Lyceum/Hexane threat actor group targets oil and gas organizations in Middle East

• Lyceum/Hexane targets employees such as executives, human resources and IT staff working for a targeted organization.
• The malicious tools used by the group include DanaBot, Dandrop, Kl.ps1, Decrypt-RDCMan.ps1, and Get-LAPSP.ps1.

Lyceum, also known as Hexane is a threat actor group that targets critical infrastructure organizations such as oil and gas and telecommunications in the Middle East.

More details about the threat group

SecureWorks has released a report on Lyceum threat group, describing the threat group’s targets as well as the tools and techniques used by them.

According to SecureWorks, LYCEUM has been active since April 2018, targeting South African organizations in mid-2018. In May 2019, the threat group launched a campaign against oil and gas organizations in the Middle East.

What are the group’s targets?

Lyceum/Hexane targets employees such as executives, human resources and IT staff working for a targeted organization. The threat group relies on password spraying and brute-force attacks to compromise email accounts of targeted organizations’ employees.

Lyceum threat group then distributes malicious documents via spearphishing from the compromised employee email accounts to the targeted executives, human resources (HR) staff, and other IT personnel.

“The recipient is more likely to open a message if it originates from an internal address. Compromising individual HR accounts could yield information and account access that could be used in additional spearphishing operations within the targeted environment and against associated organizations,” said the researchers in a report.

What tools are used by the group?

Lyceum, aka Hexane uses various malicious tools such as:

• DanaBot, a first-stage remote access trojan
• Dandrop, a malware dropper used to deliver DanaBot
• Kl.ps1, a custom keylogger
• Decrypt-RDCMan.ps1, and
• Get-LAPSP.ps1, a PowerShell script

Lyceum’s infrastructure

The threat group has registered its infrastructure using the PublicDomainRegistry.com, Web4Africa, and Hosting Concepts B.V. registrars. It’s Command and Control (C&C) servers typically have a security or web technology theme.

Connections with other threat groups

Researchers observed similar activities from other threat groups such as COBALT GYPSY (which is related to OilRig, Crambus, and APT34) and COBALT TRINITY aka Elfin and APT33. However, none of Lyceum’s tools or infrastructure has direct links to observed activity from these threat groups.

The bottom line

Lyceum is an emerging threat actor group that primarily targets oil and gas organizations in the Middle East, however, the threat group might also expand its targets to the other sectors.

“LYCEUM is an emerging threat to energy organizations in the Middle East, but organizations should not assume that future targeting will be limited to this sector. Critical infrastructure organizations in particular should take note of the threat group’s tradecraft,” researchers concluded.