28 August 2019

New Lyceum APT targets Oil and Gas organizations in the Middle East using simple techniques

The Middle East cyber-espionage landscape has gained a new addition: a threat group whose primary focus is organizations in the oil and gas industry and telecommunication providers. The first reports about the group's activity, tracked by cyber-security firms as Lyceum and Hexane, emerged at the beginning of August. According to researchers at ICS security firm Dragos, who first documented the attacks, the group uses weaponized documents to drop malware and compromise the target network.

Now researchers at Secureworks have released a new report on Lyceum's tactics, techniques, and procedures. According to the report, the Lyceum APT group has been active since at least April 2018, and its activity intensified in early 2019 amid an escalation of tensions within the Middle East. To gain initial access to an organization's systems, the group uses account credentials obtained via a technique known as password spraying or via brute-force attacks. Using the compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools. The primary targets of these spearphishing emails are executives, HR staff, and IT personnel in the same organization.

The researchers observed several tools used in the attacks. One of them is DanBot, a first-stage remote access trojan (RAT) that provides basic remote access capability, including the ability to execute arbitrary commands via cmd.exe and to upload and download files. DanBot is delivered using a VBA macro embedded in an Excel XLS file dubbed DanDrop. Other tools used by the group are kl.ps1 (a PowerShell-based keylogger) and Get-LAPSP.ps1 (a PowerView-based script from the PowerShell Empire framework).

“Despite the initial perception that the maldoc sample was intended for ICS or OT staff, LYCEUM has not demonstrated an interest in those environments. However, CTU researchers cannot dismiss the possibility that the threat actors could seek access to OT environments after establishing robust access to the IT environment. Access to, and through, the IT environment is often a prerequisite to targeting an OT environment,” said the researchers.

Neither Dragos nor Secureworks attributed Lyceum/Hexane to any particular country, but Secureworks pointed out that the observed activity resembles the modus operandi of groups such as COBALT GYPSY (which is related to OilRig, Crambus, and APT34) and COBALT TRINITY (also known as Elfin and APT33), both of which have previously been linked by cybersecurity researchers to Iran.
