Iranian state hackers use upgraded malware in attacks on ISPs, telcos

LASER_oneXM

Feb 4, 2016
The Iranian state-supported APT known as 'Lyceum' (Hexane, Spilrin) targeted ISPs and telecommunication service providers in the Middle East and Africa between July and October 2021.

Apart from Israel, which is permanently in the crosshairs of Iranian hackers, researchers have spotted Lyceum backdoor malware attacks in Morocco, Tunisia, and Saudi Arabia.

In the most recent campaign analyzed in a joint report between researchers at Accenture and Prevailion, Lyceum is seen using two distinct malware families, dubbed Shark and Milan.

The Shark backdoor is a 32-bit executable written in C# and .NET used to execute commands and exfiltrate data from infected systems.
Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and exfiltrate it to hosts derived from domain generation algorithms (DGAs).

Both backdoors communicate via DNS and HTTPS with their command and control servers (C2), with Shark also using DNS tunneling.
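As an added illustration of the defensive side of the DNS tunneling mentioned above (this is example code, not from the Accenture/Prevailion report or this post), the script below scores a constructed DNS query log for the traits tunneling leaves behind: many never-repeated, long, high-entropy leftmost labels under one registered domain. The log format, thresholds and domains are assumptions invented for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log ("client qname qtype"). The domains are
# placeholders made up for this example, not indicators from any report.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 4a7f9c2e1b8d6f3a9c0e.dns-example.test TXT
10.0.0.7 b3e8d1c7a2f4e6b9d0c5.dns-example.test TXT
10.0.0.7 e9c4a1f7b2d8c6e3a0f5.dns-example.test TXT
10.0.0.7 7d2b9e4c1a6f8d3b5e0c.dns-example.test TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits per character; encoded payload data scores far above hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1].lower().rstrip("."), parts[2]))
    return rows

def registered_domain(qname):
    # Naive: last two labels (no public-suffix list; fine for the sample).
    return ".".join(qname.split(".")[-2:])

def find_tunneling_candidates(rows, min_unique=4, min_label_len=16, min_entropy=3.0):
    per_domain = defaultdict(set)  # registered domain -> set of distinct qnames
    for _, qname, _ in rows:
        per_domain[registered_domain(qname)].add(qname)
    flagged = {}
    for domain, names in per_domain.items():
        subs = [n[: -len(domain) - 1] for n in names if len(n) > len(domain) + 1]
        if len(subs) < min_unique:
            continue
        # Tunneled data rides in the leftmost label: long, random-looking, never reused.
        shortest_label = min(len(s.split(".")[0]) for s in subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if shortest_label >= min_label_len and avg_entropy >= min_entropy:
            flagged[domain] = {"unique": len(subs), "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

On real resolver logs, tune the thresholds per environment and whitelist known legitimate high-cardinality domains (CDNs, telemetry) before alerting.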