Check point research has reported that Lyceum run and backed by the evil Iranian regime has launched a spear phishing campaign in the wake of Russia's invasion of Ukraine
Lyceum have been active since 2017 and are also known as Hexane. This new spear phishing campaign was discovered when an Israeli energy company received a phishing e-mail from inews-reporter@protonmail.com which opened with title "Russian war crimes in Ukraine" and contained images from open source as well as malicious link.
Once malicious link is clicked a PDF or Word document will appear with open source article from Guardian discussing Russian invasion. Meanwhile a Macro code has download in background of victims machine and executed a .EXE which then stores itself in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup which means that .EXE will not start right away but upon next computer restart, which means user will not be aware that their machine is compromised. In this campaign Lyceum have been spotted using 3 different macro droppers. .NET DNS .NET TCP and GoLang are all used.
Lyceum .NET DNS Macro Code Dropper (Source: Checkpoint)
Each macro dropper works slightly differently. .NET DNS dropper is a modified tool of DNSDig with additional code added to form frm1. .NET TCP creates a C2 communication by using TCP sockets and then implements its own communication protocol. This dropper can then keylog and take screenshots and list all files + programs on a victims machine as well as downloads and upload files. GoLang dropper is different and executes in 3 stages: the first is to generate a unique ID for victim using MD5 hash of username. Then sends empty HTTP POST request to Lyceum controlled C2 server. Malicious server then registers victim onto server and executes similar commands to .NET TCP dropper.
For Checkpoint attribution of this spear phishing and cyber espionage campaign was easy. They targeted Israel energy company as well as Saudi, both key enemies of Iran. They also used Heijden.DNS library which Lyceum have used before as well as ProtonMail and DNS Tunneling.
When will this corrupt Iranian regime stop illegally hacking other nations?? 😡😡
No comments:
Post a Comment