Lyceum APT Rebranded it’s Arsenal

New details have been revealed about the Lyceum group also called Hexane. A new set of activities that indicate that the group targeted two entities in Tunisia, while also updating its arsenal.

Lyceum has evolved its arsenal in the past few years and moved away from previously documented .NET malware to new versions written in C++.

The new malware implants are categorized under two different variants James and Kevin after the names repeatedly appeared in the PDB paths of the malware samples. Both variants have similar custom C2 protocols tunneled over HTTP/DNS. 

An unusual variant that did not include any mechanism for network communication. Probably that was used as proxy traffic between two internal network clusters. The group used a PowerShell script created to steal credentials saved in browsers, along with a custom keylogger deployed on a few of the targeted systems.

Similarities coexist between Lyceum’s recent attacks and the infamous DNSpionage campaign, a cluster of activity linked to the OilRig, have also been observed. 

Both the campaigns have similar geographical targeting and use DNS or fake websites to tunnel C2 data as a tactic. There exist similarities between lure documents spread by Lyceum in the past and those used in the DNSpionage campaign. The connection became more profound when common code structure and choices of variable names were detected.

Lyceum is expanding its attack scope, while also retooling its arsenal with new implants. Moreover, researchers suspect that the group will continue to be active, using new and updated malware and TTPs to carry out espionage activities across the Middle East.