Lyceum, a previously known threat actor associated with targeted attacks on organizations in the Middle East, has resurfaced with new malware and tactics similar to those used by a dangerous advanced persistent threat (APT) group operating out of Iran.
Security researchers at Kaspersky said they observed the new Lyceum activity focused on two entities in Tunisia. The security vendor’s analysis of the attacks showed Lyceum has evolved its malware from the previous PowerShell scripts and a .NET-based remote administration tool called DanBot and to new malware written in C++.
Kaspersky has separated the new malware into two groups or variants, one dubbed James and the other Kevin, based on names the security vendor frequently came across in the malicious code. Both new variants — like DanBot — are designed to communicate with their command-and-control servers over secure DNS and HTTP tunneling, making the malicious activity hard to detect.
In addition to the new James and Kevin malware variants, Kaspersky also observed Lyceum using another tool in its recent attacks that appears not to contain any mechanism for network communications. The company surmised the malware is likely designed to proxy traffic between internal systems on an already compromised network. Also new in Lyceum’s toolkit is a PowerShell script for stealing user credentials from browsers, as well as a custom keylogger that appears designed for the same purpose.
“Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage” from previously documented malware to new tools, Kaspersky said in a report summarizing Lyceum’s new activity this week.
Lyceum first appeared on the radar in August 2019 when Secureworks reported observing the group targeting organizations in the oil and gas and telecommunications sectors in the Middle East. The security vendor at the time described the threat group as likely having been active since at least April 2018 based on domain registrations connecting Lyceum attacks on South African targets.
Secureworks said its investigation showed that Lyceum typically gained initial access to target networks using account credentials the group managed to previously acquire through password-spraying or brute-force attacks. The group’s tactics, techniques, and procedures (TTPs) resembled those used by other groups focused on strategically important Middle Eastern targets, such as OilRig (aka APT34) and Cobalt Trinity (aka APT33 and Elfin). However, the similarities were not strong enough to support a direct connection between Lyceum and the other threat groups, Secureworks noted.
Kaspersky this week reiterated those similarities, but like Secureworks stopped short of making any direct connections between Lyceum’s activities and those of previously known Iranian threat actors. According to the company, its analysis showed certain high-level similarities between Lyceum’s activities and those of another threat actor called DNSpionage that in 2018 was observed attacking targets in Lebanon and the United Arab Emirates using DNS redirects. DNSpionage in turn was linked to OilRig activity, Kaspersky said. The similarities between Lyceum and DNSpionage include targets in the same areas, the use of DNS and fake websites to tunnel command and control traffic, and similarities in the documents used to lure victims into clicking on malicious attachments.
In addition to a summary of its findings, Kaspersky this week released a presentation from a recent conference where it provided technical details on Lyceum’s new activity.