LYCEUM threat group active in the Middle East.
The Secureworks Counter Threat Unit has observed a new threat group, "LYCEUM," active against targets in the Middle East. The researchers say the group's tradecraft bears similarities to APT33 and APT34 (two Iranian-linked threat actors), but they note that none of LYCEUM's known malware or infrastructure has any apparent connection to these or other groups. Secureworks concluded that there wasn't enough technical evidence for attribution, although they did determine this was the same group Dragos has been tracking as HEXANE.
LYCEUM targets "organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications." Unlike Dragos, the Secureworks researchers didn't see any evidence that the group was interested in ICS or OT environments. However, they add that they "cannot dismiss the possibility that the threat actors could seek access to OT environments after establishing robust access to the IT environment." Dragos said the threat actor targeted IT environments to gather information about ICS-related entities, but concluded that the group probably doesn't yet have "the access nor capability to disrupt ICS networks."
Fancy Bear sighting.
BlackBerry Cylance's ThreatVector team has released new research on a malware sample used by APT28, that is, of course, Fancy Bear, Russia's GRU. The sample was uploaded to VirusTotal by US Cyber Command on May 17th. Cyber Command didn't provide any context, but security researchers concluded the malware was probably X-Tunnel, a tool that allows APT28 to maintain encrypted communications with an infected network.
ThreatVector's research last month outlined the team's preparation for a detailed analysis of the binary in IDA Pro. They deduced that the malware was built with Microsoft Visual C++ and contained statically linked libraries, specifically the POCO C++ framework and OpenSSL version 1.0.1e. The researchers rebuilt those library versions and used them to generate custom IDA signatures that flag library code, which vastly narrowed down the code that needed to be analyzed by hand. ThreatVector's new research lays out the results of that analysis: the malware is "a multi-threaded DLL backdoor that gives the threat actor full access to, and control of, the target host."
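The library-signature step above is worth seeing in miniature. The following is an added example, not Cylance's code and not IDA's FLAIR toolchain (which does this with pcf/pelf and sigmake on the rebuilt libraries); it models the idea in plain Python: take a known library build, wildcard the bytes the linker fills in (call targets, absolute data addresses), and match the resulting patterns against functions carved from a sample so the analyst can set library code aside and look at what remains. The x86 byte strings, the function names ("libcrypto_fn_1", "libcrypto_fn_2") and the sample addresses are all constructed for the demo. The version-string lookup at the end reflects how a statically linked OpenSSL usually gives away its release, which is what tells you which version to rebuild.

```python
"""Simplified FLIRT-style library signature matching (added example).

Not Cylance's code or IDA's FLAIR; this models the idea behind them.
Signatures are built from a known library build (a stand-in for a statically
linked OpenSSL 1.0.1e) with link-time address bytes wildcarded, then matched
against functions carved from a sample. All byte strings are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Pattern = Tuple[Optional[int], ...]  # None marks a wildcarded byte


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: Pattern


def make_signature(name: str, code: bytes, reloc_offsets: Sequence[int] = (),
                   reloc_size: int = 4) -> Signature:
    """Turn a known library function's bytes into a signature.

    Bytes covered by a relocation (call rel32 targets, absolute data
    addresses) differ between builds, so they become wildcards; everything
    else must match exactly.
    """
    pattern: List[Optional[int]] = list(code)
    for off in reloc_offsets:
        for i in range(off, min(off + reloc_size, len(pattern))):
            pattern[i] = None
    return Signature(name, tuple(pattern))


def matches(sig: Signature, code: bytes) -> bool:
    """True if the signature matches the start of a function's bytes."""
    if len(code) < len(sig.pattern):
        return False
    return all(p is None or p == b for p, b in zip(sig.pattern, code))


def identify_library_functions(functions: Dict[int, bytes],
                               signatures: Sequence[Signature]) -> Dict[int, str]:
    """Map each function address that matches a signature to the library name."""
    found: Dict[int, str] = {}
    for addr, code in functions.items():
        for sig in signatures:
            if matches(sig, code):
                found[addr] = sig.name
                break
    return found


def library_fraction(functions: Dict[int, bytes],
                     signatures: Sequence[Signature]) -> float:
    """Share of carved functions that are library code and can be skipped."""
    return len(identify_library_functions(functions, signatures)) / len(functions)


def find_openssl_versions(blob: bytes) -> List[str]:
    """Return OpenSSL version strings embedded in a binary.

    Statically linked OpenSSL carries its OPENSSL_VERSION_TEXT string, the
    quickest way to learn which release to rebuild for signature generation.
    """
    return sorted({m.decode() for m in re.findall(rb"OpenSSL \d+\.\d+\.\d+[a-z]?", blob)})


# Constructed "library build": two x86 functions compiled from known source.
# push ebp; mov ebp,esp; sub esp,0x10; call rel32; mov eax,[abs32]; mov esp,ebp; pop ebp; ret
LIB_FN_A = bytes.fromhex("558bec83ec10" "e810000000" "a100304000" "8be55dc3")
LIB_FN_A_RELOCS = (7, 12)  # offsets of the two 4-byte immediates the linker fills in
# mov eax,[esp+4]; not eax; ret  (no relocations at all)
LIB_FN_B = bytes.fromhex("8b442404f7d0c3")

LIBRARY_SIGNATURES = [
    make_signature("libcrypto_fn_1", LIB_FN_A, LIB_FN_A_RELOCS),  # hypothetical names
    make_signature("libcrypto_fn_2", LIB_FN_B),
]

# Constructed sample: the same library code linked at other addresses, plus one
# function that is not library code (the part worth an analyst's time).
SAMPLE_FUNCTIONS = {
    0x10001000: bytes.fromhex("558bec83ec10" "e8a40f0000" "a140d24110" "8be55dc3"),
    0x10001020: bytes.fromhex("8b442404f7d0c3"),
    0x10001030: bytes.fromhex("558bec5156576800004000e8"),  # unrelated code
}
SAMPLE_BLOB = b"\x00PADDING\x00OpenSSL 1.0.1e 11 Feb 2013\x00more\x00"


if __name__ == "__main__":
    hits = identify_library_functions(SAMPLE_FUNCTIONS, LIBRARY_SIGNATURES)
    for addr in sorted(SAMPLE_FUNCTIONS):
        print(f"{addr:#010x}  {'library ' + hits[addr] if addr in hits else 'analyse'}")
    print("versions:", find_openssl_versions(SAMPLE_BLOB))
```

The relocation masking is the whole point: a signature made from the raw library bytes with no wildcards fails to match the sample's copy of the same function, because the linker placed it at a different address and rewrote the call target and the data reference. Real FLIRT signatures go further (a fixed-length prefix, a CRC over the tail, and tie-breaking bytes), but the reason the technique shrinks the analysis so sharply is exactly what this toy shows.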