‘Lyceum’ has been active since 2017 and is also known as Hexane, Siamesekitten, or Spirlin.
The advanced persistent threat (APT) group has previously been linked to attacks on Middle Eastern oil and gas companies, but its focus now appears to have shifted to the IT sector.
Lyceum backdoor malware was noticed in attacks throughout Morocco, Tunisia, and Saudi Arabia.
Lyceum was found deploying two distinct malware families, named Shark and Milan, in the most recent campaign examined in a joint analysis by researchers at Accenture and Prevailion.
Shark and Milan
As detailed by BleepingComputer, the Shark backdoor is a 32-bit executable written in C# and .NET that can execute commands and exfiltrate data from infected machines.
Milan is a 32-bit remote access trojan (RAT) that can exfiltrate data from a compromised machine and send it to hosts whose names are produced by domain generation algorithms (DGAs).
Both backdoors communicate with their command and control (C2) servers over DNS and HTTPS, with Shark additionally employing DNS tunneling.
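As an added illustration (not code from the Accenture/Prevailion analysis, and not tied to any real Lyceum sample), the following Python heuristic scans constructed DNS query log lines for the two behaviours described above: long, high-entropy subdomain prefixes repeated against one apex domain (DNS tunneling) and random-looking second-level labels (DGA output). The log format, the names in the sample and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client IP, queried name).
# Made up for this example; none of these names are Lyceum indicators.
SAMPLE_DNS_LOG = """\
2021-11-10T09:00:01 10.0.0.5 www.example.com
2021-11-10T09:00:02 10.0.0.5 mail.example.com
2021-11-10T09:00:03 10.0.0.7 4a6f686e20446f65.9e1c2d3b4a5f6e7d8c9b0a1f2e3d4c5b.exfil-test.net
2021-11-10T09:00:04 10.0.0.7 5a6f686e20446f66.1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c.exfil-test.net
2021-11-10T09:00:05 10.0.0.7 6b7c8d9e0f1a2b3c.2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d.exfil-test.net
2021-11-10T09:00:06 10.0.0.9 qzxvkjwprtyhgbnm.com
2021-11-10T09:00:07 10.0.0.9 kfhdsuyqwmznbvcx.com
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def split_name(name):
    """Naive split into (subdomain prefix, apex); apex is the last two labels."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze_dns_log(log_text, tunnel_prefix_len=30, entropy_floor=3.5,
                    dga_label_len=12, min_unique_prefixes=3):
    """Return apex domains that look like tunneling endpoints or DGA output.
    Tunneling: one apex receives several distinct, long, high-entropy prefixes
    (encoded data rides in the query name). DGA: the second-level label itself
    is long and high-entropy. Thresholds are illustrative, not tuned."""
    prefixes_by_apex = defaultdict(set)
    dga_like = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        prefix, apex = split_name(fields[2])
        sld = apex.split(".")[0]
        if len(sld) >= dga_label_len and shannon_entropy(sld) >= entropy_floor:
            dga_like.add(apex)
        if len(prefix) >= tunnel_prefix_len and shannon_entropy(prefix) >= entropy_floor:
            prefixes_by_apex[apex].add(prefix)
    tunneling = [a for a, p in prefixes_by_apex.items() if len(p) >= min_unique_prefixes]
    return {"tunneling": sorted(tunneling), "dga_like": sorted(dga_like)}

if __name__ == "__main__":
    print(analyze_dns_log(SAMPLE_DNS_LOG))
```

On the sample log this flags `exfil-test.net` as a tunneling endpoint and the two random-looking `.com` names as DGA-like, while the ordinary `example.com` lookups pass; in production the apex split should use a public suffix list rather than the last two labels.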
According to the technical analysis, Lyceum appears to be monitoring the researchers who study its malware so that it can update its code and stay ahead of defensive systems, with the analysis indicating a continuous renewal of