Lyceum Hackers Steal Windows Credentials by Deploying a Keylogger Using PowerShell Scripts and a .NET RAT

The Lyceum threat group (aka Hexane) has launched a new campaign, this time with an unusual variant of a remote-access trojan (RAT). The attackers use PowerShell scripts and a .NET RAT to deploy a keylogger on the targeted Windows system and steal credentials.

The Kevin variant appears to represent a new branch of development in the group's toolset. The main purpose of this version is to provide a communication channel that carries arbitrary commands for the implant to execute.

The DNS protocol used for communication constructs domain names that are issued as part of either A-record or TXT-type queries, and it sends data to the server by embedding it within the queried domain.


Some Kevin samples were delivered with a communication channel that exchanges data with the C&C server as part of HTTP traffic. These variants are expected to obtain a command file from the responses to HTTP GET requests issued to the server.

Apart from the Kevin variant, there is the James variant, named after a PDB path used in its samples. This variant accepts just one argument on its command line, and all of its samples are 32-bit.

Moreover, all of its DNS queries are issued through the DnsQuery_A() API rather than by spawning the nslookup utility as a subprocess.
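The two points above matter for detection: the implant encodes data in the leftmost labels of A and TXT queries, and the James variant issues those queries through DnsQuery_A() rather than a child nslookup process, so a rule that only watches for PowerShell spawning nslookup will miss it. The following added example (not code from the article, Kaspersky, or the malware) scores DNS query logs at the resolver or network level instead, which catches both behaviours. The log format, the client addresses, the zone c2-placeholder-domain.test and every sample line are constructed for the illustration; the thresholds are assumptions to tune per environment.

```python
"""Heuristic detection of DNS-tunnelled C2 traffic in DNS query logs.

Added illustration; not code from the article or from Lyceum's tooling.
The log format and all sample lines below are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample query log: <timestamp> <client_ip> <qtype> <qname>
# The two names under c2-placeholder-domain.test carry hex-encoded text
# in their leading label, the pattern described for the DNS channel.
SAMPLE_DNS_LOG = """\
2021-10-01T09:00:01Z 10.0.0.5 A www.example.com
2021-10-01T09:00:02Z 10.0.0.5 A mail.example.com
2021-10-01T09:00:03Z 10.0.0.7 A cdn-assets-2021.static.example.com
2021-10-01T09:00:04Z 10.0.0.5 TXT 4b6576696e2d636d642d3031.x7q2.c2-placeholder-domain.test
2021-10-01T09:00:05Z 10.0.0.5 A 6d617263682d7265706f7274.p0q.c2-placeholder-domain.test
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded payloads sit near 3-4 bits."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Naively treat the last two labels as the registered zone.
    A real deployment would use the Public Suffix List instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def try_decode_hex(label):
    """Decode a hex label into printable ASCII for analyst triage, else None."""
    if len(label) % 2 or not re.fullmatch(r"[0-9a-f]+", label):
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except ValueError:
        return None
    return text if text.isprintable() else None


def score_query(rec):
    """Score one query; each rule is a weak signal, flagging needs several."""
    score, reasons = 0, []
    leading, _zone = split_name(rec["qname"])
    if rec["qtype"] == "TXT":
        score += 1
        reasons.append("TXT query")
    if len(leading) >= 16:
        score += 1
        reasons.append("long leading label")
    if shannon_entropy(leading) >= 3.0:  # assumed threshold
        score += 1
        reasons.append("high-entropy label")
    if leading and sum(ch.isdigit() for ch in leading) / len(leading) > 0.3:
        score += 1
        reasons.append("digit-heavy label")
    if len(rec["qname"]) > 50:
        score += 1
        reasons.append("long qname")
    return score, reasons


def detect_tunnelling(log_text, min_score=3):
    """Return flagged queries with score, reasons and a decoded preview."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_query(rec)
        if score >= min_score:
            leading, _ = split_name(rec["qname"])
            rec.update(score=score, reasons=reasons,
                       decoded=try_decode_hex(leading))
            flagged.append(rec)
    return flagged


def unique_names_per_zone(log_text):
    """Distinct leading labels per (client, zone): tunnels churn through many."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            leading, zone = split_name(rec["qname"])
            seen[(rec["client"], zone)].add(leading)
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    for hit in detect_tunnelling(SAMPLE_DNS_LOG):
        print(hit["client"], hit["qtype"], hit["qname"],
              hit["score"], hit["reasons"], hit["decoded"])
    print(unique_names_per_zone(SAMPLE_DNS_LOG))
```

Running the block on the constructed log flags only the two names under the placeholder zone (the TXT query scores 5, the A query 4) and decodes their leading labels to the embedded text, while the legitimate-looking cdn-assets-2021 name scores 1 and is ignored. The per-zone count of distinct leading labels is the second signal worth alerting on: a tunnel produces a steady stream of never-repeated names under one zone, which ordinary resolution does not.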

These threat actors are known for attacking businesses in the energy and telecommunications sectors across the Middle East in early 2018.

The Lyceum hacking group is still active and is mounting a large attack, which is why the specialists strongly advise companies to stay alert and perform regular checks that will help them detect this kind of attack.

Security researchers at Kaspersky Lab reported their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to a group tracked as Lyceum.

The group has moved from its earlier .NET malware to new versions written in C++. Within this new code base the researchers distinguish two clusters of versions, the Kevin variant and the James variant.

Off of .NET, Onto C++

James variant

Because this trojan has no specific method of communicating with a command-and-control (C2) server, it may be a new means of proxying traffic between internal network clusters.

As the security specialists examined the attack more closely, they found a great deal of crucial information about the features that distinguish it from others.

The variants found so far share the same operating model: the communication channel is used to drop files as well as commands to execute or instructions to change the malware's configuration.

These were the names present on the systems used to compile the malware. The new DanBot versions support similar custom C2 protocols tunnelled over DNS or HTTP, like the old one.

Malware implant

Pivoting on the C2 server used in the PowerShell scripts led the researchers to several distinct implants written in C++. All of these implants were used by the threat actors concurrently against targets in Tunisia.

Kevin variant, DNS protocol, and HTTP protocol