Warnings of a rise in Lyceum Hacker Group activities in Tunisia sounded by cybersecurity experts

A threat actor formerly known for targeting energy and telecommunication institutions in the middle east from April 2018 has further progressed their malware tools to target two bodies in Tunisia. 

Researchers from Kaspersky, who displayed their discoveries at the October VirusBulletin 2021 conference, connected the intrusions to a tracked group dubbed ‘Lyceum’ (also known as Hexane), which was first publicly documented in 2019 by Secureworks.  

Researchers Aseel Kayal, Mark Lechtik and Paul Rascagneres expressed that “the victims we observed were all high-profile Tunisian organisations, such as telecommunications or aviation companies”. Furthermore, “based on the targeted industries, we assume that the attackers might have been interested in compromising such entities to track the movements and communications of individuals of interest to them.” 

Observations of the changing toolset used by the group shows that attacks have deviated from simultaneously conducting PowerShell scripts and a NET-based remote administration tool referred to as “DanBot” to two new malware derivations written in C++, assigned the names “James” and “Kevin”. These names are attributed to the two new malware due to the repeated use of the names in the program data base paths of the underlying samples. 

The “James” sample is predominantly based on the DanBot malware, and the “Kevin” sample reflects the changes associated with design and communication protocols. From December 2020, the group largely relied on the changes regarding communication protocols, indicating its effort to renovate its attack infrastructure in a response to public exposure.  

Both of the samples enable communication with a remote command-and-server server by the use of custom constructed protocols passaged over DNS or HTTP, a technique reflective of DanBot. In addition to this, it is believed that attackers have utilized a custom keylogger in conjunction with a PowerShell script in intruded systems to record keystrokes and steal credentials accumulated in web browsers.   

Kaspersky detailed the attack methods implemented against the Tunisian organisations as similar to methods employed among hacking operations connected to the DNSpionage group, methods of which additionally displayed overlaps to an Iranian threat actor known as OilRig (also known as APT34). 

Detailed by the researchers, “with considerable revelations in the activity of DNSpionage in 2018, as well as further data points that shed on an apparent relationship with APT34, […] the latter may have changed some of its modus operandi and organisational structure, manifesting into new operational entities, tools and campaigns”. Further revealed, “one such entity is the Lyceum group, which after further exposure by Secureworks in 2019, had to retool yet another time”.