Lyceum Hackers Stealing Windows Credentials by Deploying a Keylogger Using PowerShell Scripts and a .NET RAT

The Lyceum threat group (aka Hexane) has launched another attack, this time with an unusual variant of a remote-access trojan (RAT). The attackers use PowerShell scripts and a .NET RAT to deploy a keylogger on the targeted Windows system and steal credentials.

These threat actors are known for attacks on organizations in the energy and telecommunications sectors across the Middle East in early 2018.

Security researchers at Kaspersky Lab detected the activity and reported their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to a group tracked as Lyceum.

Off .NET, onto C++

The group has shifted from its earlier .NET malware to new variants written in C++. The new malware falls into two clusters of variants, named James and Kevin.

These names were present on the systems that were used to build the malware. The new DanBot variants support similar custom C2 protocols tunneled over DNS or HTTP, just like the old one.

Malware implant

The variants discovered so far share a similar operational design, and the communication channel is used to drop files along with commands to execute or instructions to change the malware's configuration.

Kevin variant: DNS protocol and HTTP protocol

The Kevin variant appears to represent a new branch of development in the group's toolset. Its main purpose is to provide a communication channel that transfers arbitrary commands to be executed by the implant.

The DNS protocol is used to communicate over DNS by constructing domains that are issued as part of either A record or TXT queries, and it sends data to the server by embedding it within the domain.

Furthermore, all of its DNS queries are performed using the DnsQuery_A() API rather than by spawning a subprocess of the nslookup utility.

Some Kevin samples were delivered with a communication channel that exchanges data with the C&C as part of HTTP traffic. These variants are expected to retrieve a command file from the responses to HTTP GET requests issued to the server.

James variant

Apart from the Kevin variant, there is the James variant, named after a PDB path found in its samples. This variant accepts just one argument on its command line, and all of its samples are 32-bit.

Given that this trojan has no particular method for communicating with a command-and-control (C2) server, it may be a new means of proxying traffic between internal network clusters.

The more the security specialists investigated the attack, the more essential information they discovered about the functions that distinguish this attack from others.

Pivoting on the C2 server used in the PowerShell scripts led them to several distinct implants written in C++, all of which were used by the threat actors concurrently against targets in Tunisia.

The Lyceum hacking group is conducting a large-scale attack and is still active, which is why the specialists strongly advise companies to stay alert and conduct regular inspections that will help them identify this kind of attack.
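The DNS channel described in this article leaves a recognizable trace in resolver logs: one client issuing many A or TXT queries whose subdomains are long, high-entropy blobs rather than hostnames, all under a single registered domain. The following Python script is an added example of how a defender might hunt for that pattern; it is not code from the article or from Kaspersky's research. The log line format, the two-label rule for the registered domain, the thresholds, and the sample log lines (including the `c2-placeholder.test` domain) are all constructed assumptions.

```python
"""Heuristic hunt for DNS-tunnelled C2 in resolver logs.

Added example for this article, not Kaspersky's or the article's code. It flags
registered domains that receive many distinct, long, high-entropy subdomains in
A or TXT queries, which is the footprint the DNS channel described above would
leave. Log format, field order and thresholds are assumptions; the sample log
lines below are constructed.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log in an assumed format: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2021-10-01T10:00:01Z 10.0.0.5 A www.example-news.test
2021-10-01T10:00:02Z 10.0.0.5 A cdn.example-news.test
2021-10-01T10:00:03Z 10.0.0.5 TXT _dmarc.example-news.test
2021-10-01T10:00:04Z 10.0.0.5 A aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example-news.test
2021-10-01T10:00:05Z 10.0.0.7 A 4a7b3c9d1e2f8a0b5c6d7e8f9a0b1c2d.c2-placeholder.test
2021-10-01T10:00:06Z 10.0.0.7 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.c2-placeholder.test
2021-10-01T10:00:07Z 10.0.0.7 A 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.c2-placeholder.test
2021-10-01T10:00:08Z 10.0.0.7 TXT 6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b.c2-placeholder.test
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain_part).

    Assumes the registrable domain is the last two labels; a production
    version would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def is_suspicious(qname: str, min_len: int = 24, min_entropy: float = 3.0) -> bool:
    """A subdomain that is both long and high-entropy looks like encoded payload
    rather than a hostname. Long but repetitive labels (entropy near 0) pass."""
    _, sub = split_qname(qname)
    data = sub.replace(".", "")
    return len(data) >= min_len and shannon_entropy(data) >= min_entropy


def parse_log(text: str):
    """Yield (timestamp, client, qtype, qname) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def detect_tunneling(log_text: str, min_unique: int = 3, **thresholds):
    """Group suspicious A/TXT queries by registered domain and report those with
    at least `min_unique` distinct subdomains: a data channel repeats the
    pattern, while a single odd-looking hostname usually does not."""
    seen = defaultdict(lambda: {"clients": set(), "qtypes": set(), "subdomains": set()})
    for _ts, client, qtype, qname in parse_log(log_text):
        if qtype not in ("A", "TXT") or not is_suspicious(qname, **thresholds):
            continue
        domain, sub = split_qname(qname)
        seen[domain]["clients"].add(client)
        seen[domain]["qtypes"].add(qtype)
        seen[domain]["subdomains"].add(sub)
    report = {}
    for domain, entry in seen.items():
        if len(entry["subdomains"]) >= min_unique:
            report[domain] = {
                "clients": sorted(entry["clients"]),
                "qtypes": sorted(entry["qtypes"]),
                "unique_subdomains": len(entry["subdomains"]),
            }
    return report


if __name__ == "__main__":
    for domain, info in detect_tunneling(SAMPLE_LOG).items():
        print(f"{domain}: {info['unique_subdomains']} encoded subdomains "
              f"from {info['clients']} via {info['qtypes']}")
```

Run against the constructed log, the script reports only `c2-placeholder.test`, with four distinct encoded subdomains from one client over both A and TXT queries; the long but repetitive `aaaa...` label under the benign domain is not flagged because its entropy is zero. Thresholds need tuning per environment, since CDNs and some telemetry services also emit hash-like subdomains, which is why the `min_unique` count and the per-client grouping matter more than any single query. Note too that because the implant resolves names through the DnsQuery_A() API rather than by spawning nslookup, process-creation telemetry will not show the lookups; resolver or network-level DNS logs such as the ones modelled here are where this channel becomes visible.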