Group With Potential Links to Iranian Threat Actor Resurfaces



Lyceum, a previously known threat actor associated with targeted attacks on organizations in the Middle East, has resurfaced with new malware and tactics similar to those used by a dangerous advanced persistent threat (APT) group operating out of Iran.
Security researchers at Kaspersky said they observed the new Lyceum activity focused on two entities in Tunisia. The security vendor's analysis of the attacks showed Lyceum has evolved its malware from the previous PowerShell scripts and a .NET-based remote administration tool called DanBot to new malware written in C++.
Kaspersky has separated the new malware into two groups or variants, one dubbed James and the other Kevin, based on names the security vendor frequently came across in the malicious code. Both new variants, like DanBot, are designed to communicate with their command-and-control servers over secure DNS and HTTP tunneling, making the malicious activity hard to detect.
In addition to the new James and Kevin malware variants, Kaspersky also observed Lyceum using another tool in its recent attacks that appears not to contain any mechanism for network communications. The company surmised the malware is likely designed to proxy traffic between internal systems on an already compromised network. Also new in Lyceum's toolkit is a PowerShell script for stealing user credentials from browsers, as well as a custom keylogger that appears designed for the same purpose.
“Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage” from previously documented malware to new tools, Kaspersky said in a report summarizing Lyceum's new activity this week.
Lyceum first appeared on the radar in August 2019 when Secureworks reported observing the group targeting organizations in the oil and gas and telecommunications sectors in the Middle East. The security vendor at the time described the threat group as likely having been active since at least April 2018, based on domain registrations connecting Lyceum to attacks on South African targets.
Secureworks said its investigation showed that Lyceum typically gained initial access to target networks using account credentials the group had previously acquired through password-spraying or brute-force attacks. The group's tactics, techniques, and procedures (TTPs) resembled those used by other groups focused on strategically important Middle Eastern targets, such as OilRig (aka APT34) and Cobalt Trinity (aka APT33 and Elfin). However, the similarities were not strong enough to support a direct connection between Lyceum and the other threat groups, Secureworks noted.
Kaspersky this week reiterated these similarities but, like Secureworks, stopped short of making any direct connection between Lyceum's activities and those of previously known Iranian threat actors. According to the company, its analysis showed certain high-level similarities between Lyceum's activities and those of another threat actor called DNSpionage, which in 2018 was observed attacking targets in Lebanon and the United Arab Emirates using DNS redirects. DNSpionage in turn was linked to OilRig activity, Kaspersky said. The similarities between Lyceum and DNSpionage include targets in the same regions, the use of DNS and fake websites to tunnel command-and-control traffic, and similarities in the documents used to lure victims into clicking on malicious attachments.
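As an added, defender-side example (not from Kaspersky's or Secureworks' reports), the following Python scores DNS query logs for the tunneling pattern the article attributes to DanBot, James, Kevin and DNSpionage: many unique, long, high-entropy subdomains under a single parent domain. The log lines, domain names and thresholds are constructed for illustration.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS query log ("client queried_name"), not data from the article; the last
# five lines mimic tunneling: one client, one parent domain, long pseudo-random labels.
DNS_LOG = [
    "10.0.0.5 mail.example-corp.test",
    "10.0.0.5 www.example-corp.test",
    "10.0.0.7 update.vendor.test",
    "10.0.0.9 4f9a1c3e7b2d.a8c0f3e91b77.6d2e4f0a9c1b.cdn-assets.test",
    "10.0.0.9 7e21bd0c4a9f.13f7e0a4c2d8.0b9a6e3c1f5d.cdn-assets.test",
    "10.0.0.9 a3c9e1f7b2d4.5e0f8a2c9b1d.9c1e3d7f2a0b.cdn-assets.test",
    "10.0.0.9 2b8d0f4e6a1c.c7e3a9f1d5b0.1f0a8c2e4b6d.cdn-assets.test",
    "10.0.0.9 e5f1a3c7d9b2.8d2f0c4e6a1b.3a9c1e5f7b0d.cdn-assets.test",
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, dictionary-word labels score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name: str, levels: int = 2) -> str:
    # Crude parent-domain extraction; production code would consult a public-suffix list.
    return ".".join(name.rstrip(".").split(".")[-levels:])

def score_domains(log_lines, min_queries=3, min_len=30, min_entropy=3.0, min_unique_ratio=0.8):
    """Aggregate queries per parent domain and flag ones whose subdomains look like carried data."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "lengths": [], "entropies": []})
    for line in log_lines:
        _client, name = line.split()
        dom = registered_domain(name)
        sub = name[: -len(dom) - 1] if len(name) > len(dom) else ""
        s = stats[dom]
        s["queries"] += 1
        if sub:
            s["subs"].add(sub)
            s["lengths"].append(len(sub))
            s["entropies"].append(shannon_entropy(sub.replace(".", "")))
    results = {}
    for dom, s in stats.items():
        avg_len = sum(s["lengths"]) / len(s["lengths"]) if s["lengths"] else 0.0
        avg_ent = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        uniq = len(s["subs"]) / s["queries"]
        flag = (s["queries"] >= min_queries and avg_len >= min_len
                and avg_ent >= min_entropy and uniq >= min_unique_ratio)
        results[dom] = {"queries": s["queries"], "avg_len": avg_len,
                        "avg_entropy": round(avg_ent, 2), "unique_ratio": uniq, "suspicious": flag}
    return results
```

Tune the thresholds against a baseline of your own resolver logs: CDNs and some telemetry services legitimately produce long, unique subdomains, so the flag is a triage lead, not a verdict.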
In addition to a summary of its findings, Kaspersky this week released a presentation from a recent conference in which it provided technical details on Lyceum's new activity.