Inside the Lyceum/Hexane malware

The Lyceum/Hexane Cybercrime Group

Lyceum and Hexane are two industry designations for an APT group that was discovered in August 2019 and had been operating without detection for at least a year, possibly since April 2018. The Lyceum/Hexane APT focuses its attacks on companies in the oil, gas and telecommunications industries operating in the Middle East.

The Lyceum/Hexane APT’s attacks are primarily focused on extracting user credentials from compromised systems. To accomplish this, the group uses a multi-stage attack chain with at least five known malicious components.

The Lyceum/Hexane attack chain

The Lyceum/Hexane APT uses a multi-stage attack to infect a target machine. The initial stage is a malicious Microsoft Office document that contains the DanDrop malware. DanDrop creates a copy of DanBot, a remote access Trojan (RAT), and schedules it to run. With the access and management capabilities provided by DanBot, the APT can drop additional malicious programs (usually PowerShell scripts) on the target machine.

DanDrop

DanDrop is a malware dropper used by the Lyceum/Hexane APT to deliver second-stage malware. It is implemented as a VBA macro commonly embedded within Excel documents. Some of the files used by Lyceum/Hexane include:

  • The Worst Passwords of 2017
  • Top Ten Security Practices
  • A document completely in Arabic

These documents have enticing names for social engineering, and the file is not detected by many antivirus products. Several months after a sample of the malicious document was uploaded to VirusTotal, it had only a 65.7% malicious detection rate, and several major AV products are among those that do not detect it.

Given a copy of DanDrop, it is possible to safely extract the VBA code from the malware for analysis. One option for doing so is using olevba, which enables parsing of the OLE file format (commonly used by Microsoft Office documents) using (Read more…)
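As an added example (not from the original post or from the analysis it excerpts), the script below triages macro source text that olevba has already extracted, flagging the dropper behaviours described above: an auto-exec entry point, a file copy, and scheduled-task persistence. The VBA sample embedded in it is constructed for illustration and is not DanDrop's code.

```python
import re
from typing import Dict, List

# Constructed macro source, shaped like olevba's extracted output. It is NOT
# the real DanDrop code; it only mimics the behaviours the write-up describes
# (copy a payload to disk, then schedule it to run).
SAMPLE_VBA = r"""
Private Sub Workbook_Open()
    Dim fso As Object, sh As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set sh = CreateObject("WScript.Shell")
    fso.CopyFile ThisWorkbook.Path & "\payload.bin", Environ("APPDATA") & "\svc.exe"
    sh.Run "schtasks /create /tn Updater /tr " & Environ("APPDATA") & "\svc.exe /sc minute /mo 10", 0, False
End Sub
"""

# Indicator families an analyst checks in a suspected dropper macro (assumed
# heuristics for this example, not an exhaustive or vendor-defined list).
INDICATORS: Dict[str, List[str]] = {
    "autoexec": [r"\bWorkbook_Open\b", r"\bAuto_Open\b", r"\bDocument_Open\b", r"\bAutoOpen\b"],
    "object_creation": [r"\bCreateObject\s*\(", r"\bGetObject\s*\("],
    "file_drop": [r"\bCopyFile\b", r"\bSaveAs\b", r"\bADODB\.Stream\b",
                  r"\bScripting\.FileSystemObject\b", r"\bEnviron\s*\("],
    "execution": [r"\bShell\s*\(", r"\.Run\b", r"\bWScript\.Shell\b"],
    "persistence": [r"\bschtasks\b", r"\bHKCU\\.*\\Run\b", r"\bSchedule\.Service\b"],
}


def triage_macro(vba_source: str) -> Dict[str, List[str]]:
    """Return each indicator family found in the macro with the distinct tokens matched."""
    hits: Dict[str, List[str]] = {}
    for family, patterns in INDICATORS.items():
        found = sorted({m.group(0) for p in patterns
                        for m in re.finditer(p, vba_source, re.IGNORECASE)})
        if found:
            hits[family] = found
    return hits


def is_likely_dropper(hits: Dict[str, List[str]]) -> bool:
    """Dropper-like if the macro runs on open and also writes to disk or launches/persists something."""
    return "autoexec" in hits and bool(hits.keys() & {"file_drop", "execution", "persistence"})


if __name__ == "__main__":
    result = triage_macro(SAMPLE_VBA)
    for family, tokens in result.items():
        print(f"{family:16s} {', '.join(tokens)}")
    print("verdict:", "likely dropper" if is_likely_dropper(result) else "no dropper indicators")
```

In practice the input is the text written by `olevba --decode <file>`; the heuristics only prioritise what to read by hand and are not a detection signature.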

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/T2oacUOijZg/