A new group LYCEUM is found focusing on critical infrastructure organizations in the Middle East. It uses simple techniques to compromise targets and deploys post-intrusion tools. Operating since 2018 and having targeted South African targets, LYCEUM has now turned its focus to Oil and Gas companies in the Middle East since April 2019. Also referred to as ‘Hexane’, LYCEUM focuses on collecting information, rather than disrupting operations, according to security experts.
It was found that LYCEUM uses password spraying and brute-force attacks to compromise email accounts of individuals working for their target organization. The attackers send spear-phishing emails to executive level employees of the target organizations carrying malicious Excel spreadsheets that install DanBot – a remote access trojan (RAT) with basic capabilities.
LYCEUM uses the following tools in its attacks:
Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics detected to have been in use by attackers targeting Middle Eastern organizations.
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SH256)