A new threat group has been observed targeting oil and gas companies in the Middle East.
Researchers from SecureWorks' Counter Threat Unit (CTU) believe the group, which they have dubbed LYCEUM, may have been active as early as April 2018. The focus of the group appears to be obtaining and expanding access within a targeted network.
The threat group's activities have also been observed by researchers at Dragos, who named the group HEXANE.
Domain registrations suggest that a campaign by the group in mid-2018 focused on South African targets, possibly in the telecommunications sector. In May 2019, a campaign was launched against oil and gas organizations in the Middle East.
The group gains its initial foothold by password spraying: rather than hammering one account with many guesses, which would trip account lockout, it tries a short list of the most common passwords against a large number of accounts, accepting only a few failures per account. Once an account has been compromised, the group uses it to send spear-phishing emails with malicious Excel attachments to other users within the company, so the lure arrives from a trusted internal sender.
When a user opens the Excel attachment and enables its macro, the DanDrop macro installs DanBot, malware the attackers can use to execute arbitrary commands via cmd.exe and to upload and download files.
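Both stages of that chain leave a process-tree trace: a macro that drops and runs an implant has an Office process as the parent of something it should never launch, and an implant running commands through cmd.exe has a shell whose parent is an unsigned binary in a user-writable path. The rules below are an added example, not code from the article or from Secureworks CTU; the events are constructed in the shape of Sysmon process-creation records, and the dropper path and name are invented, since the article does not say where DanBot lives on disk.

```python
"""Process-tree rules for the macro-to-cmd.exe step.

Added example, not code from the article or from Secureworks CTU. Events
are constructed in the shape of Sysmon Event ID 1; the "updater.exe"
dropper path is a placeholder, not a DanBot artefact from the article.
"""

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories a standard user can write to; a macro-dropped implant usually
# lands in one of these (a general assumption, not an article detail).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\users\\public\\")

# Constructed process-creation events (host, parent image, child image,
# command line) covering two malicious chains and two benign look-alikes.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-0412",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami > %TEMP%\\o.txt"},
    {"host": "WS-0412",
     "parent_image": r"C:\Users\a.ahmed\AppData\Roaming\Updater\updater.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c net user"},
    {"host": "WS-0412",                       # user opened a terminal: benign
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"host": "WS-0412",                       # Excel printing: benign child
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]


def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Name the rule an event trips, or None if it looks benign."""
    if basename(event["image"]) not in SHELLS:
        return None
    parent_path = event["parent_image"].replace("/", "\\").lower()
    if basename(parent_path) in OFFICE_PARENTS:
        return "office_spawned_shell"
    if any(marker in parent_path for marker in USER_WRITABLE_MARKERS):
        return "shell_from_user_writable_parent"
    return None


def detect_shell_chains(events):
    """Return [(rule_name, event), ...] for every event that trips a rule."""
    findings = []
    for event in events:
        rule = classify(event)
        if rule:
            findings.append((rule, event))
    return findings


if __name__ == "__main__":
    for rule, event in detect_shell_chains(SAMPLE_PROCESS_EVENTS):
        print(f"{rule}: {event['host']} {basename(event['parent_image'])} "
              f"-> {event['command_line']}")
```

The first rule is high fidelity on most fleets, because Office has no routine reason to launch a shell; the second is noisier (self-updating software under AppData is common) and is normally gated on the parent being unsigned or newly seen before it pages anyone.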
A recurring lure theme in the group's campaigns has been "security best practice," with one decoy attachment containing "the 25 worst passwords of 2017."
Asked if the choice of theme signaled that the team behind LYCEUM has a strong sense of irony, Rafe Pilling, information security researcher at SecureWorks, said: "It certainly seems that way. Based on our experience I would assess that they are choosing a decoy document that is relevant to their target for that particular spear-phishing campaign."
Researchers have been unable to pinpoint where attacks from this new group originated, but its style did ring a bell.
Pilling said: "It was intriguing to discover a new group with a similar style to established Iranian threat groups but otherwise no distinguishing technical characteristics that allow it to be linked to previously documented activity."
What makes the new group unique is its use of the DanBot malware family and the associated DanDrop malicious macro for delivery.
Pilling said: "DanBot appears relatively immature and under active development. However, the threat actor tradecraft seems a little more mature and suggests some prior experience. This mismatch is interesting. We’re considering the possibility that this is a new toolkit being used by a splinter of an existing threat group or a threat actor that has prior experience compromising large organizations."