Cybersecurity Specialists Warn of a Rise in Lyceum Hacker Group Actions in Tunisia

A threat actor, previously known for targeting organizations in the energy and telecommunications sectors across the Middle East as early as April 2018, has evolved its malware arsenal to strike two entities in Tunisia.

Security researchers at Kaspersky, who presented their findings at the VirusBulletin VB2021 conference earlier this month, attributed the attacks to a group tracked as Lyceum (aka Hexane), which was first publicly documented in 2019 by Secureworks.


“The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies,” researchers Aseel Kayal, Mark Lechtik, and Paul Rascagneres said. “Based on the targeted industries, we assume that the attackers might have been interested in compromising such entities to track the movements and communications of individuals of interest to them.”

Analysis of the threat actor’s toolset has shown that the attacks have shifted from a combination of PowerShell scripts and a .NET-based remote administration tool referred to as “DanBot” to two new malware variants written in C++, called “James” and “Kevin” owing to the recurring use of those names in the PDB paths of the underlying samples.

While the “James” sample is heavily based on DanBot, “Kevin” comes with major changes in architecture and communication protocol, with the group predominantly relying on the latter as of December 2020, indicating an attempt to revamp its attack infrastructure in response to public disclosure.

That said, both artifacts support communication with a remote command-and-control server via custom-designed protocols tunneled over DNS or HTTP, mirroring the same technique used by DanBot. In addition, the attackers are also believed to have deployed a custom keylogger as well as a PowerShell script in compromised environments to record keystrokes and harvest credentials stored in web browsers.
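Command-and-control traffic tunneled over DNS, as described above, leaves a recognizable footprint in resolver logs: many unique, long, high-entropy subdomains under one registered domain. The following is an added detection sketch written for this article, not code from Kaspersky or from the malware; the query log, the `c2-placeholder.test` domain and the thresholds are constructed assumptions, and the registered-domain split is a naive two-label heuristic where a real deployment would use a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample of (client, queried name) pairs; not real Lyceum traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "a9f3k2lq8zx1.c2-placeholder.test"),
    ("10.0.0.7", "p0o9i8u7y6t5r4e3w2q1.c2-placeholder.test"),
    ("10.0.0.7", "zx8cv7bn6mk5lp4oi3uy2tr1.c2-placeholder.test"),
    ("10.0.0.7", "q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5.c2-placeholder.test"),
    ("10.0.0.9", "cdn.example.org"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload chunks score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Naive split: last two labels (assumption; use a public-suffix list in practice)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def subdomain_part(name: str) -> str:
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-2])

def score_domains(queries, min_unique=3, min_avg_len=12, min_entropy=3.0):
    """Flag registered domains whose subdomains look like tunneled data chunks."""
    per_domain = defaultdict(set)
    for _, name in queries:
        per_domain[registered_domain(name)].add(subdomain_part(name))
    flagged = {}
    for dom, subs in per_domain.items():
        subs = {s for s in subs if s}
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(subs),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Running `score_domains(SAMPLE_QUERIES)` flags only `c2-placeholder.test`; the legitimate `example.com` names have too few distinct, short, low-entropy subdomains to cross the thresholds.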


The Russian cybersecurity vendor said that the attack methods used in the campaign against Tunisian companies resembled techniques previously attributed to hacking operations associated with the DNSpionage group, which, in turn, has exhibited tradecraft overlaps with an Iranian threat actor dubbed OilRig (aka APT34), while calling out the “significant similarities” between lure documents delivered by Lyceum in 2018-2019 and those used by DNSpionage.

“With considerable revelations on the activity of DNSpionage in 2018, as well as further data points that shed light on an apparent relationship with APT34, […] the latter may have changed some of its modus operandi and organizational structure, manifesting into new operational entities, tools and campaigns,” the researchers said. “One such entity is the Lyceum group, which after further exposure by Secureworks in 2019, had to retool yet another time.”
