Lyceum Hackers Stealing Windows Credentials by Deploying a Keylogger Using PowerShell Scripts & .NET RAT

The Lyceum threat group (aka Hexane) has launched a new attack, this time with an unusual variant of a remote-access trojan (RAT). The operators use PowerShell scripts and a .NET RAT to deploy a keylogger on targeted Windows systems and steal credentials.

Security researchers at Kaspersky Lab uncovered the activity and presented their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to the group tracked as Lyceum.

The threat actors are well known for targeting companies in the energy and telecommunications sectors across the Middle East, with activity going back to early 2018.

The further the researchers dug into the attack, the more details they uncovered about the features that set it apart from the group's earlier operations.

Off of .NET, Onto C++

The group has moved from its earlier .NET malware to new versions written in C++. Within this new toolset there are two clusters of variants, named James and Kevin. These are names taken from the systems used to compile the malware. The new DanBot variants support similar custom C2 protocols tunneled over DNS or HTTP, just like the older versions.

Pivoting on the C2 server used by the PowerShell scripts led the researchers to several distinct implants written in C++. All of these implants were used by the threat actors concurrently against targets in Tunisia.

Kevin variant, DNS protocol, and HTTP protocol

The Kevin variant appears to represent a new branch of development in the group's arsenal. Its main purpose is to provide a communication channel over which arbitrary commands are delivered for the implant to execute.

The DNS protocol variant communicates over DNS by constructing domain names and issuing them as either A record or TXT record queries. Data is sent to the server by embedding it in the queried domain name.

All of its DNS lookups are performed with the DnsQuery_A() API rather than by spawning the nslookup utility as a subprocess. For defenders this matters: no child process is created, so process-creation telemetry will not show the lookups, and DNS-level visibility (for example Sysmon Event ID 22 or resolver logs) is needed to see them.

Some Kevin samples were instead delivered with a communication channel that exchanges data with the C&C server as part of HTTP traffic. These variants obtain a command file from the responses to HTTP GET requests that they issue to the server.

James variant

Apart from Kevin, the James variant is named after a PDB path found in its samples. This variant accepts only one command-line argument, and all of its samples are 32-bit.

Malware implant

The variants found so far share a similar operating model: the communication channel is used to drop files, along with commands to execute or instructions to change the malware's configuration.

One of the trojans has no specific method of communicating with a command-and-control (C2) server, which suggests it may be intended to proxy traffic between internal network segments.

Lyceum remains active and the campaign is ongoing, so the researchers strongly recommend that organizations stay alert and run regular checks that can detect this type of attack.
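As an added illustration of the kind of check the DNS tunneling description above calls for, here is a small detector that rolls up DNS query logs per registered domain and flags names that carry data in their labels: many unique subdomains, long high-entropy labels, and an unusual share of TXT queries. This is example code written for this page, not code from the article, from Kaspersky, or from the Lyceum implants. The log format, the sample lines, the thresholds, and the "last two labels" approximation of a registered domain are all assumptions made for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample resolver log, not taken from the article or from any
# real incident. Assumed format: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2021-10-12T09:15:01Z 10.0.0.5 A www.example.com
2021-10-12T09:15:02Z 10.0.0.5 AAAA mail.example.com
2021-10-12T09:15:03Z 10.0.0.5 A cdn.example.com
2021-10-12T09:15:04Z 10.0.0.7 A q7m2x9ka3vz0pl8wb5ry4tn6hd.update-sync.test
2021-10-12T09:15:05Z 10.0.0.7 TXT zk4h8n1vq3wy7rb0cd5ml9se2p.update-sync.test
2021-10-12T09:15:06Z 10.0.0.7 A t5bx1n8qw3zv6kr9ym2pa7hc0d.update-sync.test
2021-10-12T09:15:07Z 10.0.0.7 TXT m9rk2pv7xq4bw1zn6ht3ys8ca5.update-sync.test
2021-10-12T09:15:08Z 10.0.0.7 A w3yn6qb0vk9xr2mp5tz8hs1dc4.update-sync.test
2021-10-12T09:15:09Z 10.0.0.9 A sso.corp-portal.example
2021-10-12T09:15:10Z 10.0.0.9 A static.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (subdomain, registered_domain).

    Assumption for this example: the registered domain is the last two
    labels. A real deployment should use a public-suffix list so that
    names such as host.example.co.uk are handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class DomainStats:
    queries: int = 0
    txt_queries: int = 0
    subdomains: set = field(default_factory=set)
    total_sub_len: int = 0
    total_entropy: float = 0.0

    @property
    def mean_sub_len(self) -> float:
        return self.total_sub_len / self.queries if self.queries else 0.0

    @property
    def mean_entropy(self) -> float:
        return self.total_entropy / self.queries if self.queries else 0.0

    @property
    def txt_ratio(self) -> float:
        return self.txt_queries / self.queries if self.queries else 0.0


def aggregate(log_text: str) -> dict:
    """Roll query-log lines up per registered domain."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qtype, qname = parts
        sub, domain = split_qname(qname)
        st = stats[domain]
        st.queries += 1
        if qtype.upper() == "TXT":
            st.txt_queries += 1
        st.subdomains.add(sub)
        payload = sub.replace(".", "")  # the part that can carry smuggled data
        st.total_sub_len += len(payload)
        st.total_entropy += shannon_entropy(payload)
    return stats


def flag_tunneling(log_text: str, min_unique=3, min_len=16, min_entropy=3.5) -> dict:
    """Return {domain: [reasons]} for domains showing at least two independent
    signs of data being carried in the query name."""
    findings = {}
    for domain, st in aggregate(log_text).items():
        reasons = []
        if len(st.subdomains) >= min_unique and st.mean_sub_len >= min_len:
            reasons.append(f"{len(st.subdomains)} unique subdomains, mean label length {st.mean_sub_len:.1f}")
        if st.mean_entropy >= min_entropy:
            reasons.append(f"mean label entropy {st.mean_entropy:.2f} bits/char")
        if st.txt_queries and st.txt_ratio >= 0.25:
            reasons.append(f"TXT queries are {st.txt_ratio:.0%} of traffic")
        if len(reasons) >= 2:  # require corroboration to limit false positives
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in flag_tunneling(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

The two-signal rule matters: CDNs and cloud services legitimately produce many unique subdomains, and some benign hostnames are random-looking, so a single feature on its own is noisy. On the constructed log only update-sync.test trips all three signals; the benign example.com traffic has many subdomains but short, low-entropy labels and no TXT queries. Because the implant calls DnsQuery_A() directly, this kind of log is the place the activity shows up; a hunt for nslookup.exe child processes would find nothing.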