Lyceum Hackers Stealing Credentials Windows By Deploy Keylogger Using PowerShell Scripts & .NET RAT

The Lyceum threat group (aka Hexane) has once again launched an attack, but this time with an unusual version of a remote-access trojan (RAT). The group is using PowerShell scripts and a .NET RAT to deploy a keylogger on targeted Windows systems and steal credentials.

These threat actors are known for hitting companies in the energy and telecommunications sectors across the Middle East, with activity dating back to early 2018.

Security researchers at Kaspersky Lab spotted the new findings and reported them at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to the group tracked as Lyceum.

Off of .NET, Onto C++

The group has moved away from its earlier .NET malware to entirely new variants written in C++. In this new version there are two clusters of variants, called James and Kevin. These are names that were present on the systems used to compile the malware. The new DanBot versions support comparable custom C2 protocols tunneled over DNS or HTTP, much like the old one.

Pivoting on the C2 server used in the PowerShell scripts led the researchers to several distinct implants written in C++, all of which were used by the threat actors at the same time against targets in Tunisia.

Malware implant

The further the security professionals examined the attack, the more crucial details they uncovered about the features that distinguish it from others.

James variant

Alongside the Kevin variant, the James variant is identified by a PDB path used in its samples. This variant accepts only one argument on its command line, and all of its samples are 32-bit.

Because this trojan has no specific method of communicating with a command-and-control (C2) server, it may be a new way to proxy traffic between internal network clusters.

Kevin variant, DNS protocol, and HTTP protocol

The Kevin variant appears to represent an entirely new branch of development in the group's arsenal. Its main purpose is to provide a communication channel that typically carries arbitrary commands to be executed by the implant.

The DNS protocol is the usual transport: to communicate over DNS, the implant constructs domain names that are issued as part of either A-record or TXT-type queries, and it sends data to the server by embedding it within the queried domain.

Additionally, all of its DNS queries are performed using the DnsQuery_A() API instead of spawning the nslookup utility as a subprocess.

Some Kevin samples ship with a communication channel that exchanges information with the C&C as part of HTTP traffic. These variants are expected to fetch a command file from the responses to HTTP GET requests sent to the server.

The variants found so far share a similar mode of operation, and the communication channel is used to drop files along with commands to execute or instructions to change the malware's configuration.

The Lyceum hacking group is still active and continuing this large-scale campaign, which is why the specialists strongly recommend that companies stay alert and run routine checks that can help them detect this kind of attack.
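The Kevin variant's DNS channel described above (data embedded in A/TXT query names, resolved through the DnsQuery_A() API rather than an nslookup subprocess) has a practical consequence for defenders: a process-tree rule that looks for nslookup children never fires, so the traffic has to be caught at the DNS layer. The following is an added defender-side example, not code from the article or from the Kaspersky research; the DNS and process-creation log lines are constructed samples, c2-placeholder.example is a placeholder domain rather than a real indicator, and the thresholds (four distinct names, a 16-character leading label, 2.8 bits of entropy) are assumptions to tune against your own baseline.

```python
"""Triage of DNS telemetry for implants that tunnel commands and data inside
queried domain names (A/TXT queries), alongside a process-tree rule that shows
why API-based resolution is invisible to it. All log lines are constructed."""
import math
from collections import defaultdict

# Constructed DNS query log: "<timestamp> <client-ip> <qtype> <qname>"
DNS_LOG = """\
2021-10-05T09:12:01Z 10.0.0.15 A www.example.com
2021-10-05T09:12:02Z 10.0.0.15 TXT 4a6f686e2d3132333435.c2-placeholder.example
2021-10-05T09:12:03Z 10.0.0.15 A 7468697320697320612074657374.c2-placeholder.example
2021-10-05T09:12:04Z 10.0.0.15 TXT 636f6d6d616e642d66696c652d7265717565737465.c2-placeholder.example
2021-10-05T09:12:05Z 10.0.0.15 A 2b7b8f1a9c3d4e5f60718293a4b5c6d7.c2-placeholder.example
2021-10-05T09:12:06Z 10.0.0.15 A ff00aa11bb22cc33dd44ee55ff66aa77.c2-placeholder.example
2021-10-05T09:12:07Z 10.0.0.22 A mail.example.com
2021-10-05T09:12:08Z 10.0.0.22 A cdn.example.com
"""

# Constructed process-creation log: "<timestamp> <host> <parent-image> <child-image>"
# implant-placeholder.exe is a hypothetical name; it resolves via DnsQuery_A(),
# so it never spawns nslookup.exe. The only nslookup here is an admin on ws22.
PROC_LOG = """\
2021-10-05T09:12:00Z ws15 explorer.exe implant-placeholder.exe
2021-10-05T09:30:00Z ws22 cmd.exe nslookup.exe
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; hex-encoded payload labels sit around 3-4 bits."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> list[dict]:
    """Split the constructed log format into records (qname normalised)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def registrable_domain(qname: str) -> str:
    """Crude zone cut (last two labels); offline, so no public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def score_dns_tunneling(records, min_unique=4, min_label_len=16, min_entropy=2.8):
    """Group queries by (client, zone) and flag zones that behave like a data
    carrier: many distinct names whose leading label is long and high-entropy.
    TXT share is reported because the page notes TXT as one of the query types."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registrable_domain(r["qname"]))].append(r)
    results = {}
    for key, rs in groups.items():
        leading = [r["qname"].split(".")[0] for r in rs]
        unique = len({r["qname"] for r in rs})
        avg_len = sum(len(lbl) for lbl in leading) / len(leading)
        avg_ent = sum(shannon_entropy(lbl) for lbl in leading) / len(leading)
        txt_ratio = sum(r["qtype"] == "TXT" for r in rs) / len(rs)
        results[key] = {
            "queries": len(rs),
            "unique_names": unique,
            "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "txt_ratio": round(txt_ratio, 2),
            "flagged": unique >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy,
        }
    return results


def find_nslookup_children(text: str) -> list[tuple[str, str]]:
    """Process-tree rule for implants that shell out to nslookup. An implant
    resolving through DnsQuery_A() produces no such child process, so this rule
    alone misses it; the DNS-layer scoring above is what still surfaces it."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _host, parent, child = line.split()
        if child.lower() == "nslookup.exe":
            hits.append((parent, child))
    return hits


if __name__ == "__main__":
    for (client, zone), metrics in score_dns_tunneling(parse_dns_log(DNS_LOG)).items():
        print(client, zone, metrics)
    print("nslookup children seen:", find_nslookup_children(PROC_LOG))
```

Run as-is, the process rule returns only the benign admin lookup on ws22, while the DNS scoring flags the (10.0.0.15, c2-placeholder.example) pair on name count, label length and entropy, and leaves both clients' ordinary example.com lookups alone. The zone cut is deliberately simple; in production, group on the registrable domain from a public-suffix list and baseline the thresholds per environment, since CDNs and some telemetry services also produce long, high-entropy labels.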