Lyceum Hackers Stealing Windows Credentials by Deploying a Keylogger Using PowerShell Scripts & .NET RAT

Some Kevin samples were shipped with a communication channel that exchanges data with the C&C server inside ordinary HTTP traffic instead of DNS. These variants are expected to obtain a command file from the responses to HTTP GET requests they send to the server.

One of the variants contains no logic for communicating with a command-and-control (C2) server at all, which suggests it may be a new means of proxying traffic between internal network clusters.


The Lyceum campaign is ongoing and the group remains active, which is why researchers strongly advise organizations to stay alert and carry out routine inspections that can help uncover this type of attack.

Security researchers at Kaspersky Lab detected the activity and reported their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to a group tracked as Lyceum.

In the DNS variant, the implant talks to the server over DNS itself: it constructs domain names that are resolved through either A-record or TXT-record queries, and it sends data to the server by embedding that data within the queried domain name (the subdomain labels below the attacker-controlled zone).
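To make the construct concrete, the following is an added example written for this article; it is not Lyceum's code and not Kaspersky's, and the encoding it uses (base32 chunks, two 60-character labels per query, a sequence label, the session label "sess7" and the zone "c2.example") is an assumption chosen for the demonstration rather than the group's actual scheme. It shows both sides of the channel (splitting a buffer into query names that stay within DNS label and name limits, and reassembling it on the server) and then runs a simple detector over constructed resolver log lines that flags a base domain receiving many unique, long, high-entropy A/TXT queries.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Added example, not Lyceum's code: an illustrative reconstruction of the DNS
# tunnelling construct (data carried in the labels of A/TXT queries) plus a
# detector over constructed resolver log lines. Names below are hypothetical.
C2_DOMAIN = "c2.example"      # hypothetical attacker-controlled zone
MAX_LABEL = 63                # RFC 1035 label limit
MAX_NAME = 253                # practical limit on a full domain name


def encode_queries(session_id, payload, label_len=60, labels_per_query=2):
    """Client side: split payload into names <seq>.<data>[.<data>].<session>.<zone>.

    Base32 is an assumption for the demo; it survives case-folding resolvers.
    """
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    per_query = label_len * labels_per_query
    names = []
    for seq, pos in enumerate(range(0, len(b32), per_query)):
        chunk = b32[pos:pos + per_query]
        labels = [chunk[i:i + label_len] for i in range(0, len(chunk), label_len)]
        name = ".".join([str(seq), *labels, session_id, C2_DOMAIN])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError("query name exceeds DNS limits")
        names.append(name)
    return names


def decode_queries(names):
    """Server side: reassemble the payload from the query names (any arrival order)."""
    trailing = len(C2_DOMAIN.split(".")) + 1      # session label + zone labels
    chunks = {}
    for name in names:
        parts = name.split(".")
        chunks[int(parts[0])] = "".join(parts[1:-trailing])
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)                   # restore base32 padding
    return base64.b32decode(b32)


def shannon_entropy(text):
    """Bits per character of the given string (0.0 for an empty string)."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def base_domain(qname):
    # naive two-label registered domain; a real detector would use the public suffix list
    return ".".join(qname.split(".")[-2:])


def detect_tunnelling(log_lines, min_len=100, min_entropy=3.5, min_unique=20):
    """Flag base domains receiving many unique, long, high-entropy A/TXT queries.

    Returns {base_domain: (unique_names, long_high_entropy_queries)}.
    Log line format (constructed for this example): "<ts> <client> <qtype> <qname>".
    """
    unique_names = defaultdict(set)
    hits = defaultdict(int)
    for line in log_lines:
        _ts, _client, qtype, qname = line.split()
        if qtype not in ("A", "TXT"):
            continue
        bd = base_domain(qname)
        unique_names[bd].add(qname)
        data_part = qname[:-len(bd) - 1].replace(".", "")   # everything below the zone
        if len(qname) >= min_len and shannon_entropy(data_part) >= min_entropy:
            hits[bd] += 1
    findings = {}
    for bd, names in unique_names.items():
        if len(names) >= min_unique and hits[bd] >= min_unique // 2:
            findings[bd] = (len(names), hits[bd])
    return findings


def constructed_payload(n=2048):
    """Deterministic pseudo-random bytes standing in for an encrypted keylog buffer (constructed)."""
    out, block = b"", b"constructed-keylog-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_log():
    """Constructed resolver log: benign lookups interleaved with tunnelled queries."""
    benign = ["www.example.com", "mail.example.com",
              "update.microsoft.com", "login.microsoftonline.com"]
    lines = [f"2021-10-05T10:00:{i % 60:02d}Z 10.0.0.5 A {q}" for i, q in enumerate(benign * 10)]
    for i, q in enumerate(encode_queries("sess7", constructed_payload())):
        lines.append(f"2021-10-05T10:01:{i % 60:02d}Z 10.0.0.5 {'A' if i % 2 else 'TXT'} {q}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for bd, (n_unique, n_hits) in detect_tunnelling(SAMPLE_LOG).items():
        print(f"{bd}: {n_unique} unique names, {n_hits} long high-entropy queries")
```

The thresholds are deliberately low so the embedded sample trips them; in production they should be tuned per resolver, and the base-domain split should use the public suffix list, since the naive two-label split above would lump all of `co.uk` together. The point of the detector is that the tunnel leaves no process-level trace to look for; the only evidence is the shape of the queries themselves.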

The Lyceum threat group (aka Hexane) has once again launched an attack, but this time with an unusual variant of a remote-access trojan (RAT). The group is using PowerShell scripts and a .NET RAT to deploy a keylogger on targeted Windows systems and steal credentials.

Apart from the Kevin variant, there is the James variant, named after a PDB path present in its samples. This variant accepts only one argument on its command line, and all of its samples are 32-bit.

Pivoting on the C2 server used in the PowerShell scripts led the researchers to several distinct implants written in C++. All of these implants were used by the threat actors simultaneously against targets in Tunisia.

Off .NET, Onto C++

The threat actors are known for targeting organizations in the energy and telecommunications sectors across the Middle East as early as 2018.

Malware implants

These are the names found on the systems used to compile the malware. The new DanBot variants support similar custom C2 protocols tunnelled over DNS or HTTP, just like the old one.

Kevin variant: DNS protocol and HTTP protocol

Additionally, all of its DNS queries are performed through the DnsQuery_A() API rather than by spawning the nslookup utility as a subprocess. For defenders this matters: process-creation telemetry that looks for nslookup.exe will not see this traffic, so the queries are only visible at the DNS client (for example Windows DNS client event logs) or at the resolver.

The more the researchers investigated the attack, the more key details they found about the features that distinguish it from others.

The variants found so far share a similar operating model: the communication channel is used to drop files, together with commands to execute or instructions to change the malware's configuration.

James variant

The group has moved from its earlier .NET malware to new variants written in C++. Among the new implants there are two clusters of variants, named James and Kevin.

The Kevin variant appears to represent a new branch of development in the group's arsenal. Its main purpose is to provide a communication channel that carries arbitrary commands to be executed by the implant.