Hexane (LYCEUM): More details have been released about the attack style and targets of Hexane, also known as LYCEUM, the group that came to light earlier in the month. Mainly targeting the Middle East, the group uses a series of steps to infect its targets. Its toolkit consists of five parts. The first is a first-stage RAT called DanBot, which uses DNS- and HTTP-based communication for basic RAT capabilities; DanBot also executes arbitrary commands via cmd.exe and uploads and downloads files. DanBot is delivered by DanDrop, a macro embedded in an Excel (.xls) document. The group also has a custom keylogger, kl.ps1, written in PowerShell. The keylogger uses elements of the Microsoft .NET Core framework to capture window titles and keystrokes; kl.ps1 stores this data Base64-encoded and is deployed through a scheduled task and a VBScript file. The group leverages a decrypter called Decrypt-RDCMan.ps1, a component of the PoshC2 pen-testing framework, which decrypts passwords stored in the RDCMan configuration file. That file stores encrypted credentials and server details, giving the group the ability to quickly establish remote desktop sessions; the recovered credentials give LYCEUM additional access within the affected network. Finally, the group uses a PowerShell script called Get-LAPSP.ps1 that can steal account information from Active Directory via LDAP. This script appears to contain borrowed code that runs like Invoke-Obfuscation. Within an hour of dropping DanBot into an environment, the group has deployed Decrypt-RDCMan.ps1 as well as Get-LAPSP.ps1. The group will compromise an account within the targeted organization to target executives, HR professionals and IT professionals alike, sending them weaponized documents through a spear-phishing campaign. The group has been notorious for using a “Security Best Practices” document to deliver the toolkit to its victims.
The group has registered multiple C2 servers, each typically used for a couple of weeks and then retired after being used for a different attack. Along with deploying this malware into an organization, the group has also been seen carrying out standard social engineering attacks, password spraying attacks, DNS tunneling, abuse of security testing frameworks and other common tactics.
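As an added defender-side illustration (not code from the original write-up or from Binary Defense), the following Python sketches detection rules for the behaviours described above, namely an Excel document spawning a shell, a VBScript host launching PowerShell, and the named toolkit scripts, and runs them over constructed process-creation records; the host names, file paths and log format are assumptions.

```python
"""Detection rules for the LYCEUM/Hexane toolkit behaviours described above (hypothetical)."""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "host parent image cmdline")

# Constructed Sysmon-style process-creation records (host|parent|image|cmdline); not real telemetry
SAMPLE_LOGS = [
    "ws01|EXCEL.EXE|cmd.exe|cmd.exe /c powershell -w hidden -enc SQBFAFgA",
    "ws01|svchost.exe|wscript.exe|wscript.exe C:\\Users\\Public\\run.vbs",
    "ws01|wscript.exe|powershell.exe|powershell.exe -ep bypass -f C:\\Users\\Public\\kl.ps1",
    "ws02|powershell.exe|powershell.exe|powershell.exe -f .\\Decrypt-RDCMan.ps1",
    "ws02|powershell.exe|powershell.exe|powershell.exe -f .\\Get-LAPSP.ps1",
    "ws03|explorer.exe|powershell.exe|powershell.exe -f C:\\scripts\\backup.ps1",
]

OFFICE = {"excel.exe", "winword.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Script names the write-up attributes to the toolkit, matched as a whole file name
TOOLKIT_SCRIPT = re.compile(r"(?:^|[\\/\s])(kl|decrypt-rdcman|get-lapsp)\.ps1\b", re.I)

RULES = {
    # DanDrop: macro-laden Excel document spawning cmd.exe or PowerShell
    "office_spawns_shell": lambda e: e.parent.lower() in OFFICE and e.image.lower() in SHELLS,
    # kl.ps1 deployment: VBScript host launching PowerShell
    "vbscript_launches_powershell": lambda e: e.parent.lower() == "wscript.exe"
                                              and e.image.lower() == "powershell.exe",
    # kl.ps1 / Decrypt-RDCMan.ps1 / Get-LAPSP.ps1 referenced on the command line
    "toolkit_script_name": lambda e: TOOLKIT_SCRIPT.search(e.cmdline) is not None,
}

def parse_event(line):
    """Split one pipe-delimited record into an Event (cmdline may itself contain '|')."""
    return Event(*line.split("|", 3))

def evaluate(lines):
    """Return (host, rule_name, cmdline) for every rule that matches an event."""
    hits = []
    for e in map(parse_event, lines):
        hits.extend((e.host, name, e.cmdline) for name, check in RULES.items() if check(e))
    return hits

def cluster_hosts(hits, min_rules=2):
    """Hosts where at least min_rules distinct rules fired; the write-up notes the whole
    chain lands within about an hour, so co-occurrence on one host is the stronger signal."""
    per_host = defaultdict(set)
    for host, rule, _ in hits:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)
```

Individual rule hits are noisy on their own (any admin may run a PowerShell script from wscript), so escalation keys on several rules firing on the same host.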
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense