Lyceum Hackers Steal Windows Credentials by Deploying a Keylogger Using PowerShell Scripts and a .NET RAT

The Lyceum threat group (aka Hexane) has launched a new wave of attacks, this time with an unusual variant of a remote-access trojan (RAT). The group is using PowerShell scripts and a .NET RAT to deploy a keylogger on targeted Windows systems and steal credentials.

The threat actors are known for attacks on companies in the energy and telecommunications sectors across the Middle East going back to early 2018.

Security researchers at Kaspersky presented their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to the group tracked as Lyceum. The deeper they investigated, the more details they uncovered that distinguish this campaign from the group's earlier activity.

Lyceum is still active, so the researchers strongly recommend that organisations stay alert and carry out routine checks that will help them detect this kind of attack.

Off of .NET, Onto C++

The group has moved from its earlier .NET malware to new versions written in C++. The new code falls into two clusters of variants, named Kevin and James. The names come from the PDB paths present on the systems used to compile the malware. The new DanBot variants support custom C2 protocols tunneled over DNS or HTTP, much like the old one.

Malware implants

Pivoting on the C2 server used by the PowerShell scripts led the researchers to several distinct implants written in C++, all of which the threat actors used concurrently against targets in Tunisia.

One of the trojans found has no specific method of communicating with a C2 server at all, which suggests it may be a new way of proxying traffic between internal network clusters.

The variants discovered so far share the same operating model: the communication channel is used to drop files as well as commands to execute, or instructions to change the malware's configuration.

James variant

The James variant is identified by a PDB path present in its samples. It accepts only one argument on its command line, and all of its samples are 32-bit.

Kevin variant: DNS and HTTP protocols

The Kevin variant appears to represent an entirely new branch of development in the group's arsenal. Its main purpose is to provide a communication channel that carries arbitrary commands for the implant to execute.

When the DNS protocol is used, the implant constructs domain names that it issues as either A-record or TXT-record queries, and it sends data to the server by embedding it in the queried domain name.

All of its DNS lookups are performed through the DnsQuery_A() API rather than by spawning the nslookup utility as a subprocess, so process-creation telemetry that watches for nslookup.exe will not see them; the queries only show up in DNS client or resolver logs.

Some Kevin samples were delivered with a communication channel that conveys data to the C&C as part of HTTP traffic. These variants are expected to obtain a command file from the responses to HTTP GET requests that they issue to the server.
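The following is an added example and not Lyceum's code or Kaspersky's analysis code. It models a DNS-tunnelled channel of the kind described for the Kevin variant, where the client hides its data in the labels of the queried name, and then runs the detection a SOC would apply over DNS query logs. The label layout, the hex encoding, the zone name `cdn-updates.example`, the keystroke chunks and the sample log are all constructed assumptions.

```python
"""DNS-tunnelled C2 channel of the kind described for the Kevin variant, and a
detector that runs over DNS query logs.

Added example, not Lyceum's code and not Kaspersky's analysis code. The label
layout, the hex encoding, the zone name and the sample log are assumptions.
"""
import math
from collections import defaultdict

MAX_LABEL = 63                 # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                 # practical limit for a full name in text form
ZONE = "cdn-updates.example"   # assumed attacker-controlled zone


def encode_query(session, seq, payload, zone=ZONE):
    """Client side: carry `payload` in the name of an A or TXT query.

    Assumed layout: <session>-<seq>.<hex label>[.<hex label>...].<zone>
    Hex keeps every label a legal DNS label; chunks are cut at MAX_LABEL.
    """
    hexdata = payload.hex()
    labels = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    qname = ".".join([f"{session}-{seq}", *labels, zone])
    if len(qname) > MAX_NAME:
        raise ValueError("payload too large for one query; split it across queries")
    return qname


def decode_query(qname, zone=ZONE):
    """Server side: recover (session, seq, payload) from the queried name."""
    if not qname.endswith("." + zone):
        raise ValueError("query is not for our zone")
    labels = qname[:-len(zone) - 1].split(".")
    session, seq = labels[0].rsplit("-", 1)
    return session, int(seq), bytes.fromhex("".join(labels[1:]))


def shannon_entropy(s):
    """Bits per character; hex-encoded data scores higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude 'last two labels' cut; real code would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def query_features(qname):
    reg = registered_domain(qname)
    sub = qname[:max(0, len(qname) - len(reg) - 1)]   # everything left of reg
    return {"sub_len": len(sub), "entropy": shannon_entropy(sub.replace(".", ""))}


def detect_tunneling(log, min_sub_len=60, min_entropy=3.0, min_unique=5):
    """Return the registered domains that look like tunnel endpoints.

    Rule A flags a single query with a long, high-entropy subdomain.
    Rule B flags a domain that receives many distinct subdomains from one
    client, which catches the short keystroke chunks that Rule A misses.
    """
    flagged = set()
    unique = defaultdict(set)
    for client, qname, qtype in log:
        reg = registered_domain(qname)
        unique[(client, reg)].add(qname)
        f = query_features(qname)
        if f["sub_len"] >= min_sub_len and f["entropy"] >= min_entropy:
            flagged.add(reg)
    for (client, reg), names in unique.items():
        if len(names) >= min_unique:
            flagged.add(reg)
    return flagged


# Constructed keylogger buffers that the infected host 10.0.0.7 ships out.
KEYLOG_CHUNKS = [
    b"[notepad] meeting notes for monday",
    b"[chrome] login.corp.example\tjdoe",
    b"[chrome] \tSummer2021!\r\n",
    b"[mstsc] 10.0.0.12\tadministrator\t",
    b"[mstsc] Hunter2!\r\n",
    b"[outlook] forwarding rule created",
]

# Constructed sample log: (client, qname, qtype), the fields a resolver log
# or a Sysmon DNS-query event (Event ID 22) would give you.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "login.microsoftonline.com", "A"),
    ("10.0.0.7", "www.example.com", "A"),
] + [
    ("10.0.0.7", encode_query("k7", i, chunk), "TXT")
    for i, chunk in enumerate(KEYLOG_CHUNKS)
]

if __name__ == "__main__":
    for _, qname, _ in SAMPLE_LOG:
        print(qname, query_features(qname))
    print("flagged:", detect_tunneling(SAMPLE_LOG))
```

Run as a script it prints the features of every query and the flagged zone. Because the implant calls DnsQuery_A() directly, the data source for `detect_tunneling` has to be DNS client telemetry (Sysmon Event ID 22) or the resolver's query log; a rule on nslookup.exe process creation would never fire. Rule B matters in practice because keystroke chunks are short and individually look like ordinary hostnames.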
