Lyceum .NET DNS Backdoor Detection: Iranian Nation-Backed APT Group Leverages New Hijacking Malware

June 20, 2022 · 4 min read

Cybersecurity researchers have recently shed light on a wave of new cyber attacks by the Iranian nation-backed APT group operating under the moniker “Lyceum”, also known as HEXANE. Lyceum actors have been active in the cyber threat arena since 2017, mainly targeting Middle East organizations in the energy and telecom sectors. In the latest Lyceum campaign, the threat actors applied a novel .NET-based backdoor that takes advantage of the DNS Hijacking adversary technique.

Detect .NET DNS Backdoor Customized by the Lyceum Group

To help organizations promptly identify the malicious presence of the novel Lyceum .NET DNS Backdoor in their infrastructure, SOC Prime’s platform curates the near real-time delivery of unique detection content addressing relevant threats. Registered SOC Prime users can access the dedicated Sigma rule crafted by our keen Threat Bounty Program developer, Osman Demir. By joining the ranks of the Threat Bounty Program, individual researchers and threat hunters can make their own contributions to collaborative cyber defense.

Make sure to sign up or log into SOC Prime’s platform with your active account to drill down to the Sigma rule available via the link below:

Suspicious Lyceum .NET DNS Backdoor Persistence by Writing of PE File to Startup (via file_event) – Jun 2022

This detection is aligned with the MITRE ATT&CK® framework and addresses the Persistence tactic with Boot or Logon Autostart Execution (T1547) as its main technique. InfoSec practitioners can easily switch between multiple SIEM, EDR, and XDR formats to get the rule source code applicable to 19+ security solutions. The above-mentioned Sigma rule can also be applied to instantly hunt for threats associated with the Lyceum .NET DNS Backdoor using SOC Prime’s Quick Hunt module.
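The rule title above describes the detection idea (a PE file written into a Windows Startup folder, observed through a file_event log source) but the post does not reproduce the rule’s source. The following Python detector is an added illustration of that logic, not SOC Prime’s rule and not the Threat Bounty author’s code. The Startup-folder pattern, the PE extension list, the Sysmon Event ID 11 (FileCreate) field names, the Office-process severity bump (motivated by the macro-enabled Word lure described later in this post) and the sample events are all assumptions constructed for the example.

```python
"""Flag file-creation events that drop a PE file into a Windows Startup folder.

Added illustration: the event records imitate Sysmon Event ID 11 (FileCreate)
fields; they are constructed, not real telemetry, and this is not SOC Prime's
Sigma rule.
"""
import re
from dataclasses import dataclass

# Both the per-user and the all-users Startup folders end with this path
# fragment ("...\\Start Menu\\Programs\\StartUp\\"); contents run at logon.
STARTUP_PATTERN = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE
)

# Extensions Windows treats as executable PE images (assumed list).
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")

# A PE written to Startup by an Office process is scored higher, because the
# post describes a macro-enabled Word document as the initial lure (assumption).
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")


@dataclass
class FileEvent:
    event_id: int         # 11 == Sysmon FileCreate
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def is_startup_pe_write(ev: FileEvent) -> bool:
    """True when a FileCreate event writes a PE-extension file into Startup."""
    if ev.event_id != 11:
        return False
    if not ev.target_filename.lower().endswith(PE_EXTENSIONS):
        return False
    return STARTUP_PATTERN.search(ev.target_filename) is not None


def severity(ev: FileEvent) -> str:
    """Office writer -> high; any other writer -> medium."""
    writer = ev.image.rsplit("\\", 1)[-1].lower()
    return "high" if writer in OFFICE_IMAGES else "medium"


def detect(events):
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for ev in events:
        if is_startup_pe_write(ev):
            alerts.append({
                "technique": "T1547",
                "severity": severity(ev),
                "image": ev.image,
                "file": ev.target_filename,
            })
    return alerts


# Constructed sample events (paths and names are made up for the example).
SAMPLE_EVENTS = [
    FileEvent(11, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"),
    FileEvent(11, r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Documents\report.docx"),
    FileEvent(11, r"C:\Users\alice\AppData\Local\Temp\installer.exe",
              r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.dll"),
    # .lnk in Startup is a different persistence flavour; out of scope for a PE-write rule.
    FileEvent(11, r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"),
    # Event ID 1 (ProcessCreate) mentioning Startup is not a file write.
    FileEvent(1, r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script prints two alerts: the Word-written `update.exe` at high severity and the installer-written `helper.dll` at medium. A production rule would additionally correlate the writer process with its parent chain and the document that spawned it, which this stand-alone example does not model.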

To gain access to the comprehensive list of detection rules and hunting queries associated with the malicious activity of Lyceum threat actors, click the Detect & Hunt button below. Cybersecurity practitioners can also instantly browse SOC Prime’s cyber threats search engine to access top trends, view the most recent content updates, and explore full contextual information, including MITRE ATT&CK references, CTI links, CVE descriptions, and more, without registration and from a single place.


Lyceum .NET DNS Backdoor Analysis

The Zscaler ThreatLabz team has recently informed the global cybersecurity community of novel .NET-based DNS malware used in the latest Lyceum campaign. The Iranian state-backed hacking collective, also tracked as COBALT LYCEUM or HEXANE, has more than five years of history in the cyber threat arena and has mostly operated .NET-based malware. In the latest malware campaign, the group developed a new DNS Backdoor version by customizing open-source tool code. In these attacks, the backdoor, by means of the so-called “DNS Hijacking” technique, abuses the DNS protocol for C2 server communication, allowing attackers to perform malicious operations while evading detection. This attack technique allows threat actors to gain control over the DNS server and manipulate the responses to DNS queries.

In this latest Lyceum campaign, the infection chain is triggered by a macro-enabled Word file that serves as a lure on a military-affiliated topic. Once macros are enabled, the macro content leads to the delivery of the DNS Backdoor on the infected computer. The malware, also dubbed “DnsSystem”, enables adversaries to remotely run system commands on the compromised machines, including the ability to upload and download files from the C2 server by exploiting DNS records.
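Because the backdoor carries its C2 traffic and file transfers inside DNS records, the network-side signal is the shape of the DNS queries rather than any particular destination. The Python scorer below is an added example of that defensive angle; it is not from the Zscaler write-up or from SOC Prime, and it contains no Lyceum indicators. It reads a constructed resolver log (one `<timestamp> <client> <qname> <qtype>` line per query, using `.invalid` names reserved for examples) and, per registered domain, measures the indicators DNS-based C2 tends to produce: long leftmost labels, high churn of never-repeated subdomains, a heavy share of TXT queries, and high label entropy. The thresholds, the "last two labels" domain split and the two-indicators-to-flag rule are assumptions for the example.

```python
"""Score resolver logs for DNS-based C2 / data-transfer indicators.

Added illustration with constructed data. Thresholds are assumptions, not
indicators attributed to Lyceum or to any vendor's rule.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>" per line.
# The *.invalid names are reserved (RFC 2606) and never resolve on the Internet.
SAMPLE_LOG = """\
2022-06-20T10:00:01Z 10.0.0.5 www.example.com A
2022-06-20T10:00:02Z 10.0.0.5 mail.example.com MX
2022-06-20T10:00:03Z 10.0.0.5 www.example.com AAAA
2022-06-20T10:00:04Z 10.0.0.6 api.example.com A
2022-06-20T10:00:05Z 10.0.0.6 www.example.com A
2022-06-20T10:00:06Z 10.0.0.6 cdn.example.com A
2022-06-20T10:00:07Z 10.0.0.8 login.corp.invalid A
2022-06-20T10:00:08Z 10.0.0.8 files.corp.invalid A
2022-06-20T10:01:00Z 10.0.0.7 3f9a1c7be02d48a6f1c3e9b07d5a2c41.tunnel-test.invalid TXT
2022-06-20T10:01:01Z 10.0.0.7 7b2e0c9d4a61f8e3b5d2c7a09e4f1b86.tunnel-test.invalid TXT
2022-06-20T10:01:02Z 10.0.0.7 c4d8e1f2a3b5c6d7e8f9a0b1c2d3e4f5.tunnel-test.invalid TXT
2022-06-20T10:01:03Z 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel-test.invalid TXT
2022-06-20T10:01:04Z 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel-test.invalid TXT
2022-06-20T10:01:05Z 10.0.0.7 5f4e3d2c1b0a9f8e7d6c5b4a39281706.tunnel-test.invalid TXT
2022-06-20T10:01:06Z 10.0.0.7 a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4.tunnel-test.invalid TXT
2022-06-20T10:01:07Z 10.0.0.7 d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6.tunnel-test.invalid TXT
"""


def parse_log(text):
    """Parse log lines into (client, qname, qtype); skips blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, client, qname, qtype = line.split()
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (leftmost label, registered domain); domain = last two labels (assumption)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def score_domains(records, min_queries=5, label_len=20, unique_ratio=0.8,
                  txt_ratio=0.5, entropy_min=3.0):
    """Aggregate per registered domain and list which indicators fire."""
    per = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "subs": set(), "txt": 0})
    for _client, qname, qtype in records:
        sub, domain = split_name(qname)
        d = per[domain]
        d["n"] += 1
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub)
        d["subs"].add(sub)
        if qtype in ("TXT", "NULL"):  # record types that carry arbitrary payloads
            d["txt"] += 1
    results = {}
    for domain, d in per.items():
        n = d["n"]
        if n < min_queries:           # too few queries to judge
            continue
        indicators = []
        if d["len"] / n >= label_len:
            indicators.append("long_labels")
        if len(d["subs"]) / n >= unique_ratio:
            indicators.append("high_subdomain_churn")
        if d["txt"] / n >= txt_ratio:
            indicators.append("txt_heavy")
        if d["ent"] / n >= entropy_min:
            indicators.append("high_entropy_labels")
        results[domain] = {"queries": n, "indicators": indicators,
                           "flagged": len(indicators) >= 2}
    return results


def flagged_domains(records):
    """Sorted list of domains where at least two indicators fire."""
    return sorted(k for k, v in score_domains(records).items() if v["flagged"])


if __name__ == "__main__":
    for domain, info in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, info)
```

On the sample log only `tunnel-test.invalid` is flagged; `example.com` has short, repeating labels and no TXT traffic, and `corp.invalid` is skipped because two queries are not enough to score. In practice the same aggregation would run over a time window per client, and an allowlist of known high-churn services (CDNs, anti-spam lookups) is needed to keep the churn indicator useful.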

With multiple APT groups expanding the scope of their impact and evolving their adversary toolkits, progressive organizations are continuously looking for new ways to reinforce cyber resilience. SOC Prime’s platform enables InfoSec practitioners to boost their cyber defense potential by leveraging curated Detection-as-Code content in conjunction with automated threat hunting and content streaming capabilities. Looking for opportunities to contribute to collective cybersecurity expertise? The Threat Bounty Program is SOC Prime’s crowdsourcing initiative that enables cybersecurity researchers to monetize their own detection content, get financial benefits, and gain recognition among industry peers.
