Lyceum APT Returns, This Time Targeting Tunisian Firms

The Lyceum threat group has resurfaced, this time with a weird variant of a remote-access trojan (RAT) that doesn’t have a way to talk to a command-and-control (C2) server and might instead be a new way to proxy traffic between internal network clusters. Kaspersky’s Mark Lechtik – senior security researcher at the company’s Global Research & Analysis Team (GReAT) – said in a Monday post that the team has identified a new cluster of Lyceum activity that’s focused on two entities in Tunisia. In a paper (PDF) presented earlier this month at the Virus Bulletin conference, Lechtik and fellow Kaspersky researchers Aseel Kayal and Paul Rascagneres wrote that the threat actor has attacked high-profile Tunisian organizations, such as telecoms or aviation companies. That fits into the group’s target list. Lyceum has been active since as early as April 2018, when it attacked telecoms, and critical infrastructure in Middle Eastern oil-and-gas organizations. Lyceum treads lightly but carries a big stick: “All the while it has kept a low profile, drawing little attention from security researchers,” the trio of researchers wrote. The Lyceum group (aka Hexane) was first exposed in 2019 by Secureworks, which spotted the group targeting Middle Eastern energy firms and telecoms with malware-laced spearphishing emails. Back then, Lyceum was using various PowerShell scripts and a novel .NET-based remote-access trojan (RAT) called DanBot, which deployed post-intrusion tools to spread across…