The Lyceum hackers are a criminal group that was found to be coordinating attacks against high-profile targets in the Middle East. The group's activities were investigated by security researchers, whose findings have been released publicly. From those reports we know that the main goal of the Lyceum hackers is to infect oil and gas companies and organizations.
Oil and Gas Organizations Are Targeted By The Lyceum Hackers
The Lyceum hackers are a dangerous collective of computer criminals currently targeting organizations in the Middle East, specifically oil and gas enterprises. The latest movements of the collective appear to be aimed at gathering intelligence rather than direct sabotage, as seen with other groups. The group has been active since at least early April 2019; last year's campaign was conducted primarily against South African targets. This year's major attack, conducted in May, tested a new hacking tool developed by the group.
The use of their custom solution begins with typical distribution tactics. The hackers use brute-force attempts and password spraying to break into the email inboxes of the companies. Once they have infiltrated them using an automated solution, the criminals use the compromised inboxes to send phishing emails. These are sent to other mailbox holders with malicious Excel spreadsheet files attached. When they are opened, the macros deliver a custom threat known as the DanBot malware, which is then used to deploy other dangerous packages.
DanBot is a first-stage Trojan which takes advantage of basic infection techniques in order to provide basic remote access capabilities. These include receiving commands from the hackers and executing them, as well as file transfer operations.
An associated component of the Lyceum hackers' toolkit is the DanDrop script, the infection component which acts as the trigger and delivery mechanism for the actual Trojan. Three other components are part of the toolkit used by the hackers:
- Keylogger — This is a PowerShell-based keylogger which is used to record the user input on the infected hosts.
- Command and Control Infrastructure — This module manages the connection to the hackers' command and control servers.
- PowerShell Empire Framework — This is a PowerShell-based framework which is used to carry out various attacks.
When the Lyceum hackers have been able to penetrate the target devices they can execute various actions and perform common operations such as the following:
- Data Theft — The scripts can be commanded to steal sensitive information from the infected computers. It can either be data that exposes the identity of the victims, which can lead to crimes such as identity theft, blackmail and financial abuse. If machine information is acquired it can be used to expose
- System Changes — Using the scripts and built-in capabilities, the Lyceum hackers can modify system settings and configuration files, leading to serious issues, data loss and unexpected errors.
- Additional Malware Delivery — Using the scripts, the hackers can deliver other malware to the infected hosts.
What is dangerous about these attacks is that, if successful, they can lead to a rapid network-wide compromise of enterprise hosts. For this reason we urge system administrators to closely monitor the activity of their servers and gateway devices and protect them from forthcoming attacks.
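Because the article names brute force and password spraying against mailboxes as the entry point and closes by urging administrators to monitor their servers and gateways, here is an added example (not code from the article, and not from any published Lyceum report) of how a defender might flag those two patterns in authentication logs and escalate when an attacking source later logs in successfully. The log line format, the sample IP addresses and account names, and the thresholds (five distinct accounts, or five failures against one account, within ten minutes) are constructed assumptions for illustration only.

```python
"""Flag password-spraying and brute-force patterns in mail-gateway auth logs.

Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> src=<ip> user=<account> result=<OK|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 tries one guess across many accounts (spray)
# and eventually gets in; 198.51.100.7 hammers a single account (brute force);
# 192.0.2.9 is a normal user who mistypes a password once.
SAMPLE_LOG = """\
2019-05-14T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-05-14T08:00:03Z src=203.0.113.5 user=bob result=FAIL
2019-05-14T08:00:05Z src=203.0.113.5 user=carol result=FAIL
2019-05-14T08:00:07Z src=203.0.113.5 user=dave result=FAIL
2019-05-14T08:00:09Z src=203.0.113.5 user=erin result=FAIL
2019-05-14T08:00:11Z src=203.0.113.5 user=frank result=OK
2019-05-14T08:05:00Z src=198.51.100.7 user=admin result=FAIL
2019-05-14T08:05:01Z src=198.51.100.7 user=admin result=FAIL
2019-05-14T08:05:02Z src=198.51.100.7 user=admin result=FAIL
2019-05-14T08:05:03Z src=198.51.100.7 user=admin result=FAIL
2019-05-14T08:05:04Z src=198.51.100.7 user=admin result=FAIL
2019-05-14T08:05:05Z src=198.51.100.7 user=admin result=FAIL
2019-05-14T08:10:00Z src=192.0.2.9 user=grace result=FAIL
2019-05-14T08:10:20Z src=192.0.2.9 user=grace result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def analyse(log_text, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return {source_ip: sorted list of tags} for sources showing attack patterns.

    spray:  failures against >= spray_users distinct accounts inside `window`
            (the "many accounts, few guesses each" shape of password spraying).
    brute:  >= brute_attempts failures against one account inside `window`.
    success_after_attack: a flagged source later authenticates successfully,
            which is the inbox takeover the article describes and the finding
            to act on first (reset the account, review sent mail).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        tags = set()
        # Slide a window starting at each failure and count per-account failures.
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            if len(per_user) >= spray_users:
                tags.add("spray")
            if max(per_user.values()) >= brute_attempts:
                tags.add("brute")
        if tags:
            first_fail = fails[0]["ts"]
            if any(e["ok"] and e["ts"] > first_fail for e in evs):
                tags.add("success_after_attack")
            findings[src] = sorted(tags)
    return findings


if __name__ == "__main__":
    for src, tags in analyse(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(tags)}")
```

The two shapes are distinguished by the same window: a spray spreads a handful of guesses across many accounts, so per-account counts stay low while the distinct-account count climbs, whereas a brute-force attempt does the opposite. Both thresholds are tunable; in production they would be set against the gateway's normal failure baseline, and the `success_after_attack` tag is the one that warrants an immediate credential reset and a review of mail sent from that account.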