Telecoms and ISPs attacked by Iranian hackers using new malware

December 13, 2021

The Iranian-sponsored cyber threat group known as Lyceum has recently attacked telecommunication service providers and ISPs in Africa and the Middle East using upgraded malware. Saudi Arabia, Tunisia, and Morocco are also targeted by the group, but Israel remains the country Lyceum attacks most.

In the most recent cyber espionage campaign, analysed in a joint report by two separate research teams, Lyceum was observed using two malware variants named Milan and Shark.

The Milan variant is a 32-bit RAT that can retrieve data from the infected system and exfiltrate it to hosts derived from domain generation algorithms (DGAs). The Shark backdoor is also a 32-bit executable, written in .NET and C#, used to run commands and exfiltrate data from compromised systems.

Milan and Shark both communicate with their C2 servers over HTTPS and DNS; Shark additionally uses DNS tunneling.
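Because both backdoors talk to their C2 over DNS and Shark tunnels data through it, a practical defensive check is to score DNS query logs for tunnel-like traffic: many queries to one parent domain whose first labels are long and high-entropy, often as TXT or NULL records. The following Python is an added example, not code from the page or the joint report; the log format, the domain names and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log ("client qtype qname"); not from the report. The TXT
# lines mimic a tunnel carrying encoded data in long, high-entropy first labels.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.9 TXT abcdefghijklmnopqrstuvwx.c2-placeholder.example
10.0.0.9 TXT 0123456789abcdefghijklmn.c2-placeholder.example
10.0.0.9 TXT zyxwvutsrqponmlkjihgfedc.c2-placeholder.example
10.0.0.9 TXT mnbvcxzlkjhgfdsapoiuytre.c2-placeholder.example
10.0.0.9 TXT q1w2e3r4t5y6u7i8o9p0asdf.c2-placeholder.example
10.0.0.5 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Crude registrable-domain guess: the last two labels of the query name."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunneling_candidates(log_text, min_queries=5, min_label_len=20, min_entropy=3.5):
    """Return {parent_domain: stats} for domains whose queries look like a DNS tunnel."""
    per_domain = defaultdict(lambda: {"queries": 0, "long_labels": 0, "txt_or_null": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _client, qtype, qname = parts
        first_label = qname.split(".")[0]
        st = per_domain[parent_domain(qname)]
        st["queries"] += 1
        st["long_labels"] += int(len(first_label) >= min_label_len)
        st["txt_or_null"] += int(qtype.upper() in ("TXT", "NULL"))
        st["entropy_sum"] += shannon_entropy(first_label)
    hits = {}
    for parent, st in per_domain.items():
        avg_entropy = st["entropy_sum"] / st["queries"]
        # Flag only when enough queries, most first labels are long, and labels look encoded.
        if st["queries"] >= min_queries and st["long_labels"] >= 0.8 * st["queries"] and avg_entropy >= min_entropy:
            hits[parent] = {**st, "avg_entropy": round(avg_entropy, 2)}
    return hits
```

Thresholds need tuning per environment: CDNs and some security products also emit long, random-looking labels, so treat a hit as a lead for triage, not a verdict.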

According to the analysis, Lyceum appears to monitor the analysts, security operators, and researchers who study its malware, so that it can upgrade its code and stay one step ahead of all its adversaries.

The most recent build dates are from October of this year, and the researchers note that two of the identified compromises are still ongoing. The joint analysis located Lyceum's victims by sinkholing twenty of the threat actor's domains and analysing the resulting telemetry, without taking the domains offline.

In the resulting report, the analysts provided a new list of indicators of compromise and several methods for identifying the two backdoors, so that defenders can disrupt Lyceum's current operation.

The malware operators focus on snooping around rather than causing a significant impact.

The Iranian-sponsored Lyceum is believed to be politically motivated and interested solely in espionage rather than in disrupting its targets' overall operations. That is why Lyceum focuses on intrusions into ISP networks, which let it gather valuable information on rival foreign nations.

According to the joint report, it is unknown whether Milan's backdoor signals come from a client located at the Moroccan telecom operator or from the operator's internal systems. However, since Lyceum has a history of targeting telecom providers, it is plausible that Lyceum will also target North African telecom companies.

Furthermore, Iran's hostility toward Saudi Arabia, Morocco, and Israel is well known, but the recent attack in Tunisia is harder to explain, which is why several researchers consider it a fascinating discovery.
