Security researchers from Secureworks have analyzed several tools used by the Hexane threat actor in attack campaigns against industrial organizations over the past several months.
Secureworks, which calls the group Lyceum, notes that the actor’s activity resembles that of established groups such as Iran-linked COBALT GYPSY (related to OilRig, Crambus, and APT34) and COBALT TRINITY (also known as Elfin and APT33), but says that the collected malware and infrastructure are not connected.
Active since at least mid-2018, Hexane has been targeting industrial control systems (ICS) related entities in the oil and gas and telecommunications sectors in the Middle East, industrial cybersecurity firm Dragos revealed earlier this month.
The group shows similarities with previously detailed threat groups, including MAGNALLIUM and CHRYSENE, but the security firm believes the actor is a unique entity, mostly focused on targets in the critical infrastructure.
The attackers were observed compromising an organization through account credentials obtained via password spraying or brute-force attacks. At the next step, the group sent spear-phishing emails containing malicious Excel attachments designed to deliver a backdoor that can drop additional tools.
Dubbed DanBot, the first-stage remote access Trojan (RAT) employs DNS and HTTP-based communications and has basic capabilities, such as command execution via cmd.exe and the upload and download of files.
Other tools associated with Haxane include DanDrop (a VBA macro to drop DanBot), kl.ps1 (a PowerShell-based keylogger), Decrypt-RDCMan.ps1 (part of the PoshC2 penetration testing framework), and Get-LAPSP.ps1 (a PowerView-based script from the PowerShell Empire framework).
Written in C# using .NET Framework 2.0, DanBot uses both IPv4 A records and IPv6 AAAA records for communication with the command and control (C&C) server via its DNS channel. The malware’s code shows typos that could facilitate network detection for the HTTP-based elements of the C&C protocol.
The kl.ps1 keylogger can capture the window title and keystrokes on infected systems. Deployed via a scheduled task and a VBScript file, it stores gathered data Base64-encoded.
Decrypt-RDCMan.ps1 is used to decrypt passwords stored in the RDCMan configuration file, which stores server details and encrypted credentials to establish remote desktop sessions. The actor was observed deploying the tool within one hour after initial access, likely looking to gain additional access.
Get-LAPSP.ps1 is used to gather account information from Active Directory via LDAP and appears to contain borrowed code.
Analysis of a malicious document used in one attack revealed that, although it appeared addressed to individuals working with ICS or operational technology (OT), it was in fact intended for executives, human resources (HR) staff, and IT personnel, to gather data and set up for additional spear-phishing operations within the targeted environment.
“Despite the initial perception that the maldoc sample was intended for ICS or OT staff, LYCEUM has not demonstrated an interest in those environments. However, […] the threat actors could seek access to OT environments after establishing robust access to the IT environment. Access to, and through, the IT environment is often a prerequisite to targeting an OT environment,” Secureworks says.
The actor used the PublicDomainRegistry.com, Web4Africa, and Hosting Concepts B.V. registrars to set up infrastructure, registering new domains for individual campaigns. C&C domains typically have a security or web technology theme.
An emerging threat to energy organizations in the Middle East, Lyceum/Hexane could expand activities beyond this sector in the future.
“Aside from deploying novel malware, LYCEUM’s activity demonstrates capabilities […] observed from other threat groups and reinforces the value of a few key controls. Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics, particularly from threat groups operating in the Middle East,” Secureworks concludes.
“Although we haven’t found evidence — yet — that Lyceum is specifically targeting industrial control networks, their tools and techniques are highly consistent with past attacks on OT infrastructure,” Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek. “Phishing attacks on corporate users and theft of privileged credentials is typically followed by remote access to the OT network, with the goal of causing damage and disruption. We’ve seen this in almost all past attacks on critical infrastructure including the 2017 TRITON attacks on a petrochemical facility in the Middle East, and the Ukrainian grid attacks of 2015 (Black Energy) and 2016 (Industroyer).”
To defend against sophisticated adversaries like Lyceum/Hexane, Neray suggests that the best strategy is to continuously monitor for suspicious activity. The reality, he says, is that if you’re targeted then you’ll eventually be compromised, so it is important to be able to rapidly respond before they blow up or shut down your plant.
“In the TRITON attacks, for example, the adversaries were in the environment for months or years before being discovered, after which a forensic analysis found clear evidence of Mimikatz credential-stealing software and repeated RDP sessions to the plant’s engineering workstations from within the IT network — but no one knew about it because there was no monitoring in place,” Neray said.
Related: ‘Hexane’ Threat Actor Targeting Industrial Organizations
Related: Nine Distinct Threat Groups Targeting Industrial Systems: Dragos
