Cyber experts warn of a rise in Lyceum hacker group activities in Tunisia

Cyber Warfare Asia
2 min read · Nov 1, 2021


Lyceum, a threat actor previously linked to attacks on energy and telecommunications companies across the Middle East, has expanded its operations to target Tunisia.

The attacks were attributed to the Lyceum hacking group (aka Hexane), first identified in 2019 by Secureworks, according to Kaspersky researchers who presented their findings at the Virus Bulletin VB2021 conference in October.

Lyceum has been active since at least April 2018, when it targeted telecommunications providers and oil-and-gas organizations in the Middle East with spear-phishing emails carrying malicious documents.

Mark Lechtik, senior security researcher at Kaspersky's Global Research & Analysis Team (GReAT), said in a Monday post that the team had identified a new cluster of Lyceum activity focused on two entities in Tunisia.

Kaspersky's new Lyceum findings stem from a PowerShell script (MD5: 94eac052ea0a196a4600e4ef6bec9de2) submitted to VirusTotal in November 2020, which helped researchers follow the group's more recent tracks.

The Russian cybersecurity company Kaspersky said that "the attack methods used in the campaign against Tunisian companies resembled techniques previously attributed to hacking operations associated with the DNSpionage group, which, in turn, has exhibited tradecraft overlaps to an Iranian threat actor dubbed OilRig (aka APT34)", while calling out the "significant similarities" between lure documents delivered by Lyceum in 2018–2019 and those used by DNSpionage.

Kaspersky also documented other aspects of Lyceum's tradecraft, including commands the attackers ran in compromised environments, how credentials stored in browsers were harvested with a PowerShell script, and details of a custom keylogger deployed on some of the targeted machines.
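The article does not say how the credential-stealing PowerShell script worked, and the following is not from the article or from Kaspersky's report. It is an added detection-side example: a small Python triage routine run over constructed PowerShell Script Block Logging (Event ID 4104) entries that flags scripts which touch browser credential stores (Chrome's `Login Data`, Firefox's `logins.json`/`key4.db`) or call DPAPI decryption, the generic pattern behind browser credential harvesting. The indicator strings, the event shape, and the sample scripts are assumptions chosen for illustration, not Lyceum indicators of compromise.

```python
import re

# Constructed sample events in the shape a SIEM might export from
# Windows PowerShell Script Block Logging (Event ID 4104). Not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01",
     "script": "Get-Process | Where-Object {$_.CPU -gt 100}"},
    {"id": 2, "host": "ws02",
     "script": r"$p = $env:LOCALAPPDATA + '\Google\Chrome\User Data\Default\Login Data'; "
               r"Copy-Item $p $env:TEMP\ld.db; Add-Type -AssemblyName System.Security; "
               r"[System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser')"},
    {"id": 3, "host": "ws03",
     "script": r"Get-ChildItem $env:APPDATA\Mozilla\Firefox\Profiles -Recurse -Include logins.json,key4.db"},
    {"id": 4, "host": "ws04",
     "script": r"Add-Type -AssemblyName System.Security; "
               r"[System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'CurrentUser')"},
]

# Assumed indicator patterns (illustrative, not vendor or Kaspersky IOCs).
# "store" indicators reference a browser credential database on disk;
# "dpapi" indicators reference the decryption call needed to read Chromium
# passwords protected with the user's DPAPI master key.
INDICATORS = {
    "chrome_login_db":      ("store", re.compile(r"Login Data", re.I)),
    "firefox_login_store":  ("store", re.compile(r"logins\.json|key4\.db|signons\.sqlite", re.I)),
    "browser_profile_path": ("store", re.compile(
        r"(Google\\Chrome|Microsoft\\Edge|BraveSoftware)\\?.*User Data|Mozilla\\Firefox\\Profiles", re.I)),
    "dpapi_unprotect":      ("dpapi", re.compile(r"ProtectedData\]::Unprotect|CryptUnprotectData", re.I)),
}


def classify(script):
    """Return (matched indicator names, severity) for one script block.

    Severity is "high" when a script both references a browser credential
    store and calls DPAPI decryption, "medium" for a store reference alone,
    "low" for DPAPI decryption alone, and None when nothing matched.
    """
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(script)]
    kinds = {INDICATORS[name][0] for name in hits}
    if "store" in kinds and "dpapi" in kinds:
        return hits, "high"
    if "store" in kinds:
        return hits, "medium"
    if "dpapi" in kinds:
        return hits, "low"
    return hits, None


def analyze(events):
    """Run classify() over exported 4104 events and return only the findings."""
    findings = []
    for ev in events:
        hits, severity = classify(ev["script"])
        if severity is not None:
            findings.append({"id": ev["id"], "host": ev["host"],
                             "indicators": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['id']} on {f['host']}: {f['severity']} ({', '.join(f['indicators'])})")
```

The deliberately narrow regexes keep the example readable; in production the same logic would be expressed as a SIEM query over script-block text, and a legitimate backup or migration script that copies a browser profile will also trigger the "medium" tier, so the severity split rather than a single match is what keeps the rule usable. Note that event 4 calls `Protect`, not `Unprotect`, and correctly produces no finding.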


Written by Cyber Warfare Asia

Providing news related to state sponsored cyber warfare in Asia
