Moving Ahead of Single-Step Password Authentication
August 27, 2019Rewterz Threat Advisory – CVE-2019-9569 – Delta Controls enteliBUS Controllers Code Execution vulnerability
August 30, 2019Moving Ahead of Single-Step Password Authentication
August 27, 2019Rewterz Threat Advisory – CVE-2019-9569 – Delta Controls enteliBUS Controllers Code Execution vulnerability
August 30, 2019Severity
Medium
Analysis Summary
A new group LYCEUM is found focusing on critical infrastructure organizations in the Middle East. It uses simple techniques to compromise targets and deploys post-intrusion tools. Operating since 2018 and having targeted South African targets, LYCEUM has now turned its focus to Oil and Gas companies in the Middle East since April 2019. Also referred to as ‘Hexane’, LYCEUM focuses on collecting information, rather than disrupting operations, according to security experts.
It was found that LYCEUM uses password spraying and brute-force attacks to compromise email accounts of individuals working for their target organization. The attackers send spear-phishing emails to executive level employees of the target organizations carrying malicious Excel spreadsheets that install DanBot – a remote access trojan (RAT) with basic capabilities.
LYCEUM uses the following tools in its attacks:
- DanBot — A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files
- DanDrop — A VBA macro embedded in an Excel XLS file used to drop DanBot
- kl.ps1 — A PowerShell-based keylogger
- Decrypt-RDCMan.ps1 — Part of the PoshC2 framework
- Get-LAPSP.ps1 — A PowerView-based script from the PowerShell Empire framework
Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics detected to have been in use by attackers targeting Middle Eastern organizations.
Impact
- Information Disclosure
- Accounts compromise
- Possible disruption of Industrial Processes
Indicators of Compromise
IP(s) / Hostname(s)
- 62.113.207[.]181
- 144.217.149[.]61
- 75.87.185[.]45
- 62.113.196[.]37
- 104.149.37[.]44
- 198.50.152[.]162
- 164.132.181[.]82
URLs
- bsolutions-cloude[.]com
- cybersecnet[.]co[.]za
- cybersecnet[.]org
- opendnscloud[.]com
- dnscloudservice[.]com
- dnscachecloud[.]com
- web-traffic[.]info
- web-statistics[.]info
- online-analytic[.]com
- excsrvcdn[.]co
Malware Hash (MD5/SHA1/SH256)
- a8f68c928f82edd8a28c0fd25e207929a7dbce23
- 9df776b9933fbf95e3d462e04729d074
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to emails coming from untrusted sources.
- Do not download email attachments coming from unexpected sources.
- Always scan documents prior to downloading.
- Implement Multi-factor authentication.
- Conduct phishing awareness programs for employees.