Researchers have identified a never-before-seen threat group targeting Middle East critical infrastructure organizations with novel malware, sent via spearphishing emails.
The threat group, LYCEUM, was observed in 2019 sending spear phishing emails harboring malicious Microsoft Excel attachments to oil and gas companies. When clicked, the attachments downloaded a newly-discovered malware called DanBot, which subsequently deploys post-intrusion tools to spread across the impacted company’s network, steal credentials and other account information and capture keystrokes on impacted systems.
“LYCEUM appears to have been operating for over a year without detection and it was intriguing to discover a new group with a similar style to established Iranian threat groups, but otherwise no distinguishing technical characteristics that allow it to be linked to previously documented activity,” Rafe Pilling, senior security researcher at Secureworks Counter Threat Unit, told Threatpost.
Researchers believe that LYCEUM has been active as early as April 2018, when domain registrations indicate a campaign was first launched in mid-2018 to focus on South African targets. In February 2019, researchers saw an uptick in development and testing for the threat group’s toolkit against a public multi-vendor malware scanning service; while in May 2019, a campaign was launched against oil and gas targets in the Middle East.
Looking forward, researchers worry that the threat group will expand its targeting to other countries. “LYCEUM is an emerging threat to energy organizations in the Middle East, but organizations should not assume that future targeting will be limited to this sector,” they said. “Critical infrastructure organizations in particular should take note of the threat group’s tradecraft.”
Spearphishing Attack
LYCEUM initially accesses a firm by utilizing account credentials obtained via compromised accounts targeted with password spraying or brute-force attacks.
Attackers then sends out malicious documents via spearphishing attacks containing a training schedule spanning multiple departments. Other earlier campaigns touted malicious documents with a “security best practice” theme.
Using compromised email accounts from within the victim companies, the threat group sent the emails to targeted executives, human resource staff and IT personnel.
“Compromising individual HR accounts could yield information and account access that could be used in additional spearphishing operations within the targeted environment and against associated organizations,” said researchers. “IT personnel have access to high-privilege accounts and documentation that could help the threat actors understand the environment without blindly navigating the network to find data and systems of interest.”
After a victim clicks on the malicious attachment, the DanBot malware is downloaded.
It’s important to note that DanBot is different to DanaBot, a popular banking trojan. The name is just a coincidence, Pilling told Threatpost. It was picked based on PDB strings (an artifact from the software development stage that can sometimes reveal interesting information about the developers system) found in a sample of the malware.
The remote access trojan uses DNS and HTTP-based communication methods and provides basic remote access capability, such as executing arbitrary commands and additional modules and uploading files.
The attack also utilized a custom keylogger (kl.ps1) written in PowerShell to capture window title and keystrokes on injected systems; a component called Decrypt-RDCMan.ps1 to decrypt passwords stored in the RDCMan configuration file (which stores details and encrypted credentials of servers to quickly establish remote desktop sessions); and a PowerShell script (Get-LAPSP.ps1) to gather account information from Active Directory.
While critical infrastructure companies are targeted and industrial control system departments are referenced in the malicious document, researchers say that LYCEYM has not appeared to demonstrate interest in that environment: “However, researchers cannot dismiss the possibility that the threat actors could seek access to OT environments after establishing robust access to the IT environment,” they said. “Access to, and through, the IT environment is often a prerequisite to targeting an OT environment.”
Attribution
Researchers said that as of publication, there is insufficient technical evidence to support an attribution assessment – however, several methods utilized by LYCEUM are indicative of groups such as Cobalt Gypsy, an APT believed to have ties to the Iranian government that has targeted telecommunications, government, defense, oil and financial services firms located in the Middle East and North Africa.
“Stylistically, the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig, Crambus, and APT34) and COBALT TRINITY (also known as Elfin and APT33),” researchers said. “However, none of the collected malware or infrastructure associated with LYCEUM has direct links to observed activity from these or other known threat groups.”
Moving forward researchers warn that companies can protect themselves through implementing two-factor authentication, increasing visibility via endpoint detection, response and logging, and educating employees to beware of potential spearphish email indications.
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.