Sep 19, 2017)|
|c7fa6f27ec4f4142ae591f2dd7c63d046431945f03c87dbed88d79f55180a46d|SHA256|ARLUAS_FieldLog_2017‑08‑ 21.doc exploiting CVE‑2017‑ 8759 (Sep 19, 2017)|
|ftp://185.106.120[.]206/pub/readme.txt|URL|Resume.rtf downloading scripts (Sep 19, 2017)|
|hxxp://185.106.120[.]206/favicon.ico|URL|Resume.rtf downloading scripts (Sep 19, 2017)|
|39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36|SHA256|Favicon.ico (Sep 19, 2017)|
|5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362|SHA256|Cobalt Strike (Sep 19, 2017)|
|ced7ca9625543d3d3d09f70223cc19f0d99e21792854452df5ba84b3a59d17b8|SHA256|20170720_final_pm_app‑ 2.doc (August 2017)Document hash (August 2017)|
|305f331bfb1e97028f8c92cbcb1dff2741dcddacc76843e65f9b1ec5a66f52bc|SHA256|Publisher hash (August 2017)|


-----

|80b931ab1798d7d8a8d63411861cee07e31bb9a68f595f579e11d3817cfc4aca|SHA256|MockDll 32‑bit (August 2017)|
|---|---|---|
|146aa9a0ec013aa5bdba9ea9d29f59d48d43bc17c6a20b74bb8c521dbb5bc6f4|SHA256|green.ddd SeDll (August 2017)|
|4029b43c7febd05e8bf013c1022244aaa238341ca44bbce2250667614c1a4932|SHA256|2014 Accomplishments Input Template.xls (December 2014)|
|hxxp://www.vitaminmain[.]info|URL|Orz secondary C2 (December 2014)|


ET and ETPRO Suricata/Snort Coverage

2024192 | ET EXPLOIT Possible CVE‑2017‑0199 HTA Inbound

2024196 | ET WEB_CLIENT HTA File containing Wscript.Shell Call ‑ Potential CVE‑2017‑0199

2022520 | ET POLICY Possible HTA Application Download

2024197 | ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE‑2017‑0199)

2024449 | ET CURRENT_EVENTS SUSPICIOUS Possible CVE‑2017‑0199 IE7/NoCookie/Referer HTA dl

2814013 | ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert

2023629 | ET INFO Suspicious Empty SSL Certificate ‑ Observed in Cobalt Strike

2810628 | ETPRO TROJAN JavaScript Backdoor CnC Beacon M2 (b64 3)

2828317 | ETPRO TROJAN Orz JavaScript Backdoor Communicating with CnC

2828316 | ETPRO TROJAN Orz JavaScript Backdoor Sending Password to CnC

Appendix: Orz Traffic Decoder

var _keyStr = "oMZF/W42VkcCbqOiPSajhnKtQws8NRAxr16XJpu=0mgE3THGLlvz9+5BDYd7feyUI";

function decode (input) {

var output = "";

var chr1, chr2, chr3;

var enc1, enc2, enc3, enc4;

var i = 0;

input = input.replace(/[^A‑Za‑z0‑9\+\/\=]/g, "");

while (i < input.length) {

enc1 = this._keyStr.indexOf(input.charAt(i++));

enc2 = this._keyStr.indexOf(input.charAt(i++));

enc3 = this._keyStr.indexOf(input.charAt(i++));

enc4 = this._keyStr.indexOf(input.charAt(i++));

chr1 = (enc1 << 2) | (enc2 >> 4);


-----

output = output + String.fromCharCode(chr1);

if (enc3 != 64) {

output = output + String.fromCharCode(chr2);

}

if (enc4 != 64) {

output = output + String.fromCharCode(chr3);

}

}

output = this._utf8_decode(output);

return output;

}

function _utf8_decode (utftext) {

var string = "";

var i = 0;

var c = c1 = c2 = 0;

while ( i < utftext.length ) {

c = utftext.charCodeAt(i);

if (c < 128) {

string += String.fromCharCode(c);

i++;

} else if((c > 191) && (c < 224)) {

c2 = utftext.charCodeAt(i+1);

string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));

i += 2;

} else {

c2 = utftext.charCodeAt(i+1);

c3 = utftext.charCodeAt(i+2);

string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));

i += 3;

}

}

return string;

}

var decodeme =


-----

document.write(res);


-----