

March 16, 2022
Severity
High
Analysis Summary
The Lyceum APT (aka HEXANE, Spirlin) is a cybercriminal group that mainly targets energy and telecommunications organizations in the Middle East. It has expanded this victim set by identifying additional targets among internet service providers (ISPs) and government agencies. Active since 2018, the group has been linked to Iran. Lyceum is a politically motivated nation-state actor conducting cyber espionage with two malware families dubbed Shark and Milan. For initial backdoor deployment, the group uses Domain Name System (DNS) tunneling. The malware is delivered via a phishing email that contains a malicious link and a weaponized Word document. The MFA (Ministry of Foreign Affairs) is a sought-after target of the threat actor. The group has also been deploying the “ir_drones.docm” maldoc for infiltration.
Impact
- Information Theft and Espionage
Indicators of Compromise
Filename
- ir_drones[.]docm
- DnsDig[.]exe
MD5
- 13814a190f61b36aff24d6aa1de56fe2
- d79687676d2d152aec4143c852bdbc4a
SHA-256
- 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292
- 5f0e0f0abc28ccc1911533fd035e984b4183eb9838bb41c1f6589de84a617ca6
SHA-1
- 08fd3f4cdcb6e4c3cb28935c41781e5fe84bf0c6
- 5a0f97b4aa465f64e6d8f640c2ccb36b400fc68c
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
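One way to carry out the second remediation step on a file system, as an added example that is not part of the Rewterz alert: a small Python scanner that matches files against the filename and hash indicators listed above. The directory to scan and the sample contents in the usage are assumptions, not values from the alert.

```python
import hashlib
import os

# Indicators listed in the alert above (filenames lower-cased for comparison).
ALERT_IOCS = {
    "filename": {"ir_drones.docm", "dnsdig.exe"},
    "md5": {"13814a190f61b36aff24d6aa1de56fe2", "d79687676d2d152aec4143c852bdbc4a"},
    "sha1": {"08fd3f4cdcb6e4c3cb28935c41781e5fe84bf0c6", "5a0f97b4aa465f64e6d8f640c2ccb36b400fc68c"},
    "sha256": {"221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292",
               "5f0e0f0abc28ccc1911533fd035e984b4183eb9838bb41c1f6589de84a617ca6"},
}
HASH_ALGOS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Return {algo: hexdigest} for the three hash types the alert lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def match_indicators(filename: str, data: bytes, iocs=ALERT_IOCS) -> list:
    """Return [(indicator_type, value), ...] for every indicator the file matches."""
    hits = []
    name = os.path.basename(filename).lower()
    if name in iocs["filename"]:
        hits.append(("filename", name))
    for algo, value in digests(data).items():
        if value in iocs[algo]:
            hits.append((algo, value))
    return hits


def scan_tree(root: str, iocs=ALERT_IOCS) -> dict:
    """Walk a directory and return {path: hits} for files matching any indicator."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hits = match_indicators(fn, fh.read(), iocs)
            except OSError:
                continue  # unreadable or vanished file; skip it and keep scanning
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    # Assumed usage: scan the directory given on the command line (default: cwd).
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

A filename match alone is a weak signal (benign files can share a name), so treat hash hits as the confirmation and filename-only hits as something to pull for analysis.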