Mysterious cyber espionage campaign uses 'torpedo' lure to trick you into downloading malware

Researchers at Proofpoint say the 'Leviathan' threat group is regularly launching phishing and malware attacks in an effort to steal sensitive data
Written by Danny Palmer, Senior Writer

The attack group has launched several campaigns against maritime and defence contractors.


An espionage group is launching cyber attacks against organisations in the maritime and defence sectors in what's highly likely to be an effort to steal confidential information and research data.

Dubbed Leviathan, the group has been active since at least 2014 and takes particular interest in maritime industries, naval defence contractors and associated university research institutions as well as related government and legal agencies.

Organisations targeted by the campaign are mostly in the US and Western Europe, although some targets are active in the South China Sea.

Military and defence contractors are often the target of cyber attacks and researchers at Proofpoint recently detected new campaigns targeting US shipbuilding companies and a university research centre with military ties. Researchers dubbed the threat Leviathan due to its focus on organisations related to naval technology and maritime interests.

Phishing emails distributed in mid-September used references to job applications, resumes and a "Torpedo recovery experiment" in an effort to lure targets into messages containing malicious Microsoft Excel and Word documents laced with macros.

The malicious documents leveraged CVE-2017-8759, a code-injection vulnerability in a parser that allows attackers to execute Visual Basic scripts containing PowerShell commands to install malware. Researchers note that the zero-day was only discovered days before the campaign, indicating the attackers are quick to exploit new attack vectors.

In addition to the September campaign, researchers say the same attackers sent spear-phishing emails containing malicious URLs to multiple defence contractors in August. The messages contain lures ranging from fake Microsoft licensing agreements to phony messages purporting to be from companies involved with the building of military ships, submarines and other vessels.

This version of the campaign leveraged CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and Wordpad parse specially crafted files, which can ultimately enable attackers to take full control of an infected system.

The vulnerability was patched in April, but the attackers are likely aware of how many organisations are slow to get round to installing updates.


If successful in compromising a system, the actor behind the attack looks to create backdoors in the system by installing Trojan malware. These include Orz - also known as Core - a backdoor Trojan which can gather information, download and update files and execute commands.

The attackers are also known to leverage NanHaiShu, a remote access Trojan which is able to send any information from an infected machine to command and control infrastructure run by attackers.

The JavaScript backdoor has been used in various campaigns, including one targeting governments and private sector organisations involved in the dispute over territory and sovereignty in the South China Sea, a campaign which F-Secure linked to the Chinese government.

Proofpoint, on the other hand, haven't attributed the latest attacks against US defence and naval contractors to any particular actor on the basis there's not enough data to do so.

What researchers do say is the behaviour of this threat actor reflects the techniques of modern advanced threats, including narrow targeting with email lures and document themes relevant to intelligence gathering goals and the use of compromised infrastructure to launch additional attacks.

The attackers have also been seen to employ the rapid adoption of new vulnerabilities and innovation in malware installation and multi-stage payloads designed to evade detection by endpoint and network-based defences, indicating that the group is well organised and well funded.
