The Lyceum threat actor is back, this time targeting two Tunisian firms, and has expanded its malware arsenal. The group had previously targeted energy and telecommunications firms across the Middle East in April 2018.
Security researchers at Kaspersky, who presented their findings at the VirusBulletin VB2021 conference earlier this month, traced the attack to a group that Secureworks chronicled publicly in 2019.
“The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies,” researchers Aseel Kayal, Mark Lechtik, and Paul Rascagneres detailed. “Based on the targeted industries, we assume that the attackers might have been interested in compromising such entities to track the movements and communications of individuals of interest to them.”
The attackers have moved from a combination of PowerShell scripts and a .NET-based remote administration tool called “DanBot” to new malware variants written in C++, referred to as “James” and “Kevin”. The names come from their recurring use in the PDB paths of the underlying samples.
Both implants communicate with a remote command-and-control server using custom protocols tunnelled over DNS or HTTP, mirroring the approach DanBot used.
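C2 carried inside DNS queries leaves a recognizable footprint in resolver logs: many distinct, long, high-entropy leftmost labels under one registrable domain, often with an unusual record type mix. The heuristic below is an added example written for this article, not code from Kaspersky or from the malware itself, and it does not model the actual James/Kevin or DanBot protocol. The log format, the thresholds, and the domains (`badexample.net`, `example.com`, `example.org`) are all constructed for the example; the registrable-domain split assumes two labels and no public-suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log for the example (tab-separated: timestamp, client, qname, qtype).
# None of these records are real traffic; the hex labels stand in for encoded C2 data.
SAMPLE_LOG = """\
2021-10-01T10:00:01Z\t10.0.0.5\twww.example.com\tA
2021-10-01T10:00:02Z\t10.0.0.5\tmail.example.com\tA
2021-10-01T10:00:02Z\t10.0.0.5\tapi.example.com\tA
2021-10-01T10:00:03Z\t10.0.0.9\timg1.cdn.example.org\tA
2021-10-01T10:00:03Z\t10.0.0.9\timg2.cdn.example.org\tA
2021-10-01T10:00:03Z\t10.0.0.9\timg3.cdn.example.org\tA
2021-10-01T10:00:04Z\t10.0.0.9\timg4.cdn.example.org\tA
2021-10-01T10:00:04Z\t10.0.0.9\timg5.cdn.example.org\tA
2021-10-01T10:00:05Z\t10.0.0.7\t6a7d3f1e9b2c4a8d0e1f.zz.badexample.net\tTXT
2021-10-01T10:00:05Z\t10.0.0.7\t0f9e8d7c6b5a4e3d2c1b.zz.badexample.net\tTXT
2021-10-01T10:00:06Z\t10.0.0.7\t3c4d5e6f7a8b9c0d1e2f.zz.badexample.net\tTXT
2021-10-01T10:00:06Z\t10.0.0.7\t9b8a7c6d5e4f3a2b1c0d.zz.badexample.net\tTXT
2021-10-01T10:00:07Z\t10.0.0.7\t1e2d3c4b5a6f7e8d9c0b.zz.badexample.net\tTXT
2021-10-01T10:00:07Z\t10.0.0.7\t7f6e5d4c3b2a1f0e9d8c.zz.badexample.net\tTXT
"""


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Turn the tab-separated log into a list of query records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split("\t")
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def split_qname(qname):
    """Return (registrable domain, leftmost subdomain label or '').

    Assumption: the last two labels are the registrable domain. A real deployment
    would use a public-suffix list so that e.g. 'co.uk' is handled correctly.
    """
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    domain = ".".join(labels[-2:])
    sub = labels[:-2]
    return domain, (sub[0] if sub else "")


def profile_domains(records):
    """Per registrable domain: query count, distinct leftmost labels, mean label length,
    mean label entropy and the share of TXT queries."""
    acc = defaultdict(lambda: {"queries": 0, "labels": set(), "len_sum": 0,
                               "ent_sum": 0.0, "txt": 0})
    for r in records:
        domain, label = split_qname(r["qname"])
        p = acc[domain]
        p["queries"] += 1
        p["labels"].add(label)
        p["len_sum"] += len(label)
        p["ent_sum"] += shannon_entropy(label)
        if r["qtype"] == "TXT":
            p["txt"] += 1
    profile = {}
    for domain, p in acc.items():
        profile[domain] = {
            "queries": p["queries"],
            "unique_labels": len(p["labels"]),
            "avg_label_len": p["len_sum"] / p["queries"],
            "avg_entropy": p["ent_sum"] / p["queries"],
            "txt_ratio": p["txt"] / p["queries"],
        }
    return profile


def flag_tunnelling(records, min_unique=5, min_avg_len=16, min_entropy=3.0):
    """Domains whose leftmost labels look like encoded data rather than hostnames.

    All three conditions must hold: many distinct labels (a CDN also has those),
    long labels, and high per-character entropy (hex/base32 payloads score ~3.5-4 bits).
    """
    flagged = []
    for domain, s in profile_domains(records).items():
        if (s["unique_labels"] >= min_unique
                and s["avg_label_len"] >= min_avg_len
                and s["avg_entropy"] >= min_entropy):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dom, stats in profile_domains(recs).items():
        print(dom, stats)
    print("suspected DNS tunnelling:", flag_tunnelling(recs))
```

The `example.org` records are there deliberately: five distinct labels would trip a count-only rule, but the short, low-entropy `imgN` names fail the length and entropy checks, which is why the three conditions are combined. Thresholds need tuning per environment, and a hit is a lead for analyst review, not a verdict.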
“With considerable revelations on the activity of DNSpionage in 2018, as well as further data points that shed light on an apparent relationship with APT34, […] the latter may have changed some of its modus operandi and organizational structure, manifesting into new operational entities, tools and campaigns,” the researchers said. “One such entity is the Lyceum group, which after further exposure by Secureworks in 2019, had to retool yet another time.”