Lyceum Hackers Stealing Windows Credentials by Deploying a Keylogger Using PowerShell Scripts & .NET RAT

Because this trojan has no specific method of communicating with a command-and-control (C2) server, it might be a new way of proxying traffic between internal network clusters.

These threat actors are well known for having struck companies in the energy and telecommunications sectors across the Middle East in early 2018.


The Kevin variant appears to represent a new branch of development in the group's arsenal. Its primary purpose is to provide a communication channel that carries arbitrary commands to be executed by the implant.

The variant that communicates over DNS constructs domain names that it issues as either A-record or TXT-record queries, and it sends data to the server by embedding it within the queried domain name.
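Data smuggled inside queried domain names leaves a footprint in resolver logs: unusually long or encoded leftmost labels, a steady stream of never-repeated subdomains under one registered domain, and TXT queries whose labels look nothing like words. The following detector is an added example written for this article, not code from the original page or from Kaspersky; the log format (timestamp, client, query type, query name) and the sample lines, including the `c2-placeholder.test` domain, are constructed for illustration, and the thresholds are starting points to tune against your own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not taken from the article).
# Fields: timestamp client qtype qname
SAMPLE_DNS_LOG = """\
2021-10-05T08:00:01 10.0.0.12 A www.example.com
2021-10-05T08:00:02 10.0.0.12 TXT 6a6f686e2d707774.k3x9.c2-placeholder.test
2021-10-05T08:00:03 10.0.0.12 A mail.example.com
2021-10-05T08:00:04 10.0.0.12 A 4d5a90000300000004000000ffff0000b8.k3x9.c2-placeholder.test
2021-10-05T08:00:05 10.0.0.12 TXT 00004000000000000000000000000000.k3x9.c2-placeholder.test
2021-10-05T08:00:06 10.0.0.12 A cdn.example.com
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")   # hex-encoded payload chunk
MAX_NORMAL_LABEL = 20                         # longer labels usually carry data
TXT_ENTROPY_LIMIT = 2.5                       # bits/char; encoded data scores higher than words


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels). Production code should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def query_indicators(qtype: str, qname: str) -> list:
    """Reasons a single query looks like it carries tunnelled data (empty list if none)."""
    first = qname.split(".")[0].lower()
    reasons = []
    if len(first) > MAX_NORMAL_LABEL:
        reasons.append("long-label")
    if HEX_LABEL.match(first):
        reasons.append("hex-encoded-label")
    if qtype == "TXT" and shannon_entropy(first) >= TXT_ENTROPY_LIMIT:
        reasons.append("high-entropy-txt")
    return reasons


def summarize(log_text: str, min_flagged: int = 2) -> dict:
    """Group queries by (client, registered domain); keep groups with at least
    `min_flagged` data-carrying queries. Returns {"client->domain": stats}."""
    stats = defaultdict(lambda: {"queries": 0, "flagged": 0,
                                 "unique_labels": set(), "reasons": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash
        _ts, client, qtype, qname = parts
        entry = stats[(client, registered_domain(qname))]
        entry["queries"] += 1
        entry["unique_labels"].add(qname.split(".")[0])
        reasons = query_indicators(qtype, qname)
        if reasons:
            entry["flagged"] += 1
            entry["reasons"].update(reasons)
    return {
        f"{client}->{domain}": {
            "queries": e["queries"],
            "flagged": e["flagged"],
            "unique_labels": len(e["unique_labels"]),
            "reasons": sorted(e["reasons"]),
        }
        for (client, domain), e in stats.items()
        if e["flagged"] >= min_flagged
    }


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_DNS_LOG).items():
        print(key, info)
```

Note that the PE-like chunk in the sample (`4d5a9000...`) has low entropy because it is mostly zero bytes, so an entropy check alone would miss it; the length and hex-pattern checks are what catch it, which is why the detector combines several indicators and scores per domain rather than per query. Because the implant resolves names through an API rather than spawning a lookup tool (as described later in the article), this kind of resolver-level telemetry is the place to look, not process-creation events.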

These are the names that existed on the systems used to compile the malware. Like the old one, the new DanBot variants support similar custom C2 protocols tunneled over DNS or HTTP.

As the security researchers examined the attack further, they discovered key details about the features that distinguish it from others.

Apart from the Kevin variant, the James variant is named after a PDB path found in its samples. This variant accepts only one argument on its command line, and all of its samples are 32-bit.

Kevin variant, DNS protocol, and HTTP protocol.

The Lyceum hacking group launched a large attack and is still active, which is why the specialists strongly recommend that businesses stay alert and perform routine checks that will help them discover this type of attack.

The Lyceum threat group (aka Hexane) has once again launched an attack, this time with an unusual variant of a remote-access trojan (RAT). They are using PowerShell scripts and a .NET RAT to deploy a keylogger on the targeted Windows system and steal credentials.

Off of .NET, Onto C++.

The group has moved from its earlier .NET malware to new versions written in C++. In this new version there are two clusters of variants, called:

The versions found so far share a similar operating model, and the communication channel is used to drop files as well as commands to execute or instructions to change the malware's configuration.

Security researchers at Kaspersky Lab reported their findings at the VirusBulletin VB2021 conference earlier this month, where they attributed the attacks to a group tracked as Lyceum.

Some Kevin samples ship with a communication channel that exchanges data with the C&C as part of HTTP traffic. These variants are expected to obtain a command file from the responses to HTTP GET requests issued to the server.
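An implant that fetches a command file by repeated HTTP GET requests tends to poll on a fixed schedule and to receive the same small response whenever no new command is waiting, which is visible in proxy logs as low-jitter beaconing to one host. The script below is an added example written for this article, not code from the original page or from Kaspersky; the proxy log format (timestamp, client, method, URL, status, response bytes) and the sample entries, including the `c2-placeholder.test` host, are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log (not taken from the article).
# Fields: timestamp client method url status bytes
SAMPLE_PROXY_LOG = """\
2021-10-05T09:00:00 10.0.0.12 GET http://c2-placeholder.test/cmd.txt 200 312
2021-10-05T09:00:07 10.0.0.12 GET http://www.example.com/index.html 200 51234
2021-10-05T09:05:01 10.0.0.12 GET http://c2-placeholder.test/cmd.txt 200 312
2021-10-05T09:09:58 10.0.0.12 GET http://c2-placeholder.test/cmd.txt 200 312
2021-10-05T09:10:30 10.0.0.12 GET http://www.example.com/news 200 8732
2021-10-05T09:15:02 10.0.0.12 GET http://c2-placeholder.test/cmd.txt 200 312
2021-10-05T09:20:00 10.0.0.12 GET http://c2-placeholder.test/cmd.txt 200 312
2021-10-05T09:31:11 10.0.0.12 GET http://www.example.com/about 200 4401
"""


def parse_proxy_log(log_text: str) -> list:
    """Parse log lines into (time, client, method, host, size) tuples, skipping malformed ones."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, _status, size = parts
        records.append((datetime.fromisoformat(ts), client, method,
                        urlparse(url).hostname, int(size)))
    return records


def beacon_candidates(log_text: str, min_requests: int = 4,
                      max_jitter: float = 0.1) -> dict:
    """Find (client, host) pairs polled with GET at a near-constant interval.

    jitter = population stddev of inter-request gaps / mean gap; a human browsing
    a site produces high jitter, a scheduled poller produces very low jitter.
    Returns {"client->host": {requests, mean_interval_s, jitter, distinct_sizes}}.
    """
    by_pair = defaultdict(list)
    for when, client, method, host, size in parse_proxy_log(log_text):
        if method == "GET" and host:
            by_pair[(client, host)].append((when, size))

    results = {}
    for (client, host), hits in by_pair.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            results[f"{client}->{host}"] = {
                "requests": len(hits),
                "mean_interval_s": avg,
                "jitter": jitter,
                # a command channel with nothing queued returns the same body every time
                "distinct_sizes": len({size for _, size in hits}),
            }
    return results


if __name__ == "__main__":
    for key, info in beacon_candidates(SAMPLE_PROXY_LOG).items():
        print(key, info)
```

In the sample the polling host is hit every five minutes with a few seconds of drift, so its jitter is under one percent and every response is 312 bytes, while the ordinary browsing to `www.example.com` never reaches the request threshold. Real implants often add deliberate random sleep, so in practice the jitter ceiling is tuned upward and the constant response size is used as a second signal rather than a requirement.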

James variant.

Furthermore, all of its DNS lookups are performed using the DnsQuery_A() API rather than spawning the nslookup utility as a subprocess.

Pivoting on the C2 server used in the PowerShell scripts led them to several distinct implants written in C++, all of which the threat actors used concurrently against targets in Tunisia.

Malware implant.