September 2, 2022
Severity
High
Analysis Summary
Lyceum (also tracked as HEXANE and Spirlin) is a threat group that has been active since 2018 and has been linked to Iran. It is a politically motivated, state-sponsored actor conducting cyber espionage, primarily against energy and telecommunications organizations in the Middle East. It has since broadened its victim set to internet service providers (ISPs) and government agencies, and ministries of foreign affairs (MFA) are a sought-after target. The group uses two malware families, dubbed Shark and Milan, and relies on Domain Name System (DNS) tunneling to deploy its initial backdoor. Delivery is by phishing email carrying a malicious link and a weaponized Word document; one maldoc the group has used for infiltration is named "ir_drones.docm".
In 2021, the group ran a large campaign against ISPs and telecom companies in Israel, Morocco, Tunisia, and Saudi Arabia.
In June 2022, researchers identified a new campaign in which the group used a new .NET-based DNS backdoor against targets in the Middle East. The backdoor's DNS code is borrowed from the open-source DNS tool DIG.net, and it relies on a DNS hijacking technique, in which the attacker-controlled DNS server manipulates the responses to the implant's queries.
The observed attack chain begins with spear-phishing emails carrying weaponized Word documents disguised as news articles about Iranian military affairs.
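A DNS backdoor of the kind described above has to move its traffic through ordinary resolver queries, which leaves a recognizable footprint in DNS logs: many distinct, long, high-entropy subdomains under a single registered domain, often with data-carrying record types such as TXT. The detector below is an added example written for this advisory, not code from Rewterz, from the researchers cited, or from Lyceum's tooling. The log format, the thresholds, the registered-domain heuristic and every domain in the sample log (including "c2-example.net") are constructed assumptions chosen to illustrate the pattern.

```python
"""Heuristic detector for DNS-tunnelling traffic in DNS query logs.

Added example, not code from the Rewterz advisory or from Lyceum's tooling.
The log format, thresholds and all domains below are constructed (assumptions).
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qtype> <qname>".
# "c2-example.net" stands in for an attacker-controlled domain; it is fictional.
SAMPLE_LOG = """
2022-09-02T10:00:01Z 10.0.0.5 A www.example.com
2022-09-02T10:00:02Z 10.0.0.5 A www.example.com
2022-09-02T10:00:03Z 10.0.0.6 A mail.example.com
2022-09-02T10:00:04Z 10.0.0.7 A www.example.com
2022-09-02T10:00:05Z 10.0.0.7 A cdn.example.com
2022-09-02T10:00:06Z 10.0.0.8 A www.example.com
2022-09-02T10:00:07Z 10.0.0.9 A ntp.example.org
2022-09-02T10:00:08Z 10.0.0.9 A ntp.example.org
2022-09-02T10:01:00Z 10.0.0.42 TXT 0a1b2c3d4e5f67890a1b2c3d4e5f6789.c2-example.net
2022-09-02T10:01:02Z 10.0.0.42 TXT 9876f5e4d3c2b1a09876f5e4d3c2b1a0.c2-example.net
2022-09-02T10:01:04Z 10.0.0.42 A fedcba98765432100123456789abcdef.c2-example.net
2022-09-02T10:01:06Z 10.0.0.42 TXT 0f1e2d3c4b5a69780f1e2d3c4b5a6978.c2-example.net
2022-09-02T10:01:08Z 10.0.0.42 A 13579bdf02468ace13579bdf02468ace.c2-example.net
2022-09-02T10:01:10Z 10.0.0.42 TXT a0b1c2d3e4f56789a0b1c2d3e4f56789.c2-example.net
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted payloads score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive 'last two labels' heuristic (assumption); production code should
    use a public-suffix list so that e.g. host.example.co.uk groups correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def profile_domains(lines):
    """Aggregate per registered domain the features that tunnelling inflates."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len": 0, "entropy": 0.0, "data_types": 0})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, _, qtype, qname = parse_line(line)
        dom = registered_domain(qname)
        sub = qname[:-len(dom)].rstrip(".") if qname != dom else ""
        s = stats[dom]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL", "CNAME"):   # record types with room for data in answers
            s["data_types"] += 1
    return stats


def suspicious_domains(lines, min_queries=5, min_avg_len=30,
                       min_entropy=3.5, min_unique_ratio=0.8):
    """Flag a domain when at least two of three tunnelling signals exceed threshold."""
    flagged = {}
    for dom, s in profile_domains(lines).items():
        n = s["queries"]
        if n < min_queries:               # too little traffic to judge
            continue
        avg_len = s["sub_len"] / n
        avg_ent = s["entropy"] / n
        uniq = len(s["subdomains"]) / n
        reasons = []
        if avg_len >= min_avg_len:
            reasons.append(f"avg subdomain length {avg_len:.1f}")
        if avg_ent >= min_entropy:
            reasons.append(f"avg subdomain entropy {avg_ent:.2f} bits/char")
        if uniq >= min_unique_ratio:
            reasons.append(f"unique-subdomain ratio {uniq:.2f}")
        if len(reasons) >= 2:
            flagged[dom] = reasons + [f"data-bearing record types: {s['data_types']}/{n}"]
    return flagged


if __name__ == "__main__":
    for dom, why in suspicious_domains(SAMPLE_LOG.splitlines()).items():
        print(dom, "->", "; ".join(why))
```

On the constructed log only "c2-example.net" is flagged: "example.com" has short, repetitive, low-entropy labels, and "example.org" falls under the minimum query count. Expect false positives from legitimate services that encode data in query names (reverse-DNS and reputation lookups, some CDNs and antivirus update checks); allow-list those and tune thresholds per environment rather than alerting on a single signal. The IOCs in this advisory remain the precise check; this heuristic is for catching infrastructure the IOC list does not yet cover.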
Impact
- Information Theft and Espionage
Indicators of Compromise
IP
89[.]39[.]149[.]18
MD5
- 29b6b195cf0671901b75b7d2ac6814f6
- 77d5ef3b26138baabf52fd14a0625298
SHA-256
- 8883bbd14017d0946aefd2c6fbc7b2c9b0b6b2439f96125bf4ae1c3d314a03c7
- 50e643e06c1fd6b334668439c1fb734c9d42707f80af2edbcb0e5541513546fe
SHA-1
- 6745f60a8bf6a960d2617e6387f6748e03e13f7a
- ee2e63037f4a7717da62bb0c2c54b1f618d9df42
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Treat emails from unknown senders with suspicion.
- Do not open links or attachments from unknown senders.
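To act on "search for IOCs in your environment", the sweep below checks files against the advisory's MD5, SHA-1 and SHA-256 values and checks log lines for the published IP. It is an added example written for this advisory, not a Rewterz tool. The hash and IP values are the IOCs listed above; the sample file contents, the scratch directory and the log lines are constructed for the demonstration, and the file in the demo is not the real maldoc.

```python
"""Sweep a directory tree and log lines for the advisory's indicators.

Added example, not code from the Rewterz advisory. Hash and IP values are the
advisory's IOCs; sample file contents and log lines are constructed.
"""
import hashlib
import os
import re
import tempfile

IOC_HASHES = {
    "md5": {"29b6b195cf0671901b75b7d2ac6814f6",
            "77d5ef3b26138baabf52fd14a0625298"},
    "sha1": {"6745f60a8bf6a960d2617e6387f6748e03e13f7a",
             "ee2e63037f4a7717da62bb0c2c54b1f618d9df42"},
    "sha256": {"8883bbd14017d0946aefd2c6fbc7b2c9b0b6b2439f96125bf4ae1c3d314a03c7",
               "50e643e06c1fd6b334668439c1fb734c9d42707f80af2edbcb0e5541513546fe"},
}
# Kept defanged as published; refang() restores the live value only at match time.
IOC_IPS_DEFANGED = ["89[.]39[.]149[.]18"]

# Constructed log lines, not real telemetry. Lines 2 and 3 contain the IOC as a
# substring of a different address and must NOT match.
SAMPLE_LOG_LINES = [
    "2022-09-02T08:14:07Z proxy01 CONNECT 89.39.149.18:443 from 10.0.4.21",
    "2022-09-02T08:14:09Z proxy01 GET http://189.39.149.18/index.html from 10.0.4.22",
    "2022-09-02T08:14:11Z fw01 DENY tcp 10.0.4.23 -> 89.39.149.180:8080",
    "2022-09-02T08:15:02Z dns01 query A updates.example.com from 10.0.4.24",
]


def refang(ioc):
    """Undo the common defanging conventions used in published indicators."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def hash_file(path):
    """One pass over the file computing all three digests the advisory lists."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def sweep_files(root, iocs=IOC_HASHES):
    """Return (path, algorithm, digest) for every file whose digest is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:           # unreadable or vanished file; keep sweeping
                continue
            for algo, value in digests.items():
                if value in iocs.get(algo, ()):
                    hits.append((path, algo, value))
    return hits


def sweep_logs(lines, ips=IOC_IPS_DEFANGED):
    """Return (line_no, line) for lines containing an IOC IP as a whole address.
    The look-around guards stop 89.39.149.18 matching inside 189.39.149.18
    or 89.39.149.180."""
    patterns = [re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")
                for ip in ips]
    return [(no, line) for no, line in enumerate(lines, 1)
            if any(p.search(line) for p in patterns)]


def run_demo():
    """Create a scratch directory with one constructed file, add that file's own
    SHA-256 to a copy of the IOC set so the file sweep has something to find,
    then sweep the directory and the constructed log lines."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    sample = os.path.join(root, "ir_drones.docm")   # name from the advisory; contents constructed
    with open(sample, "wb") as f:
        f.write(b"constructed sample file, not the real maldoc\n")
    iocs = {algo: set(values) for algo, values in IOC_HASHES.items()}
    iocs["sha256"].add(hash_file(sample)["sha256"])
    return {"file_hits": sweep_files(root, iocs),
            "log_hits": sweep_logs(SAMPLE_LOG_LINES)}


if __name__ == "__main__":
    result = run_demo()
    for hit in result["file_hits"]:
        print("FILE HIT:", *hit)
    for no, line in result["log_hits"]:
        print(f"LOG HIT line {no}:", line)
```

Run against real directories with `sweep_files("/path/to/check")` and against exported proxy, firewall or DNS logs with `sweep_logs(open(path).readlines())`. Hash matches only catch the exact samples listed; a recompiled or repacked build of the same backdoor will not match, so pair the hash sweep with the IP check and with detection of the DNS-tunneling behavior described in the analysis above.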