Recently, researchers from Clearsky observed that the Lyceum group has been targeting Israeli organizations via job offer-related lures. Historically, the Iranian threat actor Lyceum has been known for targeting oil, gas, and telecom companies in the Middle East and Africa since 2018.
What was discovered
In the recent campaign that occurred between May and June 2021, the Lyceum group was observed targeting IT and communication companies in Israel, possibly to facilitate supply chain attacks.
The threat actor impersonated HR staff and employees of renowned Israeli firms such as ChipPc and Software AG, placing fake job offers to lure potential victims and obtain their companies’ access to clients.
As an initial attack vector, Lyceum uses lure documents, including Excel files, that provide details about the job offer and the company.
Using these documents, the attackers attempt to redirect victims to phishing websites that mimic Israeli IT companies. The actors also created fake LinkedIn profiles to lure job applicants.
Tools used for the attack
According to the report, the threat actor carried out several waves of attacks using several tools, malware, and malicious documents.
In May, the attackers were using an Excel spreadsheet with embedded macros. The macros would download Milan, a backdoor written in C++, onto the infected computer.
After infection, Milan establishes a connection with the C&C server over DNS and HTTPS and downloads a second-stage RAT called DanBot.
The attackers collect data from the infected system, carry out espionage, and then spread further across the network.
In the July 2021 attacks, researchers noted that the Milan backdoor had been replaced with a new .NET backdoor called Shark.
The main aim of the recent attacks is suspected to be cyberespionage. Moreover, besides obtaining access to clients’ internal networks, the attackers could go on to launch ransomware attacks. In either case, security professionals should keep a strict watch on the development of the Lyceum group.