Delaware, USA – August 28, 2019 – New details of Hexane group operations show how proven techniques and tools, as well as some custom malware pieces, allow the threat actor to effectively attack oil and gas companies in the Middle East. The cybersecurity company Dragos Inc was the first to report the group after they detected attacks mainly focused on Kuwait and neighboring countries. This week, SecureWorks researchers published an in-depth analysis of one of the attacks of the Hexane group (they named it Lyceum) and malware samples used.
Adversaries first compromise accounts of targeted company employees using a password spraying attack or brute-forcing passwords. Then, they used hacked accounts to send phishing emails with weaponized Excel attachment targeting HR department, executives, and IT personnel. The malicious document contains a custom VBA macro – DanDrop, which decodes the main payload – DanBot – and install it using a scheduled task. DanBot is a RAT used by Hexane group to run PowerShell tools included in penetration testing frameworks and their own development.
It is noteworthy that adversaries do not try to compromise the systems of operational technology and industrial control systems staff, perhaps they attack them at later stages of the campaign. According to researchers, the Hexane group may pose a threat to critical infrastructure organizations. In addition, not all the tools used by the group may have been discovered during the investigation.
Rules for ‘Scheduled Task’ technique detection:
Rare Scheduled Task Creations – https://tdm.socprime.com/tdm/info/1303/
Scheduled Task Creation – https://tdm.socprime.com/tdm/info/1124/
Rare Schtasks Creations – https://tdm.socprime.com/tdm/info/1036/
A scheduled task was created – https://tdm.socprime.com/tdm/info/2230/