A threat actor previously linked to attacks on businesses in the energy and telecoms industries across the Middle East has expanded its malware arsenal and turned its attention to two targets in Tunisia.
Aseel Kayal, Mark Lechtik, and Paul Rascagneres reported in their findings that all of the victims they observed were high-profile Tunisian companies, such as aviation or telecommunications companies.
Based on the industries attacked, they inferred that the attackers were interested in compromising such companies in order to follow the activities and conversations of persons of interest to them.
Evaluation of the threat actor’s toolset revealed that the attacks have shifted from relying on a combination of PowerShell scripts and a .NET-based remote administration tool, DanBot, to two new malware variants written in C++, referred to as “James” and “Kevin.”
While the “James” sample is largely based on DanBot, “Kevin” features significant changes to its architecture and communication protocol. Following the public exposure of its earlier tooling, the group appears to be attempting to rebuild its attack infrastructure.
Both artifacts, however, communicate with a remote command-and-control server using custom-designed protocols tunneled over HTTP or DNS, similar to DanBot’s method. The attackers are also said to have captured keystrokes and stolen credentials saved in web browsers on infected PCs using a custom keylogger and a PowerShell script.
According to the Russian cybersecurity provider, the attack methods employed in the campaign against Tunisian firms mirrored approaches previously attributed to hacking activity linked to the DNSpionage group.
It has also shown tradecraft parallels with an Iranian threat actor known as OilRig (aka APT34), and the report notes “strong similarities” between the lure documents used by Lyceum in 2018-2019 and those used by DNSpionage.