
G1001 HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to those of APT33 and OilRig, but because of differences in victims and tools it is tracked as a separate entity.[3][4][2][1]

Item Value
ID G1001
Associated Names Lyceum, Siamesekitten, Spirlin
Version 2.1
Created 17 October 2018
Last Modified 22 March 2023

Associated Group Descriptions

Name Description
Lyceum [5]
Siamesekitten [2]
Spirlin [1]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization. [5][3][2]
enterprise T1583.002 DNS Server HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records. [7]
enterprise T1010 Application Window Discovery HEXANE has used a PowerShell-based keylogging tool to capture the window title. [5]
enterprise T1110 Brute Force HEXANE has used brute force attacks to compromise valid credentials. [5]
enterprise T1110.003 Password Spraying HEXANE has used password spraying attacks to obtain valid credentials. [5]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts. [5][8][4]
enterprise T1059.005 Visual Basic HEXANE has used a Visual Basic script named MicrosoftUpdator.vbs to execute a PowerShell keylogger. [4]
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts HEXANE has used compromised accounts to send spearphishing emails. [5]
enterprise T1555 Credentials from Password Stores HEXANE has run cmdkey on victim machines to identify stored credentials. [4]
enterprise T1555.003 Credentials from Web Browsers HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome. [4]
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers. [2]
enterprise T1585.002 Email Accounts HEXANE has established email accounts, including ProtonMail addresses, for use in domain registration. [4]
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage HEXANE has used cloud services, including OneDrive, for data exfiltration. [6]
enterprise T1589 Gather Victim Identity Information HEXANE has identified specific potential victims at targeted organizations. [2]
enterprise T1589.002 Email Addresses HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing. [5][2]
enterprise T1591 Gather Victim Org Information -
enterprise T1591.004 Identify Roles HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting. [5][2]
enterprise T1105 Ingress Tool Transfer HEXANE has downloaded additional payloads and malicious scripts onto a compromised host. [4]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging HEXANE has used a PowerShell-based keylogger named kl.ps1. [5][4]
enterprise T1534 Internal Spearphishing HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access. [5]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation HEXANE has used Base64-encoded scripts. [4]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net. [4][5][7]
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups HEXANE has run net localgroup to enumerate local groups. [4]
enterprise T1057 Process Discovery HEXANE has enumerated processes on targeted systems. [4]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol HEXANE has used remote desktop sessions for lateral movement. [5]
enterprise T1018 Remote System Discovery HEXANE has used net view to enumerate domain machines. [4]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task HEXANE has used a scheduled task to establish persistence for a keylogger. [4]
enterprise T1518 Software Discovery HEXANE has enumerated programs installed on an infected machine. [4]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations. [2]
enterprise T1082 System Information Discovery HEXANE has collected the hostname of a compromised machine. [4]
enterprise T1016 System Network Configuration Discovery HEXANE has used Ping and tracert for network discovery. [4]
enterprise T1016.001 Internet Connection Discovery HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts. [4]
enterprise T1049 System Network Connections Discovery HEXANE has used netstat to monitor connections to specific ports. [4]
enterprise T1033 System Owner/User Discovery HEXANE has run whoami on compromised machines to identify the current user. [4]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File HEXANE has relied on victims executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware. [5][3][2][7]
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication HEXANE has used cloud services, including OneDrive, for C2. [6]
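Most of the host-side rows above are built-in Windows tooling (whoami, net, netstat, ping/tracert, cmdkey, schtasks, BITSAdmin) plus Base64-encoded PowerShell, which is what a hunt over process-creation telemetry (Sysmon Event ID 1 or Windows 4688) should chain together rather than alert on one at a time. The following is an added example, not HEXANE tooling or ATT&CK content: it scores each host by how many distinct techniques from that chain appear in its command lines, and decodes -EncodedCommand payloads before scanning so that a scheduled-task registration for a keylogger is not hidden by the encoding. The log line format, host and user names, task name and script path are assumptions constructed for the example.

```python
"""Hunt for the discovery / credential / persistence command chain attributed to
HEXANE above (whoami, net localgroup, net view, netstat, ping/tracert, cmdkey,
schtasks, BITSAdmin, Base64-encoded PowerShell) in process-creation telemetry.
Added example, not HEXANE tooling or ATT&CK content; the log format and the
sample events below are constructed for the example."""
import base64
import re
from collections import defaultdict

# (technique id, label, regex applied to the lowercased command line)
RULES = [
    ("T1033", "whoami", r"\bwhoami(\.exe)?\b"),
    ("T1069.001", "net localgroup", r"\bnet1?(\.exe)?\s+localgroup\b"),
    ("T1018", "net view", r"\bnet1?(\.exe)?\s+view\b"),
    ("T1049", "netstat", r"\bnetstat(\.exe)?\b"),
    ("T1016", "ping/tracert", r"\b(ping|tracert)(\.exe)?\s+\S"),
    ("T1016.001", "bitsadmin", r"\bbitsadmin(\.exe)?\b"),
    ("T1555", "cmdkey /list", r"\bcmdkey(\.exe)?\s+/list\b"),
    ("T1053.005", "schtasks /create", r"\bschtasks(\.exe)?\s+/create\b"),
]
COMPILED = [(tid, label, re.compile(rx)) for tid, label, rx in RULES]

# powershell -enc / -EncodedCommand takes Base64 of a UTF-16LE script (T1027.010)
ENC_RE = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_rules(text):
    """Technique ids whose regex matches the given (lowercased) text."""
    return [tid for tid, _, rx in COMPILED if rx.search(text)]


def hunt(lines, min_techniques=3):
    """Return {host: {technique: [evidence, ...]}} for hosts that hit at least
    `min_techniques` distinct techniques from the chain. Encoded PowerShell is
    decoded and re-scanned, so a schtasks call hidden behind -enc still counts."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, cmd = m["host"], m["cmd"]
        for tid in match_rules(cmd.lower()):
            hits[host][tid].append(cmd)
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits[host]["T1027.010"].append(decoded)
            for tid in match_rules(decoded.lower()):
                hits[host][tid].append(decoded)
    return {h: dict(t) for h, t in hits.items() if len(t) >= min_techniques}


# Constructed sample: WS01 shows the chain, ending with an encoded PowerShell
# command that registers a scheduled task for a keylogger script (hypothetical names).
PAYLOAD = ('schtasks /create /tn "Updater" /sc minute /mo 5 '
           '/tr "powershell -w hidden -f C:\\Users\\Public\\kl.ps1"')
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "2023-03-01T09:58:12Z host=WS01 user=CORP\\alice cmd=whoami",
    "2023-03-01T09:58:40Z host=WS01 user=CORP\\alice cmd=net localgroup administrators",
    "2023-03-01T09:59:03Z host=WS01 user=CORP\\alice cmd=net view /domain",
    "2023-03-01T09:59:30Z host=WS01 user=CORP\\alice cmd=netstat -ano",
    "2023-03-01T10:00:05Z host=WS01 user=CORP\\alice cmd=cmdkey /list",
    "2023-03-01T10:01:11Z host=WS01 user=CORP\\alice cmd=powershell.exe -nop -w hidden -enc " + ENCODED,
    "2023-03-01T10:02:00Z host=WS02 user=CORP\\bob cmd=ping 10.0.0.1",
    "2023-03-01T10:02:30Z host=WS02 user=CORP\\bob cmd=netstat -an",
    "2023-03-01T10:03:00Z host=WS03 user=CORP\\carol cmd=C:\\Program Files\\App\\app.exe --update",
]

if __name__ == "__main__":
    for host, techniques in hunt(SAMPLE_LOG).items():
        print(host, sorted(techniques))
```

With the default threshold only WS01 is reported (seven techniques, including the schtasks call recovered from the encoded command); WS02, which only ran ping and netstat, appears only if the threshold is lowered to two, which is the trade-off between this chained approach and single-command alerts that fire on every administrator.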

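The table distinguishes brute force (T1110) from password spraying (T1110.003), and the two look different in logon telemetry: spraying keeps each account under the lockout threshold by trying one or two passwords against many accounts, while brute force piles failures onto one account. The following added example (not HEXANE tooling or ATT&CK content) classifies each source address from a sliding window of logon failures and then lists the accounts that the flagged source subsequently logged into, which is the "valid credentials" outcome the table describes. The event tuples are constructed to resemble Windows 4625/4624 logon events and the thresholds are assumptions to be tuned against the environment's lockout policy.

```python
"""Separate password spraying (T1110.003: one or two guesses against many
accounts, staying under lockout thresholds) from classic brute force (T1110:
many guesses against one account) in logon-failure telemetry, and report which
accounts a flagged source then logged into successfully. Added example; the
events are constructed to resemble Windows 4625/4624 logon events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def classify_sources(events, window=timedelta(minutes=30),
                     spray_min_accounts=8, spray_max_per_account=2,
                     brute_min_failures=15):
    """events: iterable of (timestamp, source_ip, target_account, outcome).
    Returns {source_ip: "password_spray" | "brute_force"} from a sliding window
    of failures per source; thresholds are assumptions, tune them to lockout policy."""
    recent = defaultdict(deque)  # source -> deque of (time, account) failures in window
    verdicts = {}
    for ts, src, account, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "FAILURE":
            continue
        now = datetime.strptime(ts, FMT)
        q = recent[src]
        q.append((now, account))
        while q and q[0][0] < now - window:
            q.popleft()
        per_account = defaultdict(int)
        for _, a in q:
            per_account[a] += 1
        worst = max(per_account.values())
        if len(per_account) >= spray_min_accounts and worst <= spray_max_per_account:
            verdicts[src] = "password_spray"
        elif worst >= brute_min_failures:
            verdicts[src] = "brute_force"
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts with a SUCCESS logon from a source flagged by classify_sources."""
    return {acct for _, src, acct, outcome in events
            if outcome == "SUCCESS" and src in verdicts}


def _ts(minute, second=0):
    return (datetime(2023, 3, 1, 8, 0) + timedelta(minutes=minute, seconds=second)).strftime(FMT)


USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
         "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
SAMPLE_EVENTS = (
    # spray: one guess per account, one account per minute, then a hit on "dave"
    [(_ts(i), "203.0.113.5", USERS[i], "FAILURE") for i in range(12)]
    + [(_ts(13), "203.0.113.5", "dave", "SUCCESS")]
    # brute force: 20 guesses at one service account within a minute
    + [(_ts(20, 3 * i), "198.51.100.7", "svc_backup", "FAILURE") for i in range(20)]
    # benign: a user mistypes once and then logs in
    + [(_ts(25), "192.0.2.10", "alice", "FAILURE"), (_ts(26), "192.0.2.10", "alice", "SUCCESS")]
)

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v)
    print("accounts to reset:", compromised_accounts(SAMPLE_EVENTS, v))
```

A spray source is only ever flagged if it is spread across enough accounts, so raising spray_min_accounts trades missed low-and-slow sprays for fewer false positives from shared NAT egress addresses; in practice the source key is often the combination of address and, where available, the client application or user agent.
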
Software

ID Name References Techniques
S0190 BITSAdmin [4] BITS Jobs; Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol; Ingress Tool Transfer; Lateral Tool Transfer
S1014 DanBot [5] Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; Data from Local System; Deobfuscate/Decode Files or Information; File Deletion:Indicator Removal; Ingress Tool Transfer; Match Legitimate Name or Location:Masquerading; Obfuscated Files or Information; Spearphishing Attachment:Phishing; VNC:Remote Services; Scheduled Task:Scheduled Task/Job; Malicious File:User Execution
S1021 DnsSystem [7] DNS:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Data from Local System; Exfiltration Over C2 Channel; Ingress Tool Transfer; System Owner/User Discovery; Malicious File:User Execution
S0363 Empire [5] Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Shortcut Modification:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation
S0100 ipconfig [2][7] System Network Configuration Discovery
S1020 Kevin [4] Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Data from Local System; Junk Data:Data Obfuscation; Data Staged; Data Transfer Size Limits; Exfiltration Over C2 Channel; Fallback Channels; Hidden Window:Hide Artifacts; File Deletion:Indicator Removal; Ingress Tool Transfer; Rename System Utilities:Masquerading; Native API; Obfuscated Files or Information; Protocol Tunneling; System Information Discovery; System Network Configuration Discovery; Virtualization/Sandbox Evasion
S1015 Milan [4][1] Local Account:Account Discovery; DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Data from Local System; Local Data Staging:Data Staged; Domain Generation Algorithms:Dynamic Resolution; File Deletion:Indicator Removal; Ingress Tool Transfer; Component Object Model:Inter-Process Communication; Masquerading; Double File Extension:Masquerading; Native API; Obfuscated Files or Information; Protocol Tunneling; Query Registry; Scheduled Task:Scheduled Task/Job; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0002 Mimikatz [4] SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material
S0104 netstat [4] System Network Connections Discovery
S0097 Ping [2] Remote System Discovery
S0378 PoshC2 [5] Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; Create Process with Token:Access Token Manipulation; Local Account:Account Discovery; Domain Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive via Utility:Archive Collected Data; Automated Collection; Brute Force; Credentials from Password Stores; Domain Trust Discovery; Windows Management Instrumentation Event Subscription:Event Triggered Execution; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Keylogging:Input Capture; Network Service Discovery; Network Sniffing; LSASS Memory:OS Credential Dumping; Password Policy Discovery; Local Groups:Permission Groups Discovery; Process Injection; Proxy; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Credentials In Files:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Windows Management Instrumentation
S1019 Shark [4][1] Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Data from Local System; Data Staged; Deobfuscate/Decode Files or Information; Domain Generation Algorithms:Dynamic Resolution; Exfiltration Over C2 Channel; Fallback Channels; File Deletion:Indicator Removal; Ingress Tool Transfer; Match Legitimate Name or Location:Masquerading; Obfuscated Files or Information; Query Registry; Scheduled Transfer; System Information Discovery; System Checks:Virtualization/Sandbox Evasion
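Four of the tools in this table (DanBot, DnsSystem, Milan, Shark) carry DNS as an application-layer C2 protocol, and the techniques table records HEXANE running its own DNS servers to deliver commands in TXT answers. Such a channel leaves a recognisable shape in resolver logs: one client, one registered domain, TXT queries at a steady cadence, and a fresh subdomain label on nearly every query so that caching never short-circuits the round trip. The following added example (not HEXANE tooling or ATT&CK content) scores resolver log lines on exactly those three properties. The log format, client addresses, the example.net/example.com domains and the thresholds are assumptions constructed for the example, and the registered-domain helper deliberately uses a last-two-labels approximation in place of the Public Suffix List.

```python
"""Flag hosts whose DNS traffic looks like a TXT-record command channel of the
kind attributed to HEXANE above (custom DNS servers sending commands in TXT
answers; DNS as the C2 protocol of DanBot, DnsSystem, Milan and Shark). Added
example, not ATT&CK content or HEXANE tooling; the resolver log format and the
sample lines are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")
FMT = "%Y-%m-%dT%H:%M:%SZ"


def registered_domain(qname):
    """Last two labels; a production detector should use the Public Suffix List
    so names under e.g. co.uk group correctly (simplifying assumption here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse(lines, min_txt=6, min_unique_ratio=0.8, max_jitter=0.3):
    """Group TXT queries per (client, registered domain). Alert when the client sent
    at least `min_txt` TXT queries, nearly every query used a fresh subdomain
    (encoded task ids / data, so caching cannot absorb them) and the inter-query
    gaps are regular (stdev/mean <= max_jitter), i.e. a beacon rather than a user."""
    series = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["qtype"].upper() != "TXT":
            continue
        ts = datetime.strptime(m["ts"], FMT)
        series[(m["client"], registered_domain(m["qname"]))].append((ts, m["qname"].lower()))
    alerts = []
    for (client, domain), qs in series.items():
        if len(qs) < min_txt:
            continue
        qs.sort()
        unique_ratio = len({q for _, q in qs}) / len(qs)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(qs, qs[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if unique_ratio >= min_unique_ratio and jitter <= max_jitter:
            alerts.append({"client": client, "domain": domain, "txt_queries": len(qs),
                           "unique_ratio": round(unique_ratio, 2),
                           "mean_gap_s": round(mean_gap, 1), "jitter": round(jitter, 2)})
    return alerts


def _ts(offset):
    return (datetime(2023, 3, 1, 12, 0) + timedelta(seconds=offset)).strftime(FMT)


# Constructed log: 10.0.0.12 beacons roughly once a minute to a fresh hex label under
# example.net; 10.0.0.20 looks up the same DMARC TXT record at irregular times.
BEACON_OFFSETS = [0, 60, 125, 180, 240, 302, 360, 420, 483, 540]
SAMPLE_LOG = (
    [f"{_ts(o)} client=10.0.0.12 qtype=TXT qname={i:02x}a1b2c3d4.updates-cdn.example.net"
     for i, o in enumerate(BEACON_OFFSETS)]
    + [f"{_ts(o)} client=10.0.0.20 qtype=TXT qname=_dmarc.example.com"
       for o in (0, 7, 300, 312, 900, 1800, 1805, 3600)]
    + [f"{_ts(5)} client=10.0.0.20 qtype=A qname=mail.example.com"]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Only the beaconing client is reported; the mail server's repeated _dmarc lookups fail the unique-subdomain test even though they are TXT queries, which is why the three properties are required together rather than alerting on TXT volume alone. Implants that add random sleep jitter push the stdev/mean ratio up, so max_jitter is the knob to loosen at the cost of more false positives from genuinely periodic software.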

References