Lyceum, a previously known threat actor associated with targeted attacks on organizations in the Middle East, has resurfaced with new malware and tactics similar to those used by a dangerous advanced persistent threat (APT) group operating out of Iran.
Security researchers at Kaspersky said they observed the new Lyceum activity focused on two entities in Tunisia. The security vendor's analysis of the attacks showed that Lyceum has evolved its malware from the earlier PowerShell scripts and a .NET-based remote administration tool called DanBot to new malware written in C++.
Kaspersky has separated the new malware into two groups or variants, one dubbed James and the other Kevin, based on names the security vendor frequently came across in the malicious code. Both new variants, like DanBot, are designed to communicate with their command-and-control servers over secure DNS and HTTP tunneling, making the malicious activity hard to detect.
In addition to the new James and Kevin malware variants, Kaspersky also observed Lyceum using another tool in its recent attacks that appears to contain no mechanism for network communications. The company surmised that this malware is likely designed to proxy traffic between internal systems on an already compromised network. Also new in Lyceum's toolkit is a PowerShell script for stealing user credentials from browsers, as well as a custom keylogger that appears designed for the same purpose.
“Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage” from previously documented malware to new tools, Kaspersky said in a report summarizing Lyceum's new activity this week.
Lyceum first appeared on the radar in August 2019 when Secureworks reported observing the group targeting organizations in the oil and gas and telecommunications sectors in the Middle East. The security vendor at the time described the threat group as likely having been active since at least April 2018, based on domain registrations connecting Lyceum attacks on South African targets.
Secureworks said its investigation showed that Lyceum typically gained initial access to target networks using account credentials the group had previously acquired through password-spraying or brute-force attacks. The group's tactics, techniques, and procedures (TTPs) resembled those used by other groups focused on strategically important Middle Eastern targets, such as OilRig (aka APT34) and Cobalt Trinity (aka APT33 and Elfin). However, the similarities were not strong enough to support a direct connection between Lyceum and the other threat groups, Secureworks noted.
Kaspersky this week reiterated these similarities, but like Secureworks it stopped short of making any direct connection between Lyceum's activities and those of previously known Iranian threat actors. According to the company, its analysis showed certain high-level similarities between Lyceum's activities and those of another threat actor called DNSpionage, which in 2018 was observed attacking targets in Lebanon and the United Arab Emirates using DNS redirects. DNSpionage in turn was linked to OilRig activity, Kaspersky said. The similarities between Lyceum and DNSpionage include targets in the same regions, the use of DNS and fake websites to tunnel command-and-control traffic, and similarities in the documents used to lure victims into clicking on malicious attachments.
In addition to a summary of its findings, Kaspersky this week released a presentation from a recent conference in which it provided technical details on Lyceum's new activity.