Lyceum Hackers Steal Windows Credentials by Deploying a Keylogger Using PowerShell Scripts & .NET RAT

These threat actors are well known for attacks on companies in the energy and telecommunications sectors across the Middle East in early 2018.

Kevin variant, DNS protocol, and HTTP protocol.

Off .NET, onto C++.

The DNS protocol is used to communicate over DNS: the implant constructs domain names that are sent as either A record or TXT queries, and it sends information to the server by embedding it within the queried domain.

The Lyceum hacking group is mounting a large-scale campaign and is still active, which is why the specialists strongly recommend that companies remain alert and perform routine checks that will help them detect this type of attack.

James variant.

The more the security experts investigated the attack, the more essential information they found about the features that distinguish this attack from others.

Some Kevin samples were delivered with a communication channel that exchanges data with the C&C as part of HTTP traffic. These variants are expected to obtain a command file from the responses to HTTP GET requests sent to the server.

The Kevin variant appears to represent a genuinely new branch of development in the group's arsenal. Its main purpose is to support a communication channel that transfers arbitrary commands to be executed by the implant.

Given that this trojan has no specific method of communicating with a command-and-control (C2) server, it might be a brand-new way to proxy traffic between internal network clusters.

The group has switched from its earlier .NET malware to new variants written in C++. Within this new family there are two clusters of variants, named Kevin and James.

Malware implant.

These are the names present on the systems that were used to compile the malware. Like the old one, the new DanBot versions support similar custom C2 protocols tunneled over DNS or HTTP.

All of its DNS queries are performed using the DnsQuery_A() API rather than by running the nslookup utility as a subprocess.
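Because the implant resolves through DnsQuery_A() instead of spawning nslookup, process-creation telemetry will not show it; the DNS query log is where the A/TXT tunnelling described above becomes visible. The following is an added detection sketch, not code from the report or from the malware: it flags clients that repeatedly query a parent domain with long, high-entropy leading labels, the shape that data embedded in a domain name takes. The log format, thresholds and sample lines are all constructed for this example.

```python
import math
from collections import Counter

# Constructed sample DNS query log lines (not from the report):
# timestamp, client IP, query type, queried name
SAMPLE_LOG = """\
2021-10-12T09:00:01 10.0.0.5 A www.example.com
2021-10-12T09:00:02 10.0.0.5 TXT _dmarc.example.com
2021-10-12T09:00:03 10.0.0.7 A 4a6f686e2d73616c65732d7463.update.example-c2.test
2021-10-12T09:00:04 10.0.0.7 TXT 8ac3f1e92b7d04e6f5a1c9d3b2e7f084.update.example-c2.test
2021-10-12T09:00:05 10.0.0.7 A 5f3e2d1c0b9a8f7e6d5c4b3a.update.example-c2.test
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower()}

def suspicious_labels(qname, min_len=20, min_entropy=3.0):
    """Return the leading labels (registrable domain excluded) that are both
    long and high-entropy, i.e. that look like embedded data rather than hostnames."""
    labels = qname.rstrip(".").split(".")
    return [l for l in labels[:-2]
            if len(l) >= min_len and shannon_entropy(l) >= min_entropy]

def detect(log_text, min_len=20, min_entropy=3.0, min_hits=2):
    """Count A/TXT queries with suspicious labels per (client, parent domain)
    and return the pairs that exceed min_hits; repetition separates a
    tunnel from a one-off odd-looking name."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] not in ("A", "TXT"):
            continue
        if suspicious_labels(rec["qname"], min_len, min_entropy):
            parent = ".".join(rec["qname"].split(".")[-2:])
            hits[(rec["client"], parent)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

if __name__ == "__main__":
    for (client, parent), n in detect(SAMPLE_LOG).items():
        print(f"{client} sent {n} suspicious A/TXT queries under {parent}")
```

Thresholds are a starting point: CDN and anti-spam lookups also produce long labels, so tune min_len and min_entropy against your own baseline before alerting on the output.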

As with the Kevin variant, the James variant is named after a PDB path found in its samples. However, this variant accepts only one argument on its command line, and all of its samples are 32-bit.

Security researchers at Kaspersky Lab presented their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to a group tracked as Lyceum.

Pivoting on the C2 server used in the PowerShell scripts led them to several distinct implants written in C++. All of these implants were used by the threat actors concurrently against targets in Tunisia.


The Lyceum threat group (aka Hexane) has once again launched an attack, but this time with an unusual version of a remote-access trojan (RAT). They are using PowerShell scripts and a .NET RAT to deploy a keylogger on the targeted Windows system and steal credentials.

The variants found so far share an equivalent operational design, and the communication channel is used to drop files along with commands to execute or instructions to change the malware's configuration.