Tracked as Lyceum and SiameseKitten, Hexane was previously seen targeting companies in the oil and gas and telecommunications sectors in the Middle East and Africa.

Recent activity attributed to the Hexane actor, however, shows a change in both targeting and tactics. The group has established large infrastructure that allows it to impersonate known companies, which it has been doing in recent attacks. The group also upgraded its toolset.

A typical attack starts with the attackers identifying both the potential victim and a human resources department employee to impersonate. Next, the adversary establishes a phishing website to impersonate the targeted organization, creates tailored lure files, and sets up a fake LinkedIn profile to impersonate the HR department employee.

The attackers contact the potential victim to make them a job offer and lure the victim to a phishing website, but deploy malware only after additional lure files have been downloaded. The Milan malware is deployed to establish a connection with the infected machine, after which the DanBot RAT is downloaded.

The infected machine is then used to harvest information and conduct espionage, as well as to move laterally within the network.

On the phishing website, Hexane would detail jobs in France, Israel, and the UK. Two lure files are presented to the victim, both designed to deploy a backdoor onto their computer. This operation then continues with the deployment of a RAT onto the same machine.

This dual infection is another development of the group’s attack methods. Tese attacks and their focus on IT and communication companies are intended to facilitate supply chain attacks on their clients. The group’s main goal is to conduct espionage and utilize the infected network to gain access to their clients’ networks.