A blog post from Secureworks’ Cyber Threat Unit Research Team has shined a light on the activities of a threat group gaining traction. The group, dubbed Lyceum by Secureworks researchers, was first discovered around May 2019 but is thought to have flown under the radar. According to CTU researcher calculations, Lyceum began their activity most likely around April 2018.
Lyceum focuses their attacks on “sectors of strategic national importance, including oil and gas and possibly telecommunications,” and data shows their attacks are now focusing on the Middle East. Lyceum’s methods are not the most finessed but are certainly effective. The threat group initially gains access to an organization by stealing account credentials through password spraying or brute-forcing. Once in, Lyceum begins sending spear-phishing emails in large quantities in hopes of infecting the network with DanBot malware. DanBot, once released, unleashes numerous post-exploitation tools. The tools are mostly PowerShell-based, including kl.ps1 which is a PowerShell keylogger.
Secureworks states the following about DanBot:
A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files… The DNS channel of DanBot’s C2 protocol uses both IPv4 A records and IPv6 AAAA records for communication. The HTTP channel has evolved slightly since the early 2018 samples but retains common elements throughout.
It is not known at this time what is driving Lyceum to target Middle Eastern energy companies. Before this, they were focused on targets in South Africa, so political motives via nation-states or cyberterrorism can likely be ruled out. At this point, it is pure conjecture what Lyceum’s motives are, but regardless of this, energy companies, in particular, should beef up their security protocols in anticipation of Lyceum’s attacks.
Featured image: Flickr / Jonathan Cutrer
