• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Moving Ahead of Single-Step Password Authentication
August 27, 2019
Rewterz Threat Advisory – CVE-2019-9569 – Delta Controls enteliBUS Controllers Code Execution vulnerability
August 30, 2019

Rewterz Threat Alert – LYCEUM Targeting Energy Sector in the Middle East

August 28, 2019

Severity

Medium

Analysis Summary

A new group LYCEUM is found focusing on critical infrastructure organizations in the Middle East. It uses simple techniques to compromise targets and deploys post-intrusion tools. Operating since 2018 and having targeted South African targets, LYCEUM has now turned its focus to Oil and Gas companies in the Middle East since April 2019. Also referred to as ‘Hexane’, LYCEUM focuses on collecting information, rather than disrupting operations, according to security experts.

It was found that LYCEUM uses password spraying and brute-force attacks to compromise email accounts of individuals working for their target organization. The attackers send spear-phishing emails to executive level employees of the target organizations carrying malicious Excel spreadsheets that install DanBot – a remote access trojan (RAT) with basic capabilities.

LYCEUM uses the following tools in its attacks:

  • DanBot — A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files
  • DanDrop — A VBA macro embedded in an Excel XLS file used to drop DanBot
  • kl.ps1 — A PowerShell-based keylogger
  • Decrypt-RDCMan.ps1 — Part of the PoshC2 framework
  • Get-LAPSP.ps1 — A PowerView-based script from the PowerShell Empire framework

Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics detected to have been in use by attackers targeting Middle Eastern organizations.

Impact

  • Information Disclosure
  • Accounts compromise
  • Possible disruption of Industrial Processes

Indicators of Compromise

IP(s) / Hostname(s)

  • 62.113.207[.]181
  • 144.217.149[.]61
  • 75.87.185[.]45
  • 62.113.196[.]37
  • 104.149.37[.]44
  • 198.50.152[.]162
  • 164.132.181[.]82


URLs

  • bsolutions-cloude[.]com
  • cybersecnet[.]co[.]za
  • cybersecnet[.]org
  • opendnscloud[.]com
  • dnscloudservice[.]com
  • dnscachecloud[.]com
  • web-traffic[.]info
  • web-statistics[.]info
  • online-analytic[.]com
  • excsrvcdn[.]co

Malware Hash (MD5/SHA1/SH256)

  • a8f68c928f82edd8a28c0fd25e207929a7dbce23
  • 9df776b9933fbf95e3d462e04729d074

Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to emails coming from untrusted sources.
  • Do not download email attachments coming from unexpected sources.
  • Always scan documents prior to downloading.
  • Implement Multi-factor authentication.
  • Conduct phishing awareness programs for employees.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.