Lyceum/Hexane Threat Group Uses Common Hacking Tactics


A recent threat group concentrating on critical Middle East infrastructure organisations employs easy methods to jeopardize victims and use post-intrusion instruments.

The group at Lyceum first came to public attention earlier this month when ICS Dragos published a short report on the activity of this fresh actor called Hexane. The group was called Hexane.

SecureWorks today published its own Lyceum report, which provides information on the instruments and tactics the group uses.

Both safety undertakings agree that Lyceum / Hexane’s goal is to obtain data, not interrupt activities; and although its activity is comparable to that of other organizations, the infrastructure’s malware indicates no relationship between them.

Common strategies demonstrate effective

SecureWorks scientists are saying that Lyceum relies on spraying passwords and brute-force attacks in order to compromise the emails of people working for a specific organisation.

After the original phase, the hackers send spear-phishing messages to individuals in the business in greater roles. The emails contain malicious Excel tablets which install DanBot–a Trojan Remote Access (RAT) with fundamental capacities.

Another instrument is the PoshC2 Penetration Test Password Decryption Tool ‘ Decrypt-RDCMan.ps1.’ This is used with passwords stored in the RDCMan, a remote desktop connection manager match file.

For collecting information from the Active Directory via LDAP, Lyceum utilizes the second PowerShell script-” Get-LAPSP.ps1. This is started instantly after first access to the target setting.

Besides using its own toolset, Lyceum uses no fancy tactics to achieve its goal. They depend on the prevalent framework of macro, social engineering and safety testing. However, since April 2018, it has been running campaigns, it is efficient in its activities.

Targeting execs, HR, and IT materials

According to scientists, the objectives of Lyceum include managers, employees and IT employees. Persons in these roles receive spear-phishing emails from compromised inner accounts.

“Compromising individual HR accounts could yield information and account access that could be used in additional spearphishing operations within the targeted environment and against associated organizations. IT personnel have access to high-privilege accounts and documentation that could help the threat actors understand the environment without blindly navigating the network to find data and systems of interest.”

Industrial systems (ICS) and Operational Technology (OT) employees do not appear to be among the objectives of this group, although they do not rule out “the chance for threatened actors to seek access to OT settings after solid access to the IT environment.”

Credit: Bleeping computers

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.