Friday, March 29, 2024

Lyceum Hackers Steal Windows Credentials by Deploying a Keylogger Using PowerShell Scripts & a .NET RAT

The Lyceum threat group (aka Hexane) has launched another campaign, this time with an unusual variant of a remote-access trojan (RAT). The attackers use PowerShell scripts and a .NET RAT to deploy a keylogger on targeted Windows systems and steal credentials.

Because this trojan has no specific method of its own for communicating with a command-and-control (C2) server, it may instead be used to proxy traffic between internal network clusters.

These threat actors have been known since early 2018 for striking companies in the energy and telecommunications sectors across the Middle East.

Security researchers at Kaspersky Lab presented their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to the group tracked as Lyceum.

Malware implant

Pivoting on the C2 servers used in the PowerShell scripts led the researchers to several distinct implants written in C++. All of these implants were used by the threat actors concurrently against targets in Tunisia.

As the investigation progressed, the researchers uncovered several key features that distinguish this campaign from the group's earlier activity.

The variants found so far share a comparable operating model: the communication channel is used to drop files, to deliver commands for execution, and to push instructions that change the malware's configuration.

Off of .NET, Onto C++

The group has moved from its earlier .NET malware to new versions written in C++. The new samples fall into two clusters of variants, named:

  • James
  • Kevin

These names appear in artifacts from the systems that were used to compile the malware. Like the original, the new DanBot variants support custom C2 protocols tunneled over DNS or HTTP.

Kevin variant: DNS and HTTP protocols

The ‘Kevin’ variant appears to represent a new branch of development in the group’s arsenal. Its main purpose is to provide a communication channel through which arbitrary commands are delivered to the implant for execution.

The DNS protocol communicates by constructing domain names that are then looked up as either A or TXT record queries. Data is sent to the server by embedding it within the queried domain name itself, so the channel never needs a direct connection to the C2 server, only a resolver that will forward the query.

Some ‘Kevin’ samples ship with a communication channel that exchanges data with the C&C inside HTTP traffic. These variants obtain a command file from the responses to HTTP GET requests issued to the server.

James variant

The James variant, by contrast, is named after a PDB path found in its samples. It accepts only one argument on its command line, and all of its samples are 32-bit.

Moreover, all of its DNS queries are issued through the DnsQuery_A() API rather than by spawning an ‘nslookup’ subprocess.
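As an added illustration (not part of the original article, and not code from Kaspersky or from the Lyceum implants): the DNS channel described above carries data inside the queried name, and the James variant resolves those names through DnsQuery_A() rather than an nslookup child process, so process-creation telemetry will not see it; the resolver's query log is where it shows up. The Python below groups queries by client and parent domain and flags groups whose names consistently carry long, high-entropy prefixes or that are mostly TXT lookups. The log lines, the c2-assumed.test domain, the hex encoding of the embedded data and the thresholds are all constructed assumptions for this example, not details reported on the page.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real Lyceum/DanBot traffic).
# Columns: timestamp, client IP, query type, queried name.
# The hex-looking labels under c2-assumed.test stand in for data that a
# DNS-tunnelling implant embeds in the queried name; the encoding (hex)
# and the parent domain are assumptions made for this example.
SAMPLE_DNS_LOG = """\
2021-10-01T09:00:01 10.0.0.5 A www.example.com
2021-10-01T09:00:02 10.0.0.5 TXT 4a6f686e20536d697468.c2-assumed.test
2021-10-01T09:00:03 10.0.0.5 TXT 70617373776f726420313233.c2-assumed.test
2021-10-01T09:00:04 10.0.0.5 A 3c3f786d6c2076657273696f6e3d.c2-assumed.test
2021-10-01T09:00:05 10.0.0.7 A mail.example.com
2021-10-01T09:00:06 10.0.0.5 TXT 6b657973747261696e.c2-assumed.test
2021-10-01T09:00:07 10.0.0.7 A cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|TXT|CNAME|MX)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high,
    dictionary-word hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (payload, parent): parent is the last two labels, payload is
    everything in front of it with the dots removed, because tunnelled data
    may be spread over several labels to respect the 63-byte label limit.
    Assumes two-label parents; public-suffix handling is out of scope."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qtype, name) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_tunnel_candidates(log_text: str, min_queries: int = 3,
                           min_payload_len: int = 16, min_entropy: float = 3.0,
                           min_txt_ratio: float = 0.5):
    """Group queries by (client, parent domain) and flag groups whose names
    consistently carry long prefixes that are either high-entropy or are
    mostly fetched via TXT records, both signs of data riding in DNS."""
    groups = defaultdict(list)
    for _ts, client, qtype, name in parse_log(log_text):
        payload, parent = split_name(name)
        groups[(client, parent)].append((qtype, payload))

    findings = []
    for (client, parent), entries in groups.items():
        if len(entries) < min_queries:
            continue
        n = len(entries)
        mean_len = sum(len(p) for _q, p in entries) / n
        mean_entropy = sum(shannon_entropy(p) for _q, p in entries) / n
        txt_ratio = sum(1 for q, _p in entries if q == "TXT") / n
        if mean_len >= min_payload_len and (
                mean_entropy >= min_entropy or txt_ratio >= min_txt_ratio):
            findings.append({
                "client": client, "parent": parent, "queries": n,
                "mean_payload_len": mean_len,
                "mean_entropy": round(mean_entropy, 2),
                "txt_ratio": txt_ratio,
            })
    return findings


if __name__ == "__main__":
    for f in find_tunnel_candidates(SAMPLE_DNS_LOG):
        print(f"{f['client']} -> {f['parent']}: {f['queries']} queries, "
              f"mean prefix {f['mean_payload_len']:.1f} chars, "
              f"entropy {f['mean_entropy']}, TXT ratio {f['txt_ratio']:.2f}")
```

On the sample log only the 10.0.0.5 traffic to c2-assumed.test is flagged; the example.com lookups are short dictionary labels and fall below both the length and the query-count thresholds. In production the thresholds need tuning against a baseline, since legitimate services (anti-spam lookups, some CDNs) also issue long or TXT-heavy queries, and the parent-domain split should use a public suffix list rather than the last two labels.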

Lyceum is still active and running large-scale attacks, so the experts strongly recommend that organizations stay alert and perform regular checks that can help detect this kind of activity.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.