Cybersecurity Experts Warn of a Rise in Lyceum Hacker Group Activities in Tunisia


A threat actor, previously known for targeting organizations in the energy and telecommunications sectors across the Middle East as early as April 2018, has evolved its malware arsenal to strike two entities in Tunisia.

Security researchers at Kaspersky, who presented their findings at the VirusBulletin VB2021 conference earlier this month, attributed the attacks to a group tracked as Lyceum (aka Hexane), which was first publicly documented in 2019 by Secureworks.


“The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies,” researchers Aseel Kayal, Mark Lechtik, and Paul Rascagneres detailed. “Based on the targeted industries, we assume that the attackers might have been interested in compromising such entities to track the movements and communications of individuals of interest to them.”

Analysis of the threat actor’s toolset has shown that the attacks have shifted from leveraging a mix of PowerShell scripts and a .NET-based remote administration tool referred to as “DanBot” to two new malware variants written in C++ called “James” and “Kevin,” owing to the recurring use of those names in the PDB paths of the underlying samples.

While the “James” sample is heavily based on DanBot, “Kevin” comes with major changes in architecture and communication protocol, with the group predominantly relying on the latter as of December 2020, indicating an attempt to revamp its attack infrastructure in response to public disclosure.

That said, both artifacts support communication with a remote command-and-control server via custom-designed protocols tunneled over DNS or HTTP, mirroring the same technique as DanBot. In addition, the attackers are also believed to have deployed a custom keylogger as well as a PowerShell script in compromised environments to record keystrokes and plunder credentials stored in web browsers.
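Because both implants tunnel their C2 over DNS, a defender's first detection lever is the shape of the DNS traffic itself. The following heuristic, an added example that is not part of Kaspersky's report or the article, groups queries by client and registrable domain and flags pairs that repeatedly carry long, high-entropy subdomain labels; the log lines and the thresholds are constructed assumptions, not Lyceum indicators.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (client_ip, queried_name). Not real Lyceum traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "a9f3c1e7b2d4.4e1f8a9c0b7d.update-check.example.net"),
    ("10.0.0.7", "7c2e9a1b5f0d.d3a8e6c4b1f9.update-check.example.net"),
    ("10.0.0.7", "e1b4d7a2c9f6.2f7c3e8a1d5b.update-check.example.net"),
    ("10.0.0.7", "b8d2f6a0c4e1.9a3c7e5b2d8f.update-check.example.net"),
    ("10.0.0.7", "www.example.com"),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name: str) -> str:
    """Naive registrable-domain extraction: last two labels.
    Assumption: no multi-label public suffixes such as co.uk in the data."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def subdomain_part(name: str) -> str:
    """Everything left of the registrable domain, joined with dots."""
    return ".".join(name.lower().rstrip(".").split(".")[:-2])


def score_tunneling(queries, min_queries=3, min_subdomain_len=20, min_entropy=3.0):
    """Flag (client, domain) pairs whose queries repeatedly carry long,
    high-entropy subdomains: the shape of data encoded into DNS names.
    Returns {(client, domain): suspicious_query_count} for pairs over threshold."""
    suspicious = defaultdict(int)
    for client, name in queries:
        sub = subdomain_part(name)
        if len(sub) >= min_subdomain_len and shannon_entropy(sub.replace(".", "")) >= min_entropy:
            suspicious[(client, registrable_domain(name))] += 1
    return {k: v for k, v in suspicious.items() if v >= min_queries}
```

Tune the thresholds against a baseline of your own resolver logs; CDNs and some telemetry services also emit long labels and will show up until allow-listed.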


The Russian cybersecurity vendor said that the attack techniques used in the campaign against Tunisian companies resembled techniques previously attributed to hacking operations associated with the DNSpionage group, which, in turn, has exhibited tradecraft overlaps with an Iranian threat actor dubbed OilRig (aka APT34), while calling out the “significant similarities” between lure documents delivered by Lyceum in 2018-2019 and those used by DNSpionage.

“With considerable revelations on the activity of DNSpionage in 2018, as well as further data points that shed light on an apparent relationship with APT34, […] the latter may have changed some of its modus operandi and organizational structure, manifesting into new operational entities, tools and campaigns,” the researchers said. “One such entity is the Lyceum group, which after further exposure by Secureworks in 2019, had to retool once again.”
