Tunisia's Lyceum Hacker Group Is on The Rise, Warn Cybersecurity Experts

Tunisia’s Lyceum Hacker Group Is on The Rise, Warn Cybersecurity Experts

A threat actor previously linked to attacks on businesses in the energy and telecoms industries across the Middle East has expanded its malware arsenal to include two targets in Tunisia.

The attacks were ascribed to a group identified as Lyceum (aka Hexane), which was first publicly recorded in 2019 by Secureworks, according to Kaspersky security experts.

Aseel Kayal, Mark Lechtik, and Paul Rascagneres presented in their findings that all victims they saw were high-profile Tunisian companies, such as aviation or telecommunications companies.

They inferred that the attackers were interested in compromising such companies in order to follow the activities and conversations of persons of importance to them, based on the industries attacked.

Evaluation of the threat actor’s toolset revealed that the attacks have shifted from embracing a combination of PowerShell scripts and a.NET-based remote administration tool, DanBot, to two new malware variants written in C++ referred to as “James” and “Kevin.”

While the “James” sample is primarily based on the DanBot, “Kevin” features significant architectural and communication protocol modifications. As a result of the public revelation, it appears that the company is attempting to rebuild its attack infrastructure.

Both artifacts, however, enable connection with a remote command-and-server server using custom-designed protocols tunneled over HTTP or DNS, similar to DanBot’s method. Also, the attackers are claimed to have captured keystrokes and stolen credentials saved in web browsers on infected PCs using a proprietary keylogger and a PowerShell script.

According to the Russian cybersecurity provider, the attack methods employed in the campaign against Tunisian firms mirrored approaches previously attributed to hacking activities linked to the DNSpionage group.

It has shown tradecraft parallels with an Iranian threat actor known as OilRig (aka APT34), as well as “strong similarities” between lure papers supplied by Lyceum in 2018-2019 and those used by DNSpionage, according to the report.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.