HEXANE
Associated Group Descriptions |
|
Name | Description |
---|---|
Spirlin | (Citation: Accenture Lyceum Targets November 2021) |
Siamesekitten | (Citation: ClearSky Siamesekitten August 2021) |
Lyceum | (Citation: SecureWorks August 2019) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021) |
.002 | Acquire Infrastructure: DNS Server |
HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.(Citation: Zscaler Lyceum DnsSystem June 2022) |
||
Enterprise | T1110 | .003 | Brute Force: Password Spraying |
HEXANE has used password spraying attacks to obtain valid credentials.(Citation: SecureWorks August 2019) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.(Citation: SecureWorks August 2019)(Citation: Kaspersky APT Trends Q1 April 2021)(Citation: Kaspersky Lyceum October 2021) |
.005 | Command and Scripting Interpreter: Visual Basic |
HEXANE has used a VisualBasic script named `MicrosoftUpdator.vbs` for execution of a PowerShell keylogger.(Citation: Kaspersky Lyceum October 2021) |
||
Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
HEXANE has used compromised accounts to send spearphishing emails.(Citation: SecureWorks August 2019) |
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.(Citation: Kaspersky Lyceum October 2021) |
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.(Citation: ClearSky Siamesekitten August 2021) |
.002 | Establish Accounts: Email Accounts |
HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.(Citation: Kaspersky Lyceum October 2021) |
||
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
HEXANE has used WMI event subscriptions for persistence.(Citation: Kaspersky Lyceum October 2021) |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
HEXANE has used cloud services, including OneDrive, for data exfiltration.(Citation: Microsoft POLONIUM June 2022) |
Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021) |
Enterprise | T1591 | .004 | Gather Victim Org Information: Identify Roles |
HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.(Citation: SecureWorks August 2019)(Citation: ClearSky Siamesekitten August 2021) |
Enterprise | T1056 | .001 | Input Capture: Keylogging |
HEXANE has used a PowerShell-based keylogger named `kl.ps1`.(Citation: SecureWorks August 2019)(Citation: Kaspersky Lyceum October 2021) |
Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation |
HEXANE has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021) |
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.(Citation: Kaspersky Lyceum October 2021)(Citation: SecureWorks August 2019)(Citation: Zscaler Lyceum DnsSystem June 2022) |
Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
HEXANE has run `net localgroup` to enumerate local groups.(Citation: Kaspersky Lyceum October 2021) |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
HEXANE has used remote desktop sessions for lateral movement.(Citation: SecureWorks August 2019) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
HEXANE has used a scheduled task to establish persistence for a keylogger.(Citation: Kaspersky Lyceum October 2021) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.(Citation: ClearSky Siamesekitten August 2021) |
Enterprise | T1016 | .001 | System Network Configuration Discovery: Internet Connection Discovery |
HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.(Citation: Kaspersky Lyceum October 2021) |
Enterprise | T1204 | .002 | User Execution: Malicious File |
HEXANE has relied on victim's executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.(Citation: SecureWorks August 2019)(Citation: Dragos Hexane)(Citation: ClearSky Siamesekitten August 2021)(Citation: Zscaler Lyceum DnsSystem June 2022) |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
HEXANE has used cloud services, including OneDrive, for C2.(Citation: Microsoft POLONIUM June 2022) |
References
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
- ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- Dragos. (n.d.). Hexane. Retrieved October 27, 2019.
- SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
- Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
- Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
- GReAT . (2021, April 27). APT trends report Q1 2021. Retrieved June 6, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.