Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Report: Iranian APT Hexane Targets Israeli Companies

Over the past several months, an Iran-linked threat actor tracked as Hexane has attempted to breach numerous Israeli organizations using supply chain tools, according to a new report from security vendor ClearSky.

Over the past several months, an Iran-linked threat actor tracked as Hexane has attempted to breach numerous Israeli organizations using supply chain tools, according to a new report from security vendor ClearSky.

Active since at least 2018 and also tracked as Lyceum and SiameseKitten, Hexane was previously seen targeting companies in the oil and gas and telecommunications sectors in the Middle East and Africa.

Recent activity attributed to the Hexane actor, however, shows a change in both targeting and tactics. The group, ClearSky says, has established large infrastructure that allows it to impersonate known companies, which it has been doing in recent attacks. The group also upgraded its toolset.

Following a May 2021 attack on an IT company in Israel, Hexane launched a second wave of assaults in July 2021, this time targeting additional organizations in the country.

In this campaign, a typical attack starts with the attackers identifying both the potential victim and a human resources department employee to impersonate. Next, the adversary establishes a phishing website to impersonate the targeted organization, creates tailored lure files, and sets up a fake LinkedIn profile to impersonate the HR department employee.

Next, the attackers contact the potential victim to make them a job offer and lure the victim to a phishing website, but deploy malware only after additional lure files have been downloaded. The Milan malware is deployed to establish a connection with the infected machine, after which the DanBot RAT is downloaded.

[ Related: Mysterious ‘MeteorExpress’ Wiper Linked to Iranian Train Cyberattack ]

The infected machine is then used to harvest information and conduct espionage, as well as to move laterally within the network.

As ClearSky points out, the campaign is similar to the “dream job” attacks attributed to the North Korean Lazarus group last year, but also to an OilRig (APT34) campaign in the first quarter of 2021.

On the phishing website, Hexane would detail jobs in France, Israel, and the UK. Two lure files are presented to the victim, both designed to deploy a backdoor onto their computer. This operation then continues with the deployment of a RAT onto the same machine.

“This dual infection is another development of the group’s attack methods. We believe that these attacks and their focus on IT and communication companies are intended to facilitate supply chain attacks on their clients. According to our assessment, the group’s main goal is to conduct espionage and utilize the infected network to gain access to their clients’ networks,” ClearSky added.

Related: Iran-Linked Hackers Expand Arsenal With New Android Backdoor

Related: Leaked Files From Offensive Cyber Unit Show Iran’s Interest in Targeting ICS

Related: New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.