Lyceum Group Targets Two Tunisia-Based Entities
The Group Updated Its Malware Arsenal With New Capabilities
Researchers at Kaspersky report that Lyceum group, known for targeting organizations in the energy and telecommunications sectors, has attacked two entities in Tunisia with an updated malware arsenal.
With activity dating back to as early as April 2018, Lyceum, also referred to as Hexane, has targeted telecommunications companies as well as critical systems such as oil and gas organizations in the Middle East, Africa and Central Asia.
"During the past year we were able to reveal a new cluster of the group’s activities in the Middle East. We learned that the group’s latest endeavours are focused on going after entities within one country: Tunisia. The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies," according to a paper presented earlier this month at the Virus Bulletin International Conference by Kaspersky researchers Aseel Kayal, Mark Lechtik, and Paul Rascagneres.
The researchers found that the group has updated its malware arsenal considerably by rebuilding its toolset. The operators behind Lyceum still prefer DNS tunneling for command and control, but have pivoted from the .NET payload referred to as DanBot to a new C++ backdoor and a PowerShell script.
They also use a .NET remote access Trojan to communicate with the command-and-control server over DNS or HTTP.
"A PowerShell script submitted to VirusTotal in November 2020 helped us follow the more recent tracks of this threat group. The script is obfuscated and Base64-encoded, suggesting that it was perhaps trying to evade detection in a victim’s environment," the researchers note.
Once deobfuscated, the code contains many comments left by the attackers, detailing what the script does and explaining the changes from previous versions.
"Some of the functions were also marked as obsolete, suggesting that this script is possibly a work in progress," the researchers say.
The researchers say that analysis of the C2 server used by the PowerShell scripts showed the attackers using several distinct implants written in C++ concurrently against targets in Tunisia.
"Those were leveraged as general backdoors allowing the attacker to run arbitrary commands and download additional payloads to the victim machines, whereby messages exchanged between the C2 and the implant components used a custom protocol tunneled through DNS or HTTP packets," the researchers note.
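The defender-side counterpart to the DNS-tunneled C2 described above is a heuristic over resolver logs. The following is an added example, not code from the article or the Kaspersky paper: it flags parent domains that receive repeated queries whose leftmost label is long and high-entropy, the typical footprint of encoded data riding in DNS. The log layout, the placeholder domain and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "<timestamp> <client_ip> <qname> <qtype>". The C2 domain is a placeholder.
SAMPLE_LOG = """\
2021-10-12T09:00:01Z 10.0.0.5 www.example.com A
2021-10-12T09:00:02Z 10.0.0.5 mail.example.com MX
2021-10-12T09:00:03Z 10.0.0.7 3f9a1c7e2b8d4e6f0a1b2c3d.c2-placeholder.test TXT
2021-10-12T09:00:04Z 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f.c2-placeholder.test TXT
2021-10-12T09:00:05Z 10.0.0.7 1a2b3c4d5e6f7a8b9c0d1e2f.c2-placeholder.test TXT
2021-10-12T09:00:06Z 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 payload labels score well above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Registrable-domain approximation: last two labels (no PSL lookup)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_payload_label(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """Assumed thresholds: a long, high-entropy leftmost label looks like encoded data."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_tunneling_candidates(log_text: str, min_queries: int = 3) -> list:
    """Return parent domains with at least min_queries payload-like queries.
    Counting per parent domain catches the many-unique-subdomains pattern of a
    tunnel, while a single odd CDN hostname stays below the threshold."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip instead of crashing the sweep
        qname = parts[2]
        if is_payload_label(qname.split(".")[0]):
            hits[parent_domain(qname)] += 1
    return sorted(d for d, c in hits.items() if c >= min_queries)

if __name__ == "__main__":
    print(flag_tunneling_candidates(SAMPLE_LOG))  # ['c2-placeholder.test']
```

Tune the thresholds against your own baseline first: legitimate CDN, telemetry and DNS-based anti-spam lookups also produce long labels, so per-parent query counts and client fan-out matter more than any single query.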
The researchers observed samples that could be split into two clusters, with variations in implementation and design.
"As it turns out, the samples within each cluster not only shared code and behavior, but seem to have been derived from sources based in the same directories - e.g., one of the variants had most of its PDBs prefixed with 'c:userskernel' or 'c:usersjames,' while the other used the prefix 'c:kevinprojects.' Consequently, we refer to these variants as 'James' and 'Kevin,'" the researchers say.
Further analysis of these clusters revealed features that distinguished them from each other. The James variant was heavily based on the .NET malware referred to as "DanBot" that was formerly described as being in use by the group. The Kevin variant seemed to introduce several changes in architecture and communication protocol.
The researchers say that the Kevin variant is the newer branch of development in the group's arsenal: based on compilation timestamps, its first samples date back to June 2020, and a new wave of samples from this variant emerged in December 2020.
"We assess that the group shifts its focus on the usage of this variant, as it introduces changes in communication protocols and is mostly compiled for 64-bit systems, except for one 32-bit sample we detected," the researchers note.
The variant aims to facilitate a communication channel that passes arbitrary commands to be executed by the implant.
The researchers report that to do this, "The malware requests files that will be created in the file system and written with commands received from the server using a specified format. The contents of the file will be read and interpreted by the implant according to that format, where predefined keywords will be replaced with certain malware-related paths or used to update internal run-time configurations. In turn, the commands will be executed, issuing the response back to the server."
Before any communication happens, however, the variant may bootstrap and prepare the victim environment for its execution through a set of actions common to many of its samples: hiding the current window from the user with the "ShowWindow" API function, creating a mutex whose name is a lower-case GUID hard-coded in the binary, and checking the arguments with which it was executed.
Links To DNSpionage Group
The Kaspersky researchers reported seeing similarities between Lyceum and the infamous DNSpionage group, which, in turn, was associated with the OilRig cluster of activity. The researchers assess, with medium confidence, that the two activities might be connected.
The researchers also identified the page source of a website the attackers constructed to look benign, posing as an entity named "Digital Marketing Agency," a supposed provider of consulting and development services to customers in various industries around the world.
"This seems to be further evidence that the attackers are investing a significant amount of effort into concealing the malware-related data inside what appears to be otherwise legitimate content, thus potentially evading detection by both analysts and security products," the researchers note. "Besides similar geographical target choices, and the use of DNS or fake websites to tunnel C&C data as a TTP (tools, tactics and procedures), we were able to trace significant similarities between lure documents delivered by Lyceum in the past and those used by DNSpionage."
In 2018, Cisco Talos first described a DNS attack called DNSpionage. That campaign used malware to compromise individual endpoints, but the group behind it also hijacked DNS entries of government agencies to redirect visitors to specific malicious systems (see: Despite Doxing, OilRig APT Group Remains a Threat).
Despite analyses by Talos, CrowdStrike and FireEye, researchers say they could not definitively tie DNSpionage to a particular group. In the OilRig dump, however, Palo Alto's Unit 42 found a DNSpionage-associated tool called webmask, which appears to be a series of scripts specifically meant to perform DNS hijacking.