The APT, which targets Middle Eastern energy companies and telecoms, has been fairly quiet since its exposure but not completely silent. It has kept up attacks through 2021 and is working on retooling its arsenal yet again.
The Lyceum threat group has resurfaced, this time with an unusual variant of a remote-access trojan (RAT) that has no way to communicate with a command-and-control (C2) server and may instead be a new way to proxy traffic between internal network clusters.
Kaspersky's Mark Lechtik, senior security researcher at the company's Global Research & Analysis Team (GReAT), said in a Monday post that the team has identified a new cluster of Lyceum activity focused on two entities in Tunisia.
In a paper (PDF) presented earlier this month at the Virus Bulletin conference, Lechtik and fellow Kaspersky researchers Aseel Kayal and Paul Rascagneres wrote that the threat actor has attacked high-profile Tunisian organizations, such as telecoms or aviation companies.
That fits the group's target list. Lyceum has been active since as early as April 2018, when it attacked telecoms and critical infrastructure in Middle Eastern oil-and-gas companies. Lyceum treads lightly but carries a big stick: "All the while it has kept a low profile, drawing little attention from security researchers," the trio of researchers wrote.
The Lyceum group (aka Hexane) was first exposed in 2019 by Secureworks, which spotted the group targeting Middle Eastern energy companies and telecoms with malware-laced spearphishing emails.
Back then, Lyceum was using various PowerShell scripts and a novel .NET-based remote-access trojan (RAT) named DanBot, which deployed post-intrusion tools to spread across infected companies' networks, steal credentials and other account information, and log keystrokes. DanBot communicated with a C2 server via custom-built protocols over DNS or HTTP.
Kaspersky's new Lyceum findings were sparked by a PowerShell script (MD5: 94eac052ea0a196a4600e4ef6bec9de2) that was submitted to VirusTotal last November and which helped researchers follow the threat group's more recent tracks.
"The script is obfuscated and Base64-encoded, suggesting that it was possibly trying to evade detection in a victim's environment," according to the paper. "But after de-obfuscating it, the resulting code shows several comments that were left by the attackers, explaining what the script does and even detailing the changes from previous versions. Some of the functions were also marked as obsolete, suggesting that this script is possibly a work in progress."
While it has kept fairly quiet, Lyceum has not been silent. In fact, Kaspersky has found enough threads to tie it back to the APT34/OilRig threat actor, as detailed below.
Off of .NET, Onto C++
The group's tracks show that Lyceum's arsenal has evolved. The group has shifted from its earlier .NET malware to new versions written in C++. Kaspersky has outlined two clusters of variants, named "James" and "Kevin" simply because these were the names on the systems used to compile the malware.
Those DanBot variants cropped up a few months after Secureworks published its findings about Lyceum, suggesting that the exposure stung the group, as Kayal noted during the Virus Bulletin conference:
"There is a time gap of a couple of months between the previously documented DanBot and the two newer variants," she said. "We believe that this is possibly due to SecureWorks' publication, and that the attackers might have decided to introduce some changes to their toolset after some of them were exposed in this report."
Both of the new DanBot variants, like the original DanBot, support similar custom C2 protocols tunneled over DNS or HTTP, Lechtik said in his Monday post. "That said, we also identified an unusual variant that did not include any mechanism for network communication," he said. "We believe that it was used as a means to proxy traffic between two internal network clusters."
Kevin, You Weirdo
Kaspersky believes that the Kevin variant may "represent a new branch of development in the group's arsenal," according to the paper.
The variant first appeared in June 2020, with most samples carrying a string indicating that it was an internal version named v1.0.2. Then, 10 months ago, in December, a new wave of samples from the Kevin variant emerged, carrying the version number v2.1.0.2.
The variant introduced changes in communication protocols and is mostly compiled for 64-bit systems. Its purpose is "to facilitate a communication channel that passes arbitrary commands to be executed by the implant," according to Kaspersky's writeup.
"To do this, the malware requests files that will be created in the file system and written with commands received from the server using a specified format," the paper continued. "The contents of the file will be read and interpreted by the implant according to that format, in which predefined keywords will be replaced with specific malware-related paths or used to update internal run-time configurations. In turn, the commands will be executed, issuing the response back to the server."
But before communication occurs, the Kevin variant may bootstrap and prepare the target environment for its execution via a set of actions common to many of its samples, as the researchers explained.
A partial list of those actions:
- Hides the current window from the user using the 'ShowWindow' API function.
- Creates a mutex with a lower-case GUID value that is hard-coded in the binary.
- Checks the arguments with which it was executed. It is mandatory that the first argument is equal to a version number (e.g., v1.0.2 or v2.1.0.2). "We assess that this could have been included in order to avoid full execution of the malware functions in sandboxed environments," the researchers explained.
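The version-string argument check above is a cheap sandbox gate: an automated sandbox that runs a sample with no arguments never reaches the implant's real logic. The following is an added example, not code from the Kaspersky paper or from Lyceum's tooling, that models that gate and shows the two things an analyst does with it: recover the expected argument from a sample's strings so the sandbox can be re-run with it, and hunt process-creation telemetry for launches that carry such an argument. The regex (which generalizes the article's v1.0.2 and v2.1.0.2 to any dotted numeric tag), the sample bytes and the log lines are all constructed here; they are not real samples or telemetry.

```python
import re

# The article's examples are v1.0.2 and v2.1.0.2; this pattern is an
# assumption that generalizes them to "v" followed by 2-4 dotted numbers.
VERSION_TAG = re.compile(r"^v\d+(?:\.\d+){1,3}$")


def version_gate_ok(argv):
    """Model of the implant-side check described by Kaspersky: the first
    argument must be a version tag, otherwise full execution does not happen.
    A sandbox that launches the sample with no arguments never gets past this."""
    return len(argv) >= 2 and VERSION_TAG.match(argv[1]) is not None


def extract_version_gates(sample):
    """Analyst side: recover candidate gate values from a sample's bytes so the
    sandbox can be re-run with the right argument. Windows binaries often keep
    such strings as UTF-16LE, so both narrow and wide forms are scanned;
    results are de-duplicated with order preserved."""
    narrow = re.findall(rb"v\d+(?:\.\d+){1,3}", sample)
    wide = re.findall(rb"v\x00(?:\d\x00)+(?:\.\x00(?:\d\x00)+){1,3}", sample)
    found = []
    for hit in [n.decode("ascii") for n in narrow] + [w.decode("utf-16-le") for w in wide]:
        if hit not in found:
            found.append(hit)
    return found


# Constructed stand-in for a sample: an ASCII version string and a wide one
# buried between padding bytes. Not a real Lyceum binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Ready to start v2.1.0.2\x00"
    + b"\x00" * 8
    + "v1.0.2".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)

# Constructed Sysmon-style process-creation records (hypothetical paths, not
# real telemetry). The hunt looks for a bare version tag as the first argument.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    'Image=C:\\Users\\Public\\update.exe CommandLine="update.exe v2.1.0.2"',
    'Image=C:\\Program Files\\App\\app.exe CommandLine="app.exe --version"',
    'Image=C:\\ProgramData\\cache\\svc.exe CommandLine="svc.exe v1.0.2 /q"',
]

EVENT = re.compile(r'Image=(?P<image>.+?) CommandLine="(?P<cmd>[^"]*)"')


def hunt_version_gated_launches(events):
    """Return (image, first_arg) for every launch whose first argument is a
    version tag. Splitting on whitespace is deliberately simple; real command
    lines with quoted paths need a proper Windows argv parser."""
    hits = []
    for line in events:
        m = EVENT.match(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if version_gate_ok(argv):
            hits.append((m.group("image"), argv[1]))
    return hits


if __name__ == "__main__":
    print("gates found in sample:", extract_version_gates(SAMPLE_BINARY))
    print("suspicious launches:", hunt_version_gated_launches(SAMPLE_EVENTS))
```

A version tag as the first argument is a weak signal on its own (installers and updaters pass version strings too), so in practice the hunt result is a triage list to pair with the other bootstrap artifacts the paper lists, such as the hard-coded lower-case GUID mutex, rather than an alert by itself.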
Tracing the Threads to Other APTs
Kaspersky researchers said that they found certain similarities between Lyceum and the infamous state-sponsored campaign from the DNSpionage group, which scooped up credentials by targeting national security organizations across the Middle East and North Africa (MENA), and elsewhere, with domain name system (DNS) hijacking attacks.
DNSpionage is in turn affiliated with APT34/OilRig, Lechtik said in his Monday writeup: an advanced persistent threat (APT) that launched a series of cyberattacks on a Middle Eastern telecom in July 2020.
"Besides similar geographical target choices, and the use of DNS or fake websites to tunnel C2 data as a TTP [tactics, techniques and procedures], we were able to trace significant similarities between lure documents delivered by Lyceum in the past and those used by DNSpionage," he wrote. "These were made evident through a common code structure and choices of variable names."
The researchers noted that Lyceum’s modus operandi “bears a striking resemblance to that of APT34/OilRig.”
According to the paper, “Both groups have similar geopolitical targeting, and prefer to use DNS tunneling in the different payloads they have developed over the years. Although we did not find conclusive evidence to support this, we did notice some similarities between the delivery documents used by Lyceum back in 2018-2019 and those by DNSpionage, which is also believed to have ties to OilRig.”
As well, the macros embedded in documents from the two groups share the same variable names and a similar code structure, as shown below.
Attacks Started with Excel Docs
When Lyceum/Hexane was first exposed, its attacks started with Excel documents booby-trapped with malicious macros. One of the observed attacks used messages promising to display a list of events related to industrial control systems or to Middle Eastern oil-and-gas content. Another malicious spreadsheet pretended to be security-related, purporting to contain a list of the worst passwords since 2017.
In its recent investigation, Kaspersky identified some of Lyceum’s other MOs, including some of the commands the attackers used within the compromised environments, as well as how user credentials stored in browsers were stolen by using a PowerShell script, and details about a custom keylogger deployed on some of the targeted machines.
Kaspersky’s paper takes a deep dive into the technical aspects of its investigation into Lyceum, but the TL;DR version is that the APT didn’t blink out of existence following its discovery in 2019, and we’ll likely hear more about it still.
“With considerable revelations on the activity of DNSpionage in 2018, as well as further data points that shed light on an apparent relationship with APT34, we can assess that the latter may have changed some of its modus operandi and organizational structure, manifesting into new operational entities, tools and campaigns,” according to Kaspersky’s paper.
Lyceum=Outgrowth of DNSpionage?
One of the new operational arms of DNSpionage is, in fact, Lyceum, Kaspersky asserted. "After further exposure by Secureworks in 2019, [Lyceum] had to retool yet another time," leading to the campaign Kaspersky described in its paper.
Lyceum hasn't ceased operations; instead, the group has "attempted to gain a foothold on the targeted networks time and time again," the researchers said.
The APT has not only kept up its attempted attacks through 2021; its samples also show code variations that point to the group having started to retool once again.
"With the exposure of this publication, we assess that Lyceum will continue to be active, using renewed malware and TTPs and adapting its capabilities to conduct espionage and counterintelligence operations in the Middle East," the researchers predicted.