Lyceum, a previously identified threat actor associated with targeted attacks on organizations in the Middle East, has resurfaced with new malware and tactics similar to those used by a dangerous advanced persistent threat (APT) group operating out of Iran.
Security researchers at Kaspersky said they observed the new Lyceum activity focused on two entities in Tunisia. The security vendor's analysis of the attacks showed Lyceum has evolved its malware from the previous PowerShell scripts and a .NET-based remote administration tool called DanBot to new malware written in C++.
Kaspersky has separated the new malware into two groups or variants, one dubbed James and the other Kevin, based on names the security vendor frequently came across in the malicious code. Both new variants — like DanBot — are designed to communicate with their command-and-control servers over secure DNS and HTTP tunneling, making the malicious activity hard to detect.
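The DNS tunneling described above is hard to spot in isolation but leaves statistical traces in resolver logs: many queries to one registered domain whose subdomain labels are long, high-entropy and almost never repeated, often for TXT or NULL records. The following detector is an added example written for this article; it is not Kaspersky's or Secureworks' code and says nothing about the actual James or Kevin implants. The log format, the domain `c2-placeholder.example`, the client addresses and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article). Assumed format per line:
# "<timestamp> <client_ip> <query_name> <query_type>"
# The first four lines are ordinary lookups; the last three mimic tunneled traffic
# to a made-up domain (c2-placeholder.example is a placeholder, not a real IoC).
SAMPLE_DNS_LOG = """\
2021-10-19T10:00:01Z 10.0.0.5 www.example.com A
2021-10-19T10:00:02Z 10.0.0.5 cdn.example.com A
2021-10-19T10:00:03Z 10.0.0.5 mail.example.com A
2021-10-19T10:00:04Z 10.0.0.5 www.example.com AAAA
2021-10-19T10:00:05Z 10.0.0.7 zkq3t9v2m8x1b7c4n6p0r5.c2-placeholder.example TXT
2021-10-19T10:00:06Z 10.0.0.7 a8f2k9q1w7e3r5t6y0u4ij.c2-placeholder.example TXT
2021-10-19T10:00:07Z 10.0.0.7 h4j7l1n3p9s0v2x6z8b5d.c2-placeholder.example TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain part, registered domain).

    Simplification: the last two labels are treated as the registered domain.
    A production version would consult the Public Suffix List so that names
    under e.g. co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(log_text: str):
    """Parse the assumed four-column format, skipping malformed lines."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        rows.append(tuple(parts))  # (timestamp, client, qname, qtype)
    return rows


def profile_domains(rows):
    """Aggregate per-registered-domain features relevant to tunneling."""
    stats = defaultdict(lambda: {"queries": 0, "sub_lengths": [], "entropies": [],
                                 "subdomains": set(), "txt_null": 0})
    for _, _, qname, qtype in rows:
        sub, dom = split_qname(qname)
        s = stats[dom]
        s["queries"] += 1
        s["sub_lengths"].append(len(sub))
        s["entropies"].append(shannon_entropy(sub))
        s["subdomains"].add(sub)
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
    return stats


def detect_dns_tunneling(log_text: str, min_queries: int = 3,
                         min_mean_sub_len: int = 20, min_mean_entropy: float = 3.5):
    """Flag domains whose subdomains are, on average, long and high-entropy.

    Thresholds are illustrative; tune them against your own baseline, since CDN
    and telemetry hostnames can also carry long hash-like labels.
    """
    flagged = {}
    for dom, s in profile_domains(parse_log(log_text)).items():
        if s["queries"] < min_queries:
            continue
        mean_len = sum(s["sub_lengths"]) / s["queries"]
        mean_ent = sum(s["entropies"]) / s["queries"]
        if mean_len >= min_mean_sub_len and mean_ent >= min_mean_entropy:
            flagged[dom] = {
                "queries": s["queries"],
                "mean_subdomain_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                # Tunnels rarely repeat a subdomain; caches would otherwise answer.
                "unique_subdomain_ratio": round(len(s["subdomains"]) / s["queries"], 2),
                "txt_null_fraction": round(s["txt_null"] / s["queries"], 2),
            }
    return flagged


if __name__ == "__main__":
    for dom, features in detect_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(dom, features)
```

Only the placeholder domain is flagged on the sample input; `example.com` has plenty of queries but short, low-entropy labels. The unique-subdomain ratio and the TXT/NULL fraction are reported rather than used as hard conditions, so an analyst can weigh them per environment.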
In addition to the new James and Kevin malware variants, Kaspersky also observed Lyceum using another tool in its recent attacks that appears not to contain any mechanism for network communications. The company surmised the malware is likely designed to proxy traffic between internal systems on an already compromised network. Also new in Lyceum's toolkit is a PowerShell script for stealing user credentials from browsers, as well as a custom keylogger that appears designed for the same purpose.
“Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage” from previously documented malware to new tools, Kaspersky said in a report summarizing Lyceum's new activity this week.
Lyceum first appeared on the radar in August 2019 when Secureworks reported observing the group targeting organizations in the oil and gas and telecommunications sectors in the Middle East. The security vendor at the time described the threat group as likely having been active since at least April 2018 based on domain registrations connecting Lyceum attacks on South African targets.
Secureworks said its investigation showed that Lyceum typically gained initial access to target networks using account credentials the group had previously acquired through password-spraying or brute-force attacks. The group's tactics, techniques, and procedures (TTPs) resembled those used by other groups focused on strategically important Middle Eastern targets, such as OilRig (aka APT34) and Cobalt Trinity (aka APT33 and Elfin). However, the similarities were not strong enough to support a direct connection between Lyceum and the other threat groups, Secureworks noted.
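The initial-access pattern Secureworks describes (credentials gathered by password spraying or brute force, then used to log in) has a distinctive shape in authentication logs: spraying produces a few failures across many accounts from one source, brute force produces many failures against one account, and a success from a source that was just spraying is the signal worth paging on. The detector below is an added example for this article, not Secureworks' or Kaspersky's tooling. The log format, addresses, usernames, the ten-minute window and the count thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). Assumed format:
# "<timestamp> <source_ip> <username> <FAIL|SUCCESS>"
# 203.0.113.10 sprays one guess across many accounts and then succeeds;
# 198.51.100.7 hammers a single account; 192.0.2.44 is a user's ordinary typo.
SAMPLE_AUTH_LOG = """\
2021-10-19T08:00:01Z 203.0.113.10 alice FAIL
2021-10-19T08:00:02Z 203.0.113.10 bob FAIL
2021-10-19T08:00:03Z 203.0.113.10 carol FAIL
2021-10-19T08:00:04Z 203.0.113.10 dave FAIL
2021-10-19T08:00:05Z 203.0.113.10 erin FAIL
2021-10-19T08:00:06Z 203.0.113.10 frank FAIL
2021-10-19T08:00:07Z 203.0.113.10 grace SUCCESS
2021-10-19T08:05:00Z 198.51.100.7 alice FAIL
2021-10-19T08:05:10Z 198.51.100.7 alice FAIL
2021-10-19T08:05:20Z 198.51.100.7 alice FAIL
2021-10-19T08:05:30Z 198.51.100.7 alice FAIL
2021-10-19T08:05:40Z 198.51.100.7 alice FAIL
2021-10-19T08:05:50Z 198.51.100.7 alice FAIL
2021-10-19T09:00:00Z 192.0.2.44 heidi FAIL
2021-10-19T09:00:30Z 192.0.2.44 heidi SUCCESS
"""


def parse_auth_log(log_text: str):
    """Parse the assumed four-column format into dicts with real timestamps."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "user": user, "result": result})
    return events


def detect_auth_abuse(log_text: str, window: timedelta = timedelta(minutes=10),
                      spray_min_users: int = 5, spray_max_per_user: int = 2,
                      brute_min_failures: int = 5):
    """Classify per-source login behaviour inside a sliding time window.

    Returns sources that look like password spraying, (source, user) pairs that
    look like brute force, and (source, user) pairs where a spraying source
    then logged in successfully, which is the credential-acquired signal.
    """
    by_src = defaultdict(list)
    for e in parse_auth_log(log_text):
        by_src[e["src"]].append(e)

    sprays, brute, success_after_spray = set(), set(), set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Evaluate a window starting at every event; fine for log-sized inputs,
        # a streaming deque would replace this in a real pipeline.
        for start in evs:
            end = start["ts"] + window
            win = [e for e in evs if start["ts"] <= e["ts"] < end]
            fails = defaultdict(int)
            for e in win:
                if e["result"] == "FAIL":
                    fails[e["user"]] += 1
            if not fails:
                continue
            # Spray: many distinct accounts, each failing only once or twice.
            if len(fails) >= spray_min_users and max(fails.values()) <= spray_max_per_user:
                sprays.add(src)
                for e in win:
                    if e["result"] == "SUCCESS":
                        success_after_spray.add((src, e["user"]))
            # Brute force: one account failing repeatedly from the same source.
            for user, n in fails.items():
                if n >= brute_min_failures:
                    brute.add((src, user))

    return {"password_spray": sorted(sprays),
            "brute_force": sorted(brute),
            "success_after_spray": sorted(success_after_spray)}


if __name__ == "__main__":
    for kind, hits in detect_auth_abuse(SAMPLE_AUTH_LOG).items():
        print(kind, hits)
```

The per-user cap (`spray_max_per_user`) is what separates a spray from a brute-force run in the same window; without it, a single account being hammered would also satisfy the distinct-user count once enough other users happen to mistype their passwords. The `success_after_spray` list is the one to route to an analyst first, since it points at an account whose credential the source now holds.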
Kaspersky this week reiterated these similarities, but like Secureworks stopped short of making any direct connections between Lyceum's activities and those of previously identified Iranian threat actors. According to the company, its analysis showed certain high-level similarities between Lyceum's activities and those of another threat actor called DNSpionage that in 2018 was observed attacking targets in Lebanon and the United Arab Emirates using DNS redirects. DNSpionage in turn was linked to OilRig activity, Kaspersky said. The similarities between Lyceum and DNSpionage include targets in the same regions, the use of DNS and fake websites to tunnel command-and-control traffic, and similarities in the documents used to lure victims into clicking on malicious attachments.
In addition to a summary of its findings, Kaspersky this week released a presentation from a recent conference where it provided technical details on Lyceum's new activity.