
Lyceum APT

Posted: October 8, 2020

The Lyceum APT is a threat actor that preferentially targets companies in the telecommunications, media, oil and gas industries in the Middle East. Its attacks regularly deploy password collectors and Remote Access Trojans through corrupted documents sent by e-mail. Users should protect themselves with the usual methods, such as disabling macros and keeping software updated, and let automated security tools remove the Lyceum APT's Trojans and spyware as they are identified.

Spying Trojans Bulking Up at the Gymnasium

Referred to alternately as the Lyceum APT or Hexane, this group of hackers takes its two names from the ancient Greek lyceum, a gymnasium institution, and from hexane, a prominent chemical component of gasoline. The latter is especially apt given the Lyceum APT's observed targets, which regularly include companies operating in the oil energy sector. With the Middle East being the region mainly at risk from attackers under this umbrella, employees there would do well to familiarize themselves with the group's network-compromising strategies.

Like so many threat actors that breach business databases, the Lyceum APT uses e-mail as its phishing method of choice. Victims may open spreadsheets or documents disguised as recommended security practice guidelines or lists of weak passwords to avoid. These attachments contain exploits that typically deliver a first-stage Trojan dropper such as DanDrop, which in turn installs a more comprehensive threat: a Remote Access Trojan, or RAT.

Both DanDrop and its second-stage payload, DanBot, are custom, in-house Trojans that malware researchers haven't seen in the hands of other hacking groups. Initially, DanBot passes Base64-encoded system statistics to the Lyceum APT's Command & Control server via DNS, then makes additional HTTP requests. These requests imitate a Firefox user agent for obfuscation, connect to seemingly randomly generated URLs, and authorize the installation with a custom password.
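As an added illustration of the DNS beaconing described above (example code written for this page, not code from the original article or from any analysis of DanBot), the following Python flags DNS queries whose leftmost label looks like Base64-encoded data and decodes it for an analyst. The log format, the placeholder domains and the encoded contents are constructed for the example; the length and entropy thresholds are assumptions to tune against real traffic.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample DNS log (placeholder domains, not real indicators); assumed format "<ts> <client_ip> <name>".
SAMPLE_DNS_LOG = """\
2020-10-08T09:12:01Z 10.0.0.5 www.example.com
2020-10-08T09:12:03Z 10.0.0.5 SG9zdDpXUzAxfE9TOldpbjEwfFVzZXI6am9l.c2.example.net
2020-10-08T09:12:04Z 10.0.0.7 mail.example.com
2020-10-08T09:12:05Z 10.0.0.5 VXB0aW1lOjQyMDB8RG9tYWluOkNPUlA.c2.example.net
"""

# DNS labels cannot carry '+', '/' or '=', so a Base64 beacon is assumed to use A-Za-z0-9 only and drop padding.
B64_LABEL = re.compile(r"^[A-Za-z0-9]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded data sits well above ordinary hostnames."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def decode_b64_label(label: str):
    """Re-pad and decode a label as Base64; return the text or None."""
    padded = label + "=" * (-len(label) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_queries(log_text: str, min_len: int = 20, min_entropy: float = 3.5):
    """Return (client, name, decoded) for queries whose leftmost label looks like a data beacon."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, name = parts
        label = name.split(".")[0]
        if len(label) < min_len or not B64_LABEL.match(label):
            continue
        if shannon_entropy(label) < min_entropy:
            continue
        decoded = decode_b64_label(label)
        if decoded is not None and decoded.isprintable():
            hits.append((client, name, decoded))
    return hits

for client, name, decoded in suspicious_queries(SAMPLE_DNS_LOG):
    print(f"{client} -> {name}: {decoded!r}")
```

Ordinary hostnames such as www or mail fail the length and entropy checks, while the two encoded labels decode to readable host and uptime strings that an analyst can triage.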

Remote Access Trojans like DanBot give attackers a user-friendly UI for accessing the computer remotely and unobtrusively, through which they may transfer files, change system settings, install other threats, and so on. Malware experts also note other, recurring threats in most of the Lyceum APT's attacks, all of which bear the hallmarks of spyware: a keylogger that records keyboard input, a data collector, and a decryptor for passwords and other credentials.

Putting Off a Workout with Software Spies

The Lyceum APT's latest Trojans are dodging detection by roughly one-third of all AV vendors, as of October. Overall, however, their methodology isn't very different from that of other Advanced Persistent Threats such as the Turla APT, Hangover or the Ke3chang APT. Workers should be particularly cautious around e-mails whose attachments or links are not definitely safe, and should scan all downloads before opening files. Enabling macros and leaving office suite software out of date are two additional weaknesses that malware experts recommend remedying without delay.

Users also should be aware of the risk posed by passwords and other credentials in the Lyceum APT's possession after an infection. This emphasis on compromising login data makes rapid network traversal almost inevitable in typical scenarios. Quarantining infected systems from all network connections and shared devices, and changing passwords, are the bare minimum countermeasures.

The Lyceum APT currently has limited interest in hacking targets outside of Middle Eastern nations and displays a moderate familiarity with the Arabic language. However, its techniques and tools are applicable elsewhere, and all users should have up-to-date security products for flagging and removing the Lyceum APT's threats.

While not very creative, the Lyceum APT is a well-run organization with competent programmers at the wheel, capable of temporarily eluding even the heuristics of polished, dedicated AV vendors. Its existence pointedly underlines the enduring value of the energy and telecommunications industries to bad actors.
