Lyceum Hackers Stealing Windows Credentials by Deploying a Keylogger Using PowerShell Scripts and a .NET RAT

The Lyceum threat group (aka Hexane) has launched a new attack, this time with an unusual variant of a remote-access trojan (RAT). They are using PowerShell scripts and a .NET RAT to deploy a keylogger on targeted Windows systems and steal credentials.

These threat actors are known for striking companies in the energy and telecom sectors across the Middle East in early 2018.

Security researchers at Kaspersky Lab spotted these findings and reported them at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to a group tracked as Lyceum.

The more the security professionals examined the attack, the more crucial details they uncovered about the features that distinguish it from others.

Off .NET, Onto C++

Pivoting on the C2 server used in the PowerShell scripts led them to several unique implants written in C++. All of these implants were used by the threat actors simultaneously against targets in Tunisia.

The group has moved from its earlier .NET malware to new variants written in C++. In this new version there are two clusters of variants, named:

- Kevin variant
- James variant

These were the names present on the systems that were used to compile the malware. The new DanBot variants support similar custom C2 protocols tunneled over DNS or HTTP, just like the old one.

The variants discovered so far share a similar operational model, and the communication channel is used to drop files as well as commands to execute or instructions to change the malware's configuration.

Kevin variant

The Kevin variant appears to represent a completely new branch of development in the group's arsenal. The main purpose of this variant is to provide a communication channel that typically carries arbitrary commands to be executed by the implant.

DNS protocol

The DNS protocol is normally used to communicate over domains constructed by the malware and issued as part of either A record or TXT type queries. It also sends data to the server by encoding it within the queried domain name.

All of its DNS queries are performed using the DnsQuery_A() API rather than running the nslookup utility as a subprocess.

HTTP protocol

Some Kevin samples were shipped with a communication channel that exchanges data with the C&C as part of HTTP traffic. These versions are expected to retrieve a command file from the responses to HTTP GET requests sent to the server.

James variant

Apart from the Kevin variant, the James variant is named after a PDB path found in its samples. This variant accepts only one argument on its command line, and all of its samples are 32-bit.

Malware implant

Since this trojan does not have any specific method of communicating with a command-and-control (C2) server, it may be a new way to proxy traffic between internal network clusters.

The Lyceum hacking group is launching a major attack and is still active, which is why the experts strongly recommend that companies remain alert and carry out routine checks that will help them detect this type of attack.
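Because the DNS channel described above is driven through the DnsQuery_A() API, no nslookup child process ever appears in process-creation telemetry, so the place to look is DNS query logs. The following is an added defender-side example (not code from the article or from Kaspersky) that scans constructed DNS log lines for the signature such a channel leaves: A/TXT queries whose subdomain labels are long, high-entropy blobs. The log format, the placeholder zone name and the thresholds are all assumptions.

```python
# Added example (not from the article or Kaspersky): flag DNS queries whose
# subdomain labels look like encoded data, the pattern a DNS-tunneled C2
# channel (A/TXT queries with data packed into the queried name) leaves in logs.
import math
from collections import Counter

# Constructed sample log lines: "<client> <qtype> <qname>" (format is an assumption).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT 6a3f9c1e0b7d4a2f8e5c1d9b3a7f0c2e.c2-placeholder.example
10.0.0.5 A 9d1c3e5f7a2b4d6e8f0a1b3c5d7e9f1a.c2-placeholder.example
10.0.0.5 TXT 4b8e2d0f6a1c3e5d7b9f1a3c5e7d9b0f.c2-placeholder.example
10.0.0.7 A mail.example.com
10.0.0.7 A cdn.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; hex or base32 blobs score near 3.5-4, words lower."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def label_features(qname: str):
    """Longest label length and highest label entropy below the registrable zone."""
    labels = qname.rstrip(".").split(".")
    sub = labels[:-2]  # strip the zone itself (assumes two-label zones like example.com)
    longest = max((len(l) for l in sub), default=0)
    entropy = max((shannon_entropy(l) for l in sub), default=0.0)
    return longest, entropy

def flag_tunneling(log_text: str, min_label=24, min_entropy=3.0, min_hits=3):
    """Return {client: hit_count} for clients with at least min_hits suspicious queries."""
    hits = Counter()
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        longest, entropy = label_features(qname)
        # Only A and TXT matter here, because those are the record types the
        # channel is described as using; other types would need their own baseline.
        if qtype in ("A", "TXT") and longest >= min_label and entropy >= min_entropy:
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print(flag_tunneling(SAMPLE_LOG))  # prints {'10.0.0.5': 3}
```

A channel that sends short labels slowly will stay under these thresholds, so pair this with per-client query volume to any single zone. Windows DNS-client ETW events or resolver logs are the usual source of the `<client> <qtype> <qname>` fields assumed here.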