Rewterz Threat Alert – Lyceum APT aka HEXANE – Active IOCs

September 2, 2022

Severity

High

Analysis Summary

The Lyceum APT (aka HEXANE, Spirlin) is a cybercriminal group that mainly targets energy and telecommunication organizations in the Middle East. It has expanded this victim set by identifying additional targets within internet service providers (ISPs) and government agencies. The group has been active since 2018 and has been linked to Iran. Lyceum is a politically motivated nation-state actor that conducts cyber espionage using two malware families dubbed Shark and Milan. For initial backdoor deployment, the group uses Domain Name System (DNS) tunneling. The malware is delivered via a phishing email containing a malicious link and a weaponized Word document. The Ministry of Foreign Affairs (MFA) is a sought-after target of the threat actor. The group has also been deploying the “ir_drones.docm” maldoc for infiltration.
In 2021, the threat actors launched a massive campaign against ISPs and telecom companies in Israel, Morocco, Tunisia, and Saudi Arabia.
Researchers discovered a new campaign in June 2022 in which the APT group was using a new .NET-based backdoor to target the Middle East. The code for the DNS backdoor was taken from the open-source “DNS hijacking” program DIG.net.
The attack chain observed by the researchers begins with spear-phishing emails that use weaponized Word documents presented as news articles about Iranian military matters.

Impact

  • Information Theft and Espionage

Indicators of Compromise

IP

185[.]243[.]112[.]136

MD5

  • 3e4a66543f7f858579f153c2c5117b51

SHA-256

  • 1e6d7fa1c7a17d4bc9fc939132347ed9d4df4628bfcaa7539d757218ed0b87ff

SHA-1

  • d8883fc5c87858c484753fcefa1d4b37032c2fa3

URL

  • http[:]//he-express-marketing[.]com/windows-tools/jre-update[.]exe

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
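As an added example (not part of the advisory or Rewterz's tooling), the Python below refangs the indicators listed above and checks proxy log lines and file hashes against them, also flagging any other path on the listed URL's host. The space-separated log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse
# Indicators exactly as published in the advisory (defanged); refanged only in memory.
IOCS = {
    "ip": ["185[.]243[.]112[.]136"],
    "md5": ["3e4a66543f7f858579f153c2c5117b51"],
    "sha1": ["d8883fc5c87858c484753fcefa1d4b37032c2fa3"],
    "sha256": ["1e6d7fa1c7a17d4bc9fc939132347ed9d4df4628bfcaa7539d757218ed0b87ff"],
    "url": ["http[:]//he-express-marketing[.]com/windows-tools/jre-update[.]exe"],
}

def refang(value):
    """Undo common defanging so an indicator can be compared with live log data."""
    v = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)

def build_index():
    """Lower-cased, refanged sets per indicator type, plus the hosts of the URL IOCs."""
    idx = {kind: {refang(v).lower() for v in vals} for kind, vals in IOCS.items()}
    idx["domain"] = {urlparse(u).hostname for u in idx["url"]}
    return idx

def match_hash(digest):
    """Return 'md5', 'sha1' or 'sha256' if digest is a listed IOC, else None."""
    d = digest.strip().lower()
    return next((k for k in ("md5", "sha1", "sha256") if d in build_index()[k]), None)

# Constructed sample proxy log (assumed format): timestamp client_ip dest_ip url sha256_of_body
SAMPLE_PROXY_LOG = """\
2022-09-02T10:14:03Z 10.0.0.23 185.243.112.136 http://he-express-marketing.com/windows-tools/jre-update.exe 1e6d7fa1c7a17d4bc9fc939132347ed9d4df4628bfcaa7539d757218ed0b87ff
2022-09-02T10:15:11Z 10.0.0.42 93.184.216.34 http://example.com/index.html 0000000000000000000000000000000000000000000000000000000000000000
2022-09-02T10:16:40Z 10.0.0.57 203.0.113.9 http://he-express-marketing.com/other/path.html 1111111111111111111111111111111111111111111111111111111111111111
"""

def scan_proxy_log(log_text):
    """Return one hit per log line that touches any listed indicator (or its host)."""
    idx = build_index()
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the scan
        ts, client, dest_ip, url, sha256 = parts
        checks = [("ip", dest_ip), ("domain", urlparse(url).hostname),
                  ("url", url.lower()), ("sha256", sha256.lower())]
        matched = [kind for kind, value in checks if value in idx[kind]]
        if matched:
            hits.append({"time": ts, "client": client, "matched": matched})
    return hits
```

Hits on "domain" alone are weaker evidence than a full URL or hash match and should be triaged rather than blocked automatically.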