Lyceum and Hexane are infosec designations for the same Advanced Persistent Threat (APT) group of hackers. The group managed to operate under the radar for almost a year before its activities were brought to light in August 2019. Lyceum is a highly specialized threat actor that focuses on credential collection and data exfiltration. It targets a very narrow set of organizations located in one specific geographic region: oil, gas, and telecommunications entities active in the Middle East.
Lyceum employs a multi-stage attack chain against each selected victim. To gain a foothold within the target's network, the hackers use various social-engineering tactics to deliver poisoned Microsoft Office documents. Some of the documents that cybersecurity researchers have observed Lyceum using carry enticing titles, or ones that pique the user's curiosity, such as 'The Worst Passwords of 2017' or 'Top Ten Security Practices.' Others are written entirely in Arabic, consistent with the group's continued focus on the region.
If the user executes the poisoned file, it triggers a malware dropper called DanDrop, which is embedded in the Office document as a VBA macro and is responsible for delivering the actual malware payload in the second stage of the attack. As the final stage, Lyceum deploys a Remote Access Trojan (RAT) named DanBot, which has been observed communicating with its Command-and-Control (C2, C&C) servers over both DNS and HTTP.
To expand its reach within the compromised network, Lyceum can deploy three additional tools in the form of PowerShell scripts: 'kl.ps1,' a custom-built keylogger; 'Get-LAPSP.ps1,' which uses LDAP to collect data from Active Directory; and 'Decrypt-RDCMan.ps1,' which decrypts credentials stored in the RDCMan configuration file.
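As an added illustration that is not part of the original write-up, the Python below sketches two detection rules a defender could run over process-creation telemetry for the chain described in the last two paragraphs: an Office application spawning a script host, which is how a VBA dropper like DanDrop hands off to its payload, and PowerShell invoking the script names attributed to Lyceum. The hosts, paths and events are constructed samples, and the Sysmon-style field layout is an assumption.

```python
from __future__ import annotations
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    """One process-creation record (modelled on Sysmon Event ID 1 fields)."""
    host: str
    parent_image: str
    image: str
    command_line: str

# Office hosts rarely have a legitimate reason to spawn a script interpreter; a VBA
# dropper such as DanDrop launching its payload produces exactly this parent/child pair.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Script names the write-up attributes to Lyceum. A name match is cheap but trivially
# evaded by renaming, so it only supplements the behavioural rule above.
LYCEUM_SCRIPTS = re.compile(r"\b(kl|get-lapsp|decrypt-rdcman)\.ps1\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that fire for one event (empty list if none)."""
    hits = []
    if basename(ev.parent_image) in OFFICE_HOSTS and basename(ev.image) in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if basename(ev.image) in {"powershell.exe", "pwsh.exe"} and LYCEUM_SCRIPTS.search(ev.command_line):
        hits.append("known_lyceum_script_name")
    return hits

def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Run both rules over a batch and keep only the events that triggered."""
    return [(ev.host, hits) for ev in events if (hits := classify(ev))]

# Constructed sample telemetry (hypothetical hosts and paths, not real Lyceum data).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" "Top Ten Security Practices.docm"'),
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Users\Public\stage2.ps1"),
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\Public\Get-LAPSP.ps1"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, labels in scan(SAMPLE_EVENTS):
        print(host, ", ".join(labels))
```

Running it flags the Word-to-PowerShell hand-off on ws01 and the named script on ws02, while the benign Word and Notepad launches pass silently.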
Although their activity has so far been confined to a specific region, the Lyceum hackers have established a working attack chain and an effective toolset that could easily allow them to launch attacks against a broader set of entities.