Lyceum Hackers Stealing Credentials Windows By Deploy Keylogger Using PowerShell Scripts & .NET RAT

The Lyceum threat group (aka Hexane) again initiated an attack, but this time they have a weird variant of a remote-access trojan (RAT). This time they are using the PowerShell scripts and .NET RAT to deploy keylogger on the targeted Windows system and steal credentials.

Since this trojan doesn’t have any specific method to communicate to a command-and-control (C2) server, so, it might be a very new way to do proxy traffic between internal network clusters. 

However, these threat actors are famous for striking companies that deal with energy and telecommunications sectors across the Middle East in early 2018.

The security researchers of Kaspersky Lab has detected some finding and reported it at the VirusBulletin VB2021 conference earlier this month, where they have connected the attacks to a group tracked as Lyceum.

Malware implant

Rotating on the C2 server used in the PowerShell scripts drove them to various distinct implants that are written in C++. And all these implants were used by the threat actors concurrently toward targets in Tunisia. 

The more the security experts investigated the attack, they discovered many key details about the features that distinguish the attack from the other.

The variants that have been found till now share a comparable operation model and the communication channel is utilized to drop files along with commands to execute or instructions to transform the malware’s configuration. 

Off of .NET, Onto C++

The group has changed from its earlier .NET malware to very new versions written in C++. In this new variant, there are two clusters of variants, named:-

  • James
  • Kevin

These were the names that are present on the systems and were used to compile the malware. The new DanBot variants, support similar custom C2 protocols tunneled over DNS or HTTP, just like the old one.

Kevin variant, DNS protocol, and HTTP protocol

The ‘Kevin’ variant appears to describe a very new branch of development that is shown in the group’s arsenal. The main motive of this variant is to facilitate a communication channel that generally transfers arbitrary commands that are to be executed by the implant.

The DNS protocol is generally used to chat over DNS constructs domains that are published as part of either an A record or TXT type queries. And it also sends data to the server by inserting it within the domain.

There are some ‘Kevin’ samples that were being shipped with a communication channel that conveys data with the C&C as part of HTTP traffic. However, these variants are expected to accomplish a command file from rejoinders to HTTP GET requests that are issued to the server.

James variant

Apart from the Kevin variant, the James variant is based on a PDB path that is practiced in its samples. However, this variant accepts only one dispute in its command line and all of its samples are 32-bit ones.

Moreover, all its queries reading the DNS are performed by using the DnsQuery_A() API rather than executing a subprocess of the ‘nslookup’ utility.

The hacking group Lyceum is initiating the big attack and is still active, that’s why the experts strongly recommended the companies to stay alert and always have regular checkups that will help them to detect this kind of attack.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.

Posted by Charlie