The Iranian state-supported APT known as ‘Lyceum’ (Hexane, Spilrin) targeted ISPs and telecommunication service providers in the Middle East and Africa between July and October 2021.
Apart from Israel, which is permanently in the crosshairs of Iranian hackers, researchers have spotted Lyceum backdoor malware attacks in Morocco, Tunisia, and Saudi Arabia.
In the most recent campaign analyzed in a joint report between researchers at Accenture and Prevailion, Lyceum is seen using two distinct malware families, dubbed Shark and Milan.
The Shark backdoor is a 32-bit executable written in C# and .NET used to execute commands and exfiltrate data from infected systems.
Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and exfiltrate it to hosts derived from domain generation algorithms (DGAs).
Both backdoors communicate via DNS and HTTPS with their command and control servers (C2), with Shark also using DNS tunneling.
According to the technical analysis, which revealed a continual refresh of the beacons and payloads, Lyceum appears to monitor the researchers analyzing its malware and to update its code in response, so as to stay ahead of defensive mechanisms.
The most recent build dates are from October 2021, and the researchers point out that at least two of the identified compromises are ongoing.
The analysts managed to map the Lyceum victims by taking control of twenty of the actor’s domains and analyzing the telemetry data, without taking the domains down.
The resulting report provides a new list with indicators of compromise (IoCs) and multiple ways to detect the two backdoors, so it has the potential to disrupt Lyceum’s ongoing campaign.
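The two C2 channels described above (DNS tunneling for Shark, DGA-derived hosts for Milan) leave traces in resolver logs that a defender can hunt for. The following is an added illustration, not code from the report or from BleepingComputer: two heuristics run over a constructed DNS log (placeholder domains, not real Lyceum indicators). The thresholds and the NXDOMAIN-per-client rule are assumptions to be tuned per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (placeholder domains, not real Lyceum indicators):
# "<unix_ts> <client_ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
1636000001 10.0.0.5 www.example.org A NOERROR
1636000003 10.0.0.7 a3f9c2e1b7d4486e9f0a1c2d3e4f5a6b.t.example.test TXT NOERROR
1636000004 10.0.0.7 7c1d9e0f2a3b4c5d6e7f8091a2b3c4d5.t.example.test TXT NOERROR
1636000005 10.0.0.7 0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e.t.example.test TXT NOERROR
1636000006 10.0.0.9 kqzxvbnwpl.test A NXDOMAIN
1636000007 10.0.0.9 ytrmxqwvzp.test A NXDOMAIN
1636000008 10.0.0.9 bnmzxqwrtl.test A NXDOMAIN
1636000009 10.0.0.9 mail.example.org A NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_line(line: str) -> dict:
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.lower(), "qtype": qtype, "rcode": rcode}

def flag_tunneling(records, min_label_len=24, min_entropy=3.5):
    """DNS-tunneling heuristic: a long, high-entropy leftmost label looks like an encoded payload chunk."""
    hits = []
    for r in records:
        left = r["qname"].split(".")[0]
        if len(left) >= min_label_len and shannon_entropy(left) >= min_entropy:
            hits.append(r["qname"])
    return hits

def flag_dga(records, nx_threshold=3):
    """DGA heuristic (assumption): a client collecting many NXDOMAIN answers is probing generated names."""
    nx = defaultdict(int)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return sorted(client for client, count in nx.items() if count >= nx_threshold)

def analyse(log_text: str) -> dict:
    """Run both heuristics over raw log text and return the flagged names and clients."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"tunneling": flag_tunneling(records), "dga": flag_dga(records)}
```

Benign CDN and mail lookups pass both checks; the three TXT queries with 32-character hex labels and the client with three NXDOMAIN answers are flagged.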
The particular group of hackers is believed to be politically motivated and exclusively interested in cyber espionage rather than causing operational disruption to their targets.
This is why they focus on ISP network intrusions, as compromising high-level service providers is an excellent way to collect valuable intelligence on foreign nations.
“It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or internal systems within the operator,” explains the joint report from Accenture and Prevailion.
“However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north African telecommunication companies.”
Although Iran has traditionally kept a hostile stance against Israel, Saudi Arabia, and Morocco, the inclusion of Tunisia in the victimology is seemingly hard to justify, so it’s an interesting find.
Finally, the types of victims and the activity timelines match those of Operation GhostShell, revealed last month by Cybereason.
Even though the ‘GhostShell’ campaign was most probably orchestrated by a novel APT adversary, it still had links to known Iranian APT groups like Lyceum.