Cybersecurity Experts Warn of a Rise in Lyceum Hacker Group Activities in Tunisia


A threat actor, previously known for striking organizations in the energy and telecommunications sectors across the Middle East as early as April 2018, has evolved its malware arsenal to strike two entities in Tunisia.

Security researchers at Kaspersky, who presented their findings at the VirusBulletin VB2021 conference earlier this month, attributed the attacks to a group tracked as Lyceum (aka Hexane), which was first publicly documented in 2019 by Secureworks.


“The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies,” researchers Aseel Kayal, Mark Lechtik, and Paul Rascagneres detailed. “Based on the targeted industries, we assume that the attackers might have been interested in compromising such entities to track the movements and communications of individuals of interest to them.”

Analysis of the threat actor’s toolset has shown that the attacks have shifted from leveraging a combination of PowerShell scripts and a .NET-based remote administration tool referred to as “DanBot” to two new malware variants written in C++, referred to as “James” and “Kevin” owing to the recurring use of those names in the PDB paths of the underlying samples.

While the “James” sample is heavily based on DanBot, “Kevin” comes with major changes in architecture and communication protocol, and the group has relied predominantly on the latter as of December 2020, indicating an attempt to revamp its attack infrastructure in response to public disclosure.

That said, both artifacts support communication with a remote command-and-control server via custom-designed protocols tunneled over DNS or HTTP, mirroring the technique used by DanBot. In addition, the attackers are also believed to have deployed a custom keylogger as well as a PowerShell script in compromised environments to record keystrokes and plunder credentials stored in web browsers.
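Command-and-control tunneled over DNS, as described above, leaves a recognisable footprint in resolver logs: bursts of distinct, long, random-looking subdomains under one parent domain. The following is an added example (not code from Kaspersky or from the article) that profiles constructed DNS query records per parent domain and flags that shape; the log format, the domain names and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query records (timestamp, client, type, name), made up for this example,
# not telemetry from the report; the long hex labels stand in for encoded C2 data.
SAMPLE_LOG = """\
2020-12-01T10:00:01Z 10.0.0.5 TXT 0123456789abcdeffedcba9876543210.c2-example.test
2020-12-01T10:00:02Z 10.0.0.5 TXT 123456789abcdef0fedcba9876543210.c2-example.test
2020-12-01T10:00:03Z 10.0.0.5 TXT 23456789abcdef01fedcba9876543210.c2-example.test
2020-12-01T10:00:04Z 10.0.0.5 TXT 3456789abcdef012fedcba9876543210.c2-example.test
2020-12-01T10:00:05Z 10.0.0.5 TXT 456789abcdef0123fedcba9876543210.c2-example.test
2020-12-01T10:00:06Z 10.0.0.7 A www.example.test
2020-12-01T10:00:07Z 10.0.0.7 A mail.example.test
2020-12-01T10:00:08Z 10.0.0.8 A www.example.test
2020-12-01T10:00:09Z 10.0.0.8 A api.example.test
"""

def shannon_entropy(s):
    # Bits per character; a label using all 16 hex digits equally often scores 4.0.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def profile_queries(lines):
    # Per-parent-domain aggregates. Parent is taken as the last two labels (assumption:
    # no public-suffix handling, so names under co.uk-style suffixes need extra care).
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": 0.0, "label_len": 0})
    for line in lines:
        parts = line.split()
        labels = parts[3].rstrip(".").lower().split(".") if len(parts) == 4 else []
        if len(labels) < 3:
            continue  # malformed record, or no subdomain in which to carry data
        sub, st = labels[:-2], stats[".".join(labels[-2:])]
        st["queries"] += 1
        st["subdomains"].add(".".join(sub))
        st["entropy"] += shannon_entropy("".join(sub))
        st["label_len"] += max(len(lab) for lab in sub)
    return stats

def flag_tunneling(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0, min_label_len=20):
    # Flag parents receiving many distinct, long, high-entropy subdomains: the shape of
    # data smuggled inside query names. Thresholds are starting points, not universal values.
    flagged = []
    for parent, st in profile_queries(lines).items():
        q = st["queries"]
        if (q >= min_queries and len(st["subdomains"]) / q >= min_unique_ratio
                and st["entropy"] / q >= min_entropy and st["label_len"] / q >= min_label_len):
            flagged.append(parent)
    return sorted(flagged)
```

Baseline the thresholds against a site's own resolver traffic before alerting, since CDNs and some security products also generate long, high-cardinality subdomains.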


The Russian cybersecurity vendor said that the attack methods used in the campaign against Tunisian companies resembled techniques previously attributed to hacking operations associated with the DNSpionage group, which, in turn, has exhibited tradecraft overlaps to an Iranian threat actor dubbed OilRig (aka APT34), while calling out the “significant similarities” between lure documents delivered by Lyceum in 2018-2019 and those used by DNSpionage.

“With considerable revelations on the activity of DNSpionage in 2018, as well as further data points that shed light on an apparent relationship with APT34, […] the latter may have changed some of its modus operandi and organizational structure, manifesting into new operational entities, tools and campaigns,” the researchers said. “One such entity is the Lyceum group, which after further exposure by Secureworks in 2019, had to retool yet another time.”
