September 2, 2022
Severity
High
Analysis Summary
The Lyceum APT (also tracked as HEXANE and Spirlin) is an Iran-linked, state-sponsored threat group that has been active since 2018. It primarily targets energy and telecommunications organizations in the Middle East and has expanded its victim set to internet service providers (ISPs) and government agencies. Lyceum is a politically motivated nation-state actor conducting cyber espionage with two malware families dubbed Shark and Milan. For initial backdoor deployment, the group uses Domain Name System (DNS) tunneling. The malware is delivered via a phishing email that contains a malicious link and a weaponized Word document. Ministries of Foreign Affairs (MFA) are a sought-after target of the threat actor, and the group has also used a maldoc named “ir_drones.docm” for infiltration.
In 2021, the threat actors launched a large campaign against ISPs and telecom companies in Israel, Morocco, Tunisia, and Saudi Arabia.
In June 2022, researchers discovered a new campaign in which the group used a new .NET-based backdoor to target the Middle East. The backdoor's DNS code was derived from DIG.net, an open-source “DNS hijacking” tool.
The observed attack chain begins with spear-phishing emails carrying weaponized Word documents presented as news articles about Iranian military matters.
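DNS tunneling of the kind described above (initial backdoor deployment over DNS and the .NET DNS backdoor) leaves a recognizable footprint in resolver logs: one client issuing many queries whose leftmost label is long, high-entropy encoded data under a single zone, often as TXT lookups. The script below is an added example of that triage, not Rewterz tooling and not code from the actor's backdoor. The log layout, the sample lines, the assumption that the payload sits in the leftmost label, and the thresholds are all assumptions made for illustration and should be tuned against real resolver data.

```python
"""Heuristic triage of DNS query logs for tunneling-style traffic.

Added example for the alert above, not Rewterz tooling and not code from the
Lyceum backdoor. The log layout ("<timestamp> <client> <qtype> <qname>") and
the sample lines are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log. 10.0.0.7 issues a burst of TXT queries whose leftmost
# label looks like encoded data; the other clients show ordinary lookups.
SAMPLE_DNS_LOG = """\
2022-09-02T10:00:01 10.0.0.5 A www.example.com
2022-09-02T10:00:02 10.0.0.5 A mail.example.com
2022-09-02T10:00:03 10.0.0.7 TXT 3f9a8c1e7b2d4f60aa91.c2-lookup.example.net
2022-09-02T10:00:04 10.0.0.7 TXT 9b21e0d4c7f3a58e1123.c2-lookup.example.net
2022-09-02T10:00:05 10.0.0.7 TXT 0c4d7e21f9b3a6d8e5f0.c2-lookup.example.net
2022-09-02T10:00:06 10.0.0.7 TXT 7e1b2c9d4f03a5b6c8d9.c2-lookup.example.net
2022-09-02T10:00:07 10.0.0.7 TXT a1b2c3d4e5f60718293a.c2-lookup.example.net
2022-09-02T10:00:08 10.0.0.9 A cdn.example.org
2022-09-02T10:00:09 10.0.0.9 AAAA cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (leftmost label, remaining zone).

    Assumption: the tunnel payload is carried in the leftmost label. A production
    detector would use the public suffix list and consider several labels.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, qname  # apex or two-label names carry no payload label
    return labels[0], ".".join(labels[1:])


def parse_dns_log(text: str):
    """Yield (client, qtype, qname) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname


def analyze_dns_log(text: str, min_unique: int = 4, min_len: float = 16.0,
                    min_entropy: float = 3.0) -> dict:
    """Aggregate per zone and flag zones whose payload labels look like a tunnel."""
    zones = defaultdict(lambda: {"prefixes": set(), "queries": 0, "txt_queries": 0,
                                 "clients": set(), "len_sum": 0.0, "ent_sum": 0.0})
    for client, qtype, qname in parse_dns_log(text):
        prefix, zone = split_qname(qname)
        if prefix is None:
            continue
        z = zones[zone]
        z["queries"] += 1
        if qtype == "TXT":
            z["txt_queries"] += 1
        z["clients"].add(client)
        z["prefixes"].add(prefix)
        z["len_sum"] += len(prefix)
        z["ent_sum"] += shannon_entropy(prefix)

    report = {}
    for zone, z in zones.items():
        n = z["queries"]
        mean_len = z["len_sum"] / n
        mean_ent = z["ent_sum"] / n
        report[zone] = {
            "unique_prefixes": len(z["prefixes"]),
            "queries": n,
            "txt_queries": z["txt_queries"],
            "clients": sorted(z["clients"]),
            "mean_prefix_len": round(mean_len, 2),
            "mean_prefix_entropy": round(mean_ent, 2),
            # All three must hold: many distinct labels that are long and high-entropy.
            "suspicious": (len(z["prefixes"]) >= min_unique
                           and mean_len >= min_len and mean_ent >= min_entropy),
        }
    return report


if __name__ == "__main__":
    for zone, stats in analyze_dns_log(SAMPLE_DNS_LOG).items():
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{flag:10} {zone:28} {stats}")
```

Requiring all three conditions keeps CDN and mail zones with a handful of short, readable labels out of the alert queue; in practice the zone that trips the heuristic should then be checked against the domains and IP published in this alert and against passive DNS for the client in question.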
Impact
- Information Theft and Espionage
Indicators of Compromise
IP
- 185[.]243[.]112[.]136
MD5
- 3e4a66543f7f858579f153c2c5117b51
SHA-256
- 1e6d7fa1c7a17d4bc9fc939132347ed9d4df4628bfcaa7539d757218ed0b87ff
SHA-1
- d8883fc5c87858c484753fcefa1d4b37032c2fa3
URL
- http[:]//he-express-marketing[.]com/windows-tools/jre-update[.]exe
Remediation
- Block all threat indicators at your respective controls.
- Search for the IOCs in your environment (proxy and DNS logs, EDR file hashes, mail gateway logs).
- Block or restrict macro execution in Office documents received from the internet; the group's “ir_drones.docm” lure relies on macros.
- Always be suspicious of emails from unknown senders.
- Never click on links or open attachments sent by unknown senders.
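The remediation steps above amount to a sweep of the published IOCs across telemetry. The script below is an added example of that sweep, not Rewterz tooling: it refangs the indicators exactly as listed in this alert, matches proxy requests on full URL, destination IP and hostname, and checks file hashes. The proxy-log layout, the sample lines and the sample file bytes are constructed for illustration.

```python
"""Refang the IOCs published in this alert and search sample telemetry for them.

Added example for the remediation steps above; it is not Rewterz tooling. The
proxy-log layout ("<timestamp> <client> <dst_ip> <url>"), the sample lines and
the sample file bytes are constructed for illustration.
"""
import hashlib
from urllib.parse import urlparse

# IOCs exactly as published above (defanged).
DEFANGED_IOCS = {
    "ip": ["185[.]243[.]112[.]136"],
    "md5": ["3e4a66543f7f858579f153c2c5117b51"],
    "sha1": ["d8883fc5c87858c484753fcefa1d4b37032c2fa3"],
    "sha256": ["1e6d7fa1c7a17d4bc9fc939132347ed9d4df4628bfcaa7539d757218ed0b87ff"],
    "url": ["http[:]//he-express-marketing[.]com/windows-tools/jre-update[.]exe"],
}

# Constructed proxy log: one exact download of the IOC URL, one benign request,
# and one request to the IOC host at a different path.
SAMPLE_PROXY_LOG = """\
2022-09-02T11:02:10 10.0.0.7 185.243.112.136 http://he-express-marketing.com/windows-tools/jre-update.exe
2022-09-02T11:03:44 10.0.0.5 203.0.113.10 http://www.example.com/index.html
2022-09-02T11:05:01 10.0.0.9 198.51.100.20 http://he-express-marketing.com/about
"""


def refang(value: str) -> str:
    """Undo the common defanging conventions ([.] [:] hxxp) so values can be matched."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def build_ioc_set(defanged: dict) -> dict:
    """Refang every indicator, lowercase it, and derive hostnames from the URLs."""
    iocs = {kind: {refang(v).lower() for v in values} for kind, values in defanged.items()}
    # Hostname-level matching catches the same host serving a different path.
    iocs["host"] = {h for h in (urlparse(u).hostname for u in iocs["url"]) if h}
    return iocs


def hash_bytes(data: bytes) -> dict:
    """Compute the three digest types this alert publishes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def check_file(data: bytes, iocs: dict) -> list:
    """Return the hash algorithms under which `data` matches a published hash."""
    digests = hash_bytes(data)
    return [algo for algo, digest in digests.items() if digest in iocs[algo]]


def scan_proxy_log(text: str, iocs: dict) -> list:
    """Match each request against URL (exact), destination IP and hostname IOCs.

    A full-URL or IP match is reported as high confidence; a hostname-only match
    (same host, different path) as medium, since it still warrants a look.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing
        _ts, client, dst_ip, url = parts
        url_l = url.lower()
        host = urlparse(url_l).hostname
        if url_l in iocs["url"]:
            findings.append({"line": lineno, "client": client, "type": "url",
                             "indicator": url_l, "confidence": "high"})
        if dst_ip in iocs["ip"]:
            findings.append({"line": lineno, "client": client, "type": "ip",
                             "indicator": dst_ip, "confidence": "high"})
        if host in iocs["host"] and url_l not in iocs["url"]:
            findings.append({"line": lineno, "client": client, "type": "host",
                             "indicator": host, "confidence": "medium"})
    return findings


if __name__ == "__main__":
    iocs = build_ioc_set(DEFANGED_IOCS)
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(finding)
    # Constructed placeholder bytes; a real sweep would hash files collected via EDR.
    print("file matches:", check_file(b"not the real dropper", iocs))
```

Keep the hostname match as a separate, lower-confidence finding rather than folding it into the URL match: the download path in the IOC can change between campaigns while the host stays the same, and an analyst reviewing the medium-confidence hits is the cheapest way to catch that drift.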