Lyceum Threat Group Targeting Telecom Companies, ISPs Across Middle Eastern Countries

Iranian state hackers are using upgraded malware to target organizations.


Cybersecurity researchers have uncovered a new cyberespionage campaign by Iranian hackers targeting the networks of telecoms companies and internet service providers (ISPs).

Tracked as Lyceum (also known as Siamese Kitten or Hexane), the Iranian APT group has mainly targeted organizations in the oil, gas, and telecom industries across Africa and the Middle East. More recently, the group has widened its focus to include the technology sector.

Earlier this week, Accenture Cyber Threat Intelligence and Prevailing Adversarial Counterintelligence published a report detailing the threat group's recent campaigns. Between July and October this year, Lyceum was identified in attacks against ISPs and telecoms organizations in Israel, Morocco, Tunisia, and Saudi Arabia using two new malware variants, dubbed Shark and Milan.

The Shark backdoor is a 32-bit executable written in C# and .NET that generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and exfiltrate it to hosts derived from domain generation algorithms (DGAs).
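The two C2 channels described above, DNS tunneling and DGA-derived hosts, both leave traces in DNS query logs. The following heuristic scanner is an added example written for this post, not code from the Accenture report or from the malware; the log lines, field layout and thresholds are constructed assumptions that a defender would tune against their own resolver data.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the report): timestamp, client IP, queried name.
# 10.0.5.42 issues long hex-encoded subdomains (tunnel-like) and a vowel-less DGA-like name.
SAMPLE_DNS_LOG = """\
2021-10-04T10:01:02Z 10.0.5.17 mail.example-corp.test
2021-10-04T10:01:03Z 10.0.5.17 www.microsoft.com
2021-10-04T10:01:05Z 10.0.5.42 4d6c7a2f9b1e3c8d5a7f2e9b4c1d8a3f.tunnel-c2.test
2021-10-04T10:01:06Z 10.0.5.42 9a1f3e7c2b5d8e4a6c0f1b3d7e9a2c5f.tunnel-c2.test
2021-10-04T10:01:09Z 10.0.5.42 xkqzvbtrwplmj.net
2021-10-04T10:01:10Z 10.0.5.17 cdn.example-corp.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed three-field log layout

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data and DGA names score high, dictionary words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(label: str) -> float:
    return sum(ch in "aeiou" for ch in label) / len(label)

def classify(qname: str, min_tunnel_len=30, tunnel_entropy=3.5,
             min_dga_len=10, dga_vowel_max=0.2, dga_entropy=3.0) -> str:
    labels = qname.lower().rstrip(".").split(".")
    # Tunneling heuristic: data is carried in a long, high-entropy leftmost label.
    left = labels[0]
    if len(left) >= min_tunnel_len and shannon_entropy(left) >= tunnel_entropy:
        return "dns_tunnel_suspect"
    # DGA heuristic: the registrable label looks random (few vowels, high entropy).
    if len(labels) >= 2:
        sld = labels[-2]
        if (len(sld) >= min_dga_len and vowel_ratio(sld) <= dga_vowel_max
                and shannon_entropy(sld) >= dga_entropy):
            return "dga_suspect"
    return "benign"

def scan_dns_log(text: str):
    """Return (client, qname, verdict) for every non-benign query in the log."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = m.groups()
        verdict = classify(qname)
        if verdict != "benign":
            findings.append((client, qname, verdict))
    return findings
```

Entropy and vowel-ratio cutoffs produce false positives on CDN and cloud hostnames, so in practice the verdicts are a triage signal to join against client, query volume and newly seen domains rather than a blocking rule.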

Both backdoors communicate with the group's command-and-control (C2) servers. The APT maintains a C2 network of more than 20 domains that its backdoors connect to, including six not previously associated with the threat actors. ClearSky and Kaspersky had previously disclosed both malware families. Researchers also discovered a new backdoor similar to newer versions of Milan, which sent beacons linked to potential attacks against a Tunisian telecom firm and a government agency in Africa.

"It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator. However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other North African telecommunication companies," the researchers stated.

At the time of the report's publication, the cybersecurity teams stated that multiple identified exploits remained active. The group typically uses credential stuffing and brute-force attacks as its initial access vector. Individual companies of interest are targeted first and then used as a springboard for spear-phishing attacks against high-profile executives in an organization.
Labels: Cyber Attacks, Iranian hackers, Middle Eastern Governments, Upgraded Malware