Iranian state hackers use upgraded malware in attacks on ISPs, telcos

The Iranian state-supported APT known as 'Lyceum' (Hexane, Spilrin) targeted ISPs and telecommunication service providers in the Middle East and Africa between July and October 2021.

Apart from Israel, which is permanently in the crosshairs of Iranian hackers, researchers have spotted Lyceum backdoor malware attacks in Morocco, Tunisia, and Saudi Arabia.

In the most recent campaign analyzed in a joint report between researchers at Accenture and Prevailion, Lyceum is seen using two distinct malware families, dubbed Shark and Milan.

The Shark backdoor is a 32-bit executable written in C# and .NET used to execute commands and exfiltrate data from infected systems.

Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and exfiltrate it to hosts derived from domain generation algorithms (DGAs).

Both backdoors communicate via DNS and HTTPS with their command and control servers (C2), with Shark also using DNS tunneling.

According to the technical analysis, which revealed a continual refresh of the beacons and payloads, Lyceum appears to be monitoring researchers who are analyzing their malware to update their code and stay ahead of defensive mechanisms.

The most recent build dates are from October 2021, and the researchers point out that at least two of the identified compromises are ongoing.

The analysts managed to map the Lyceum victims by annexing twenty of the actor's domains and analyzing the telemetry data without taking them down.

The resulting report provides a new list with indicators of compromise (IoCs) and multiple ways to detect the two backdoors, so it has the potential to disrupt Lyceum's ongoing campaign.

Politically motivated

The particular group of hackers is believed to be politically motivated and exclusively interested in cyber espionage rather than causing operational disruption to their targets.

This is why they focus on ISP network intrusions, as compromising high-level service providers is an excellent way to collect valuable intelligence on foreign nations.

"It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or internal systems within the operator," explains the joint report from Accenture and Prevailion.

"However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north African telecommunication companies."

Although Iran has traditionally kept a hostile stance against Israel, Saudi Arabia, and Morocco, the inclusion of Tunisia in the victimology is seemingly hard to justify, so it's an interesting find.

Finally, the types of victims and activity timelines match those of operation GhostShell, revealed last month by Cybereason.

Even though the 'GhostShell' campaign was most probably orchestrated by a novel APT adversary, it still had links to known Iranian APT groups like Lyceum.