Researchers Analyze Tools Used by 'Hexane' Attackers Against Industrial Firms

Security researchers from Secureworks have analyzed several tools used by the Hexane threat actor in attack campaigns against industrial organizations over the past several months. 


Secureworks, which calls the group Lyceum, notes that the actor’s activity resembles that of established groups such as Iran-linked COBALT GYPSY (related to OilRig, Crambus, and APT34) and COBALT TRINITY (also known as Elfin and APT33), but says that the collected malware and infrastructure are not connected. 


Active since at least mid-2018, Hexane has been targeting industrial control system (ICS)-related entities in the oil and gas and telecommunications sectors in the Middle East, industrial cybersecurity firm Dragos revealed earlier this month.


The group shows similarities with previously detailed threat groups, including MAGNALLIUM and CHRYSENE, but the security firm believes the actor is a distinct entity, mostly focused on critical infrastructure targets.


The attackers were observed compromising an organization using account credentials obtained via password spraying or brute-force attacks. Next, the group sent spear-phishing emails containing malicious Excel attachments designed to deliver a backdoor that can drop additional tools.


Dubbed DanBot, the first-stage remote access Trojan (RAT) employs DNS and HTTP-based communications and has basic capabilities, such as command execution via cmd.exe and the upload and download of files.


Other tools associated with Hexane include DanDrop (a VBA macro that drops DanBot), kl.ps1 (a PowerShell-based keylogger), Decrypt-RDCMan.ps1 (part of the PoshC2 penetration testing framework), and Get-LAPSP.ps1 (a PowerView-based script from the PowerShell Empire framework).


Written in C# using .NET Framework 2.0, DanBot uses both IPv4 A records and I ..
