Over the past several months, an Iran-linked threat actor tracked as Hexane has attempted to breach numerous Israeli organizations using supply chain tools, according to a new report from security vendor ClearSky.
Active since at least 2018 and also tracked as Lyceum and SiameseKitten, Hexane was previously seen targeting companies in the oil and gas and telecommunications sectors in the Middle East and Africa.
Recent activity attributed to the Hexane actor, however, shows a change in both targeting and tactics. The group, ClearSky says, has established large infrastructure that allows it to impersonate known companies, which it has been doing in recent attacks. The group also upgraded its toolset.
Following a May 2021 attack on an IT company in Israel, Hexane launched a second wave of assaults in July 2021, this time targeting additional organizations in the country.
In this campaign, a typical attack starts with the attackers identifying both the potential victim and a human resources department employee to impersonate. Next, the adversary establishes a phishing website to impersonate the targeted organization, creates tailored lure files, and sets up a fake LinkedIn profile to impersonate the HR department employee.
Next, the attackers contact the potential victim to make them a job offer and lure the victim to a phishing website, but deploy malware only after additional lure files have been downloaded. The Milan malware is deployed to establish a connection with the infected machine, after which the DanBot RAT is downloaded.
[ Related: Mysterious ‘MeteorExpress’ Wiper Linked to Iranian Train Cyberattack ]
The infected machine is then used to harvest information and conduct espionage, as well as to move laterally within the network.
As ClearSky points out, the campaign is similar to the “dream job” attacks attributed to the North Korean Lazarus group last year, but also to an OilRig (APT34) campaign in the first quarter of 2021.
On the phishing website, Hexane would detail jobs in France, Israel, and the UK. Two lure files are presented to the victim, both designed to deploy a backdoor onto their computer. This operation then continues with the deployment of a RAT onto the same machine.
“This dual infection is another development of the group’s attack methods. We believe that these attacks and their focus on IT and communication companies are intended to facilitate supply chain attacks on their clients. According to our assessment, the group’s main goal is to conduct espionage and utilize the infected network to gain access to their clients’ networks,” ClearSky added.
Related: Iran-Linked Hackers Expand Arsenal With New Android Backdoor
Related: Leaked Files From Offensive Cyber Unit Show Iran’s Interest in Targeting ICS
Related: New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets