A threat actor, previously known for targeting organizations in the energy and telecommunications sectors across the Middle East as early as April 2018, has evolved its malware arsenal to strike two entities in Tunisia.
Security researchers at Kaspersky, who presented their findings at the VirusBulletin VB2021 conference earlier this month, attributed the attacks to a group tracked as Lyceum (aka Hexane), which was first publicly documented in 2019 by Secureworks.
“The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies,” researchers Aseel Kayal, Mark Lechtik, and Paul Rascagneres detailed. “Based on the targeted industries, we think that the attackers might have been interested in compromising such entities to track the movements and communications of individuals of interest to them.”
Analysis of the threat actor’s toolset has shown that the attacks have shifted from leveraging a combination of PowerShell scripts and a .NET-based remote administration tool referred to as “DanBot” to two new malware variants written in C++ referred to as “James” and “Kevin”, owing to the recurring use of those names in the PDB paths of the underlying samples.
While the “James” sample is heavily based on DanBot, “Kevin” comes with major changes in architecture and communication protocol, with the group predominantly relying on the latter as of December 2020, indicating an attempt to revamp its attack infrastructure in response to public disclosure.
That said, both artifacts support communication with a remote command-and-control server through custom-built protocols tunneled over DNS or HTTP, mirroring the same approach as DanBot. In addition, the attackers are also believed to have deployed a custom keylogger as well as a PowerShell script in compromised environments to record keystrokes and steal credentials saved in web browsers.
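Command-and-control traffic tunneled over DNS, as described above for DanBot and its successors, leaves a recognisable footprint in resolver logs: unusually long, high-entropy subdomain labels, many distinct subdomains under a single registered domain, and a skew toward record types such as TXT that can carry arbitrary data. The following detection heuristic is an added example, not code from Kaspersky or from the malware samples discussed; the log format, the `c2-placeholder.test` domain, the client addresses and all thresholds are constructed assumptions for illustration.

```python
"""Heuristic detector for DNS-tunneled command-and-control traffic.

Added example (not Kaspersky's analysis code and not any Lyceum sample).
It aggregates DNS query logs per registered domain and flags domains that
show several indicators commonly associated with data smuggled through DNS.
The log format and every domain below are constructed for this example.
"""
import math
from collections import defaultdict

# Constructed sample log lines: "<client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 TXT 3f9a8c2e1b7d4e6f0a1b2c3d4e5f6a7b.c2-placeholder.test
10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-placeholder.test
10.0.0.5 TXT a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.c2-placeholder.test
10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.test
10.0.0.5 A mail.example.com
10.0.0.7 A update.example.org
"""

# Thresholds are illustrative assumptions; tune them against a baseline of
# your own resolver traffic before relying on them.
MIN_AVG_LABEL_LEN = 30       # encoded payload labels are far longer than hostnames
MIN_AVG_ENTROPY = 3.5        # hex payload approaches 4 bits/char, base32/64 higher
MIN_UNIQUE_SUBDOMAINS = 4    # each chunk of data needs a fresh, uncached name
MIN_TXT_RATIO = 0.5          # TXT/NULL answers carry arbitrary bytes back to the client
MIN_INDICATORS = 2           # flag when at least this many indicators fire


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naively split a query name into (subdomain, registered_domain).

    Assumes the registered domain is the last two labels; a real deployment
    should use the Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the constructed '<client_ip> <qtype> <qname>' lines, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[0], parts[1].upper(), parts[2]))
    return records


def score_domains(records):
    """Aggregate queries per registered domain and evaluate tunneling indicators."""
    per_domain = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                      "len_sum": 0, "ent_sum": 0.0})
    for _ip, qtype, qname in records:
        sub, dom = split_name(qname)
        payload = sub.replace(".", "")      # treat all subdomain labels as one data blob
        s = per_domain[dom]
        s["queries"] += 1
        if qtype in ("TXT", "NULL"):
            s["txt"] += 1
        s["subdomains"].add(sub)
        s["len_sum"] += len(payload)
        s["ent_sum"] += shannon_entropy(payload)

    results = {}
    for dom, s in per_domain.items():
        n = s["queries"]
        avg_len = s["len_sum"] / n
        avg_ent = s["ent_sum"] / n
        txt_ratio = s["txt"] / n
        checks = (
            ("long_labels", avg_len > MIN_AVG_LABEL_LEN),
            ("high_entropy", avg_ent > MIN_AVG_ENTROPY),
            ("many_subdomains", len(s["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS),
            ("txt_heavy", txt_ratio > MIN_TXT_RATIO),
        )
        indicators = [name for name, hit in checks if hit]
        results[dom] = {
            "queries": n,
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "txt_ratio": round(txt_ratio, 2),
            "indicators": indicators,
            "suspicious": len(indicators) >= MIN_INDICATORS,
        }
    return results


if __name__ == "__main__":
    for dom, r in score_domains(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{dom:25} {flag:10} {r['indicators']}")
```

Run against the constructed log, the `c2-placeholder.test` domain trips all four indicators while `example.com` and `example.org` trip none. Requiring at least two indicators keeps a single long CDN hostname or a burst of legitimate TXT lookups (SPF, DKIM) from raising an alert on its own; the same aggregation can be keyed by client address as well as domain to spot the one host that is generating the unusual queries.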
The Russian cybersecurity vendor noted that the attack techniques used in the campaign against Tunisian companies resembled tactics previously attributed to hacking operations linked with the DNSpionage group, which, in turn, has exhibited tradecraft overlaps with an Iranian threat actor dubbed OilRig (aka APT34), while calling out the “significant similarities” between lure documents delivered by Lyceum in 2018-2019 and those used by DNSpionage.
“With major revelations on the activity of DNSpionage in 2018, as well as further data points that shed light on an apparent relationship with APT34, […] the latter may have changed some of its modus operandi and organizational structure, manifesting into new operational entities, tools and campaigns,” the researchers said. “One such entity is the Lyceum group, which, following further exposure by Secureworks in 2019, had to retool yet another time.”