The cyberespionage group Leviathan is targeting high-value targets in the maritime industries, naval defense contractors, and associated research institutions in the United States, Western Europe, and the South China Sea.
Proofpoint researchers said the threat group has been active since at least 2014 and uses a custom JavaScript malware known as “Orz” and “NanHaiShu”, Cobalt Strike, the SeDll JavaScript loader, and MockDll dll loader, according to an Oct. 16 blog post.
The malware looks to exploit Microsoft Excel and Word documents with using recent vulnerabilities including CVE-2017-0199 and CVE-2017-8759, and malicious Microsoft Publisher files, researchers said adding threat actors sometimes utilizes access at one compromised organization to attack the next.
“For example, compromised email accounts at one organization were used to send the next wave of malicious attachments to potential victims in the same industry,” the post said. “Similarly the actor attempts to compromise servers within victim organizations and use them for command and control (C&C) for their malware.”
Researchers said appropriate layered defenses at the firewall, email gateway, and endpoint can help prevent attackers from moving lateral within and organization and prevent compromise.
