Iranian Cyber Espionage threat group that’s targeted oil & gas, telecommunications, aviation, and ISP(Internet Service Providers) organizations since at least 2017.
Associated Groups/Names: Lyceum, Siamese Kitten
Country of Origin: Iran
Locations of Targets: Primarily the Middle East & Africa..Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia
Infrastructure: Adversary-owned infrastructure from European hosting providers. and Spoofs legitimate IT domains
Capabilities: Initial Access via MS Excel documents containing embedded binary, C2 via DNS & HTTP, Evasion via task scheduling and in-memory. and NET compilation
The Cyber Crime group HEXANE was discovered in August of 2019 but was operating under the radar for at least a year before that, possibly since spring of 2018. Their main focus during attacks is to extract user credentials from compromised systems. In order to accomplish this they have a multi-stage attack chain. Let’s look at these various stages…
The Initial Stage- A malicious Microsoft Office document that contains the DanDrop malware. This malware creates a copy of DanBot, a RAT (Remote Access Trojan) and schedules it to run. DanDrop is a malware dropper HEXANE uses to deliver second-stage malware. Part of the reason it was able to go undetected by AntiViruses is that the file is embedded within Excel document and will go by names such as..
“The Worst Passwords of 2017”
“Top Ten Security Practices”
Documentation Completely in Arabic
Once a sample of the malicious file was uploaded to VirusTotal it only had a 65.7% detection rate by AntiViruses. Interesting note: Some of the major AVs were among those that weren’t able to detect it.
It is actually possible to extract the VBA (Visual Basic for Application-A human readable & editable programming code that gets operated when you record a macro.) It’s now widely used with other Microsoft Office applications such as MS-Word, MS-Excel, and MS-Access.
DanBot- A copy of DanBot is the executable dropped by the DanDropper Malware. DanBot is a RAT used by the cyber criminals to control a computer after infection. It uses both the DNS & HTTP protocols for Command & Control.
PowerShell Scripts-HEXANE is also known for using various PowerShell scripts as part of their attacks. Such as: -kl.ps1 (a common PowerShell keylogger) -Decrypt-RDCMan.ps1 (PowerShell script from PoshCZ pentesting framework for decrypting credentials stored within the RDCMan configuration file. -Get-LAPSP.ps1 (PowerShell script for stealing data from Active Directory via LDAP, LDAP = Lightweight Directory Access Protocol, an open vendor neutral application protocol for accessing & maintaining that data.)
Recently HEXANE has switched up their targeting & tactics a bit. The group has established large infrastructure that allows it to impersonate already known companies, which it has been doing in these recent attacks. The group has also upgraded their toolset. In spring of 2021 HEXANE began attacking more organizations in Israel. This campaign would typically start with the attackers choosing a potential employee as a victim and a human resource employee to impersonate. Then a phishing website is created that mimics the legitimate organization. Tailored files are also then created to lure the victim to download them. (Notice: similarities between the North Korean Lazarus Group’s “Dream Job” campaign) They then set up a fake LinkedIn profile to further imitate the HR department employee. Next the attackers reach out to the potential victim to make an irresistible job offer. The malware is deployed once the victim checks and downloads the additional files. The Milan Malware is deployed to establish a connection with the infected machine. Then the DanBot RAT is downloaded. The infected machine is not online used to harvest information and conduct espionage but also to move laterally within the network.
Side Note: There are a lot of similarities between the TTPs (Tactics, Techniques, and Procedures) of HEXANE & APT 33 & OilRig. However, there are differences in victims and tools so they are usually tracked as separate entities.
I highly recommend checking these links for more information: