Hackers belonging to a threat group dubbed LYCEUM (aka HEXANE) have been launching attacks on organizations in the oil and gas sector since May of this year, new research by SecureWorks shows. This campaign primarily targets firms located in the Middle East, but LYCEUM has been active since April of 2018 and initially targeted firms in South Africa.
In the first stage of an attack, LYCEUM tries to compromise user accounts through password spraying, in which lists of common passwords are tried against user accounts. If the group manages to take over an account in this manner, it uses that account to target other users in the firm with spear phishing messages. These messages carry malicious attachments containing DanBot malware, which allows the attackers to execute malicious commands on infected devices. Ironically, the theme of some phishing messages concerns security best practices. For instance, in one campaign, the malicious attachment was titled “the 25 worst passwords of 2017.”
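A defender can look for the first stage described above in authentication logs. The sketch below is an added example, not code from SecureWorks or the original article. It flags sources whose failed logons span many distinct accounts and lists accounts that logged on from such a source. The log format, sample events and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: time, source IP, account, outcome.
# IPs are documentation ranges and account names are made up.
SAMPLE = """\
2019-08-01T08:00:05 198.51.100.7 alice FAIL
2019-08-01T08:00:40 198.51.100.7 bob FAIL
2019-08-01T08:01:10 198.51.100.7 carol OK
2019-08-01T08:01:45 198.51.100.7 dave FAIL
2019-08-01T08:02:20 198.51.100.7 erin FAIL
2019-08-01T08:03:00 203.0.113.20 frank FAIL
2019-08-01T08:03:30 203.0.113.20 frank FAIL
2019-08-01T08:03:50 203.0.113.20 frank OK
"""

def parse(text):
    """Turn 'time source account outcome' lines into sorted event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome == "OK"))
    return sorted(events)

def find_sprays(events, window=timedelta(minutes=30), min_accounts=4):
    """Flag sources failing against many distinct accounts in a short window."""
    failures = defaultdict(list)    # source -> [(time, account)]
    successes = defaultdict(set)    # source -> accounts that logged on
    findings = {}
    for ts, src, user, ok in events:
        if ok:
            successes[src].add(user)
            continue
        failures[src].append((ts, user))
        recent = {u for t, u in failures[src] if ts - t <= window}
        # Key on distinct accounts, not failure count: one user retyping a
        # password produces many failures but only one account.
        if len(recent) >= min_accounts:
            findings.setdefault(src, {"targeted": set()})["targeted"] |= recent
    for src, finding in findings.items():
        # Any account that authenticated from a spraying source should be
        # treated as taken over, including mail it sends to colleagues.
        finding["suspect"] = set(successes[src])
    return findings

if __name__ == "__main__":
    for src, f in find_sprays(parse(SAMPLE)).items():
        print(src, "targeted:", sorted(f["targeted"]), "suspect:", sorted(f["suspect"]))
```

Accounts in the `suspect` set are the ones to reset first, and internal mail with attachments sent from them after the logon deserves review.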