Lyceum Hackers Steal Windows Credentials by Deploying a Keylogger Using PowerShell Scripts & .NET RAT

The DNS-based protocol is used to communicate over DNS by constructing domain names that are issued as part of either A record or TXT type queries; data is sent to the server by embedding it within the queried domain name.

The Kevin variant appears to represent a new branch of development in the group's toolset. The main purpose of this version is to provide a communication channel that transfers the commands to be executed by the implant.

Furthermore, all of its DNS queries are carried out through the DnsQuery_A() API rather than by spawning the nslookup utility as a subprocess.
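As an added example (not code from the Kaspersky report or from the malware itself), the following Python snippet turns the characteristic described above, data carried in the leftmost label of A or TXT queries to an attacker-controlled domain, into a simple detection over constructed DNS query log lines. The log format, client addresses, domains, and the length/entropy thresholds are all assumptions and would need tuning and allowlisting in a real resolver log pipeline.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report): timestamp client qtype qname
SAMPLE_LOG = """\
2021-10-05T09:00:01Z 10.0.0.12 A www.example.com
2021-10-05T09:00:02Z 10.0.0.12 TXT 7a6f6e655f69645f30303137.update.example.net
2021-10-05T09:00:03Z 10.0.0.12 A 636d64203d206469722063.update.example.net
2021-10-05T09:00:04Z 10.0.0.40 A mail.example.com
2021-10-05T09:00:05Z 10.0.0.12 TXT 20433a5c55736572735c.update.example.net
2021-10-05T09:00:06Z 10.0.0.40 TXT _dmarc.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MIN_LABEL_LEN = 16      # assumed threshold: hostnames this long are rare
MIN_ENTROPY = 2.5       # assumed threshold: hex/base32 data is near 3-4 bits per char

def shannon_entropy(s):
    """Bits per character of the string s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def data_label(qname):
    """Return the leftmost label if it looks like encoded data, else None."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:            # no subdomain available to carry data
        return None
    left = labels[0].lower()
    if left.startswith("_"):       # service records such as _dmarc are legitimate
        return None
    if len(left) < MIN_LABEL_LEN or not re.fullmatch(r"[0-9a-z]+", left):
        return None
    return left if shannon_entropy(left) >= MIN_ENTROPY else None

def suspicious_clients(log_text, min_hits=2):
    """Map client -> [(qtype, base_domain, label)] for clients sending
    at least min_hits A/TXT queries whose domain appears to carry data."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, client, qtype, qname = m.groups()
        if qtype not in ("A", "TXT"):
            continue
        label = data_label(qname)
        if label:
            base = ".".join(qname.rstrip(".").split(".")[-2:])
            hits[client].append((qtype, base, label))
    return {c: h for c, h in hits.items() if len(h) >= min_hits}
```

Clients that repeatedly query long, high-entropy labels under one base domain are the ones worth correlating with process telemetry (a process calling DnsQuery_A directly rather than nslookup) on the host in question.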

James variant

Kevin variant, DNS protocol, and HTTP protocol

These threat actors are well known for attacking companies in the energy and telecommunications sectors across the Middle East, beginning in early 2018.

Malware implant

The group has moved from its earlier .NET malware to entirely new variants written in C++. In this new version there are two clusters of variants, named:

The variants found so far share the same operational model: the communication channel is used to drop files along with commands to execute or instructions to change the malware's configuration.

Some Kevin samples ship with a communication channel that exchanges information with the C&C as part of HTTP traffic. These variants are expected to retrieve a command file from the responses to HTTP GET requests issued to the server.

As the security researchers examined the attack further, they found a great deal of key information about the features that distinguish this attack from others.

The Lyceum hacking group is behind this large attack and is still active, which is why the researchers strongly recommend that companies stay alert and perform routine checks that will help them spot this type of attack.

The Lyceum threat group (aka Hexane) has launched another attack, but this time with an unusual version of a remote-access trojan (RAT). They are using PowerShell scripts and a .NET RAT to deploy a keylogger on the targeted Windows system and steal credentials.

Unlike the Kevin variant, the James variant is named after a PDB path found in its samples. This variant accepts only one argument on its command line, and all of its samples are 32-bit.

These are the names present on the systems that were used to compile the malware. The new DanBot versions support similar custom C2 protocols tunneled over DNS or HTTP, just like the old one.

Pivoting on the C2 server used in the PowerShell scripts led them to several distinct implants written in C++. All of these implants were used by the threat actors concurrently against targets in Tunisia.

Security researchers at Kaspersky Lab presented their findings at the VirusBulletin VB2021 conference earlier this month, where they linked the attacks to a group tracked as Lyceum.

Off of .NET, Onto C++

Since this trojan does not have any specific method of communicating with a command-and-control (C2) server, it may be a new way to proxy traffic between internal network clusters.