
G1001 HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE’s TTPs appear similar to APT33 and OilRig, but due to differences in victims and tools it is tracked as a separate entity.[3][4][2][1]

Item Value
ID G1001
Associated Names Lyceum, Siamesekitten, Spirlin
Version 2.3
Created 17 October 2018
Last Modified 14 August 2024

Associated Group Descriptions

Name Description
Lyceum [5]
Siamesekitten [2]
Spirlin [1]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft During HomeLand Justice, threat actors used custom tooling to acquire tokens using ImpersonateLoggedOnUser/SetThreadToken.[11]
enterprise T1087 Account Discovery -
enterprise T1087.003 Email Account During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[9]
enterprise T1098 Account Manipulation -
enterprise T1098.002 Additional Email Delegate Permissions During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[11]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.[5][3][2]
enterprise T1583.002 DNS Server HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.[6]
enterprise T1010 Application Window Discovery HEXANE has used a PowerShell-based keylogging tool to capture the window title.[5]
enterprise T1110 Brute Force HEXANE has used brute force attacks to compromise valid credentials.[5]
enterprise T1110.003 Password Spraying HEXANE has used password spraying attacks to obtain valid credentials.[5]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.[5][8][4]
enterprise T1059.003 Windows Command Shell During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[9][11]
enterprise T1059.005 Visual Basic HEXANE has used a VisualBasic script named MicrosoftUpdator.vbs for execution of a PowerShell keylogger.[4]
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts HEXANE has used compromised accounts to send spearphishing emails.[5]
enterprise T1555 Credentials from Password Stores HEXANE has run cmdkey on victim machines to identify stored credentials.[4]
enterprise T1555.003 Credentials from Web Browsers HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.[4]
enterprise T1486 Data Encrypted for Impact During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[10][9][11]
enterprise T1561 Disk Wipe -
enterprise T1561.002 Disk Structure Wipe During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[9][11]
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[9]
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.[2]
enterprise T1585.002 Email Accounts HEXANE has established email accounts for use in domain registration, including ProtonMail addresses.[4]
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription HEXANE has used WMI event subscriptions for persistence.[4]
enterprise T1041 Exfiltration Over C2 Channel During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[9]
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage HEXANE has used cloud services, including OneDrive, for data exfiltration.[7]
enterprise T1190 Exploit Public-Facing Application For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[9]
enterprise T1589 Gather Victim Identity Information HEXANE has identified specific potential victims at targeted organizations.[2]
enterprise T1589.002 Email Addresses HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.[5][2]
enterprise T1591 Gather Victim Org Information -
enterprise T1591.004 Identify Roles HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.[5][2]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions, including Microsoft Defender Antivirus.[11]
enterprise T1562.002 Disable Windows Event Logging During HomeLand Justice, threat actors deleted Windows event and application logs.[11]
enterprise T1105 Ingress Tool Transfer HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.[4]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging HEXANE has used a PowerShell-based keylogger named kl.ps1.[5][4]
enterprise T1534 Internal Spearphishing HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.[5]
enterprise T1570 Lateral Tool Transfer During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[9]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Resource Name or Location During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[9][10]
enterprise T1046 Network Service Discovery During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[9][11]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation HEXANE has used Base64-encoded scripts.[4]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.[4][5][6]
enterprise T1588.003 Code Signing Certificates During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[9]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[9]
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups HEXANE has run net localgroup to enumerate local groups.[4]
enterprise T1057 Process Discovery HEXANE has enumerated processes on targeted systems.[4]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol HEXANE has used remote desktop sessions for lateral movement.[5]
enterprise T1021.002 SMB/Windows Admin Shares During HomeLand Justice, threat actors used SMB for lateral movement.[9][11]
enterprise T1018 Remote System Discovery HEXANE has used net view to enumerate domain machines.[4]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task HEXANE has used a scheduled task to establish persistence for a keylogger.[4]
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell For HomeLand Justice, threat actors used .aspx webshells named pickers.aspx, error4.aspx, and ClientBin.aspx to maintain persistence.[9][11]
enterprise T1518 Software Discovery HEXANE has enumerated programs installed on an infected machine.[4]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.[2]
enterprise T1082 System Information Discovery HEXANE has collected the hostname of a compromised machine.[4]
enterprise T1016 System Network Configuration Discovery HEXANE has used Ping and tracert for network discovery.[4]
enterprise T1016.001 Internet Connection Discovery HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.[4]
enterprise T1049 System Network Connections Discovery HEXANE has used netstat to monitor connections to specific ports.[4]
enterprise T1033 System Owner/User Discovery HEXANE has run whoami on compromised machines to identify the current user.[4]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File HEXANE has relied on victims executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.[5][3][2][6]
enterprise T1078 Valid Accounts During HomeLand Justice, threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.[9]
enterprise T1078.001 Default Accounts During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[11]
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication HEXANE has used cloud services, including OneDrive, for C2.[7]
enterprise T1047 Windows Management Instrumentation During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[11]

Software

ID Name References Techniques
S0190 BITSAdmin [4] BITS Jobs Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S1149 CHIMNEYSWEEP [10] Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Clipboard Data Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Non-Standard Encoding:Data Encoding Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Execution Guardrails Exfiltration Over C2 Channel File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Obfuscated Files or Information Embedded Payloads:Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Dynamic API Resolution:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Code Signing:Subvert Trust Controls CMSTP:System Binary Proxy Execution System Owner/User Discovery System Shutdown/Reboot Web Service
S1014 DanBot [5] DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Resource Name or Location:Masquerading Encrypted/Encoded File:Obfuscated Files or Information Spearphishing Attachment:Phishing VNC:Remote Services Scheduled Task:Scheduled Task/Job Malicious File:User Execution
S1021 DnsSystem [6] DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Exfiltration Over C2 Channel Ingress Tool Transfer System Owner/User Discovery Malicious File:User Execution
S0363 Empire [5] Bypass User Account Control:Abuse Elevation Control Mechanism SID-History Injection:Access Token Manipulation Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Local Account:Create Account Domain Account:Create Account Windows Service:Create or Modify System Process Keychain:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain or Tenant Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow DLL:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0095 ftp [9] Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0357 Impacket [11] LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Lateral Tool Transfer Network Sniffing NTDS:OS Credential Dumping LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Ccache Files:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0100 ipconfig [2][6] System Network Configuration Discovery
S1020 Kevin [4] DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Junk Data:Data Obfuscation Data Staged Data Transfer Size Limits Windows Management Instrumentation Event Subscription:Event Triggered Execution Exfiltration Over C2 Channel Fallback Channels Hidden Window:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Rename Legitimate Utilities:Masquerading Native API Encrypted/Encoded File:Obfuscated Files or Information Protocol Tunneling System Information Discovery System Network Configuration Discovery Virtualization/Sandbox Evasion
S1015 Milan [4][1] Local Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Data from Local System Local Data Staging:Data Staged Domain Generation Algorithms:Dynamic Resolution File Deletion:Indicator Removal Ingress Tool Transfer Component Object Model:Inter-Process Communication Masquerading Double File Extension:Masquerading Native API Encrypted/Encoded File:Obfuscated Files or Information Protocol Tunneling Query Registry Scheduled Task:Scheduled Task/Job System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0002 Mimikatz [4] SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0104 netstat [4] System Network Connections Discovery
S0097 Ping [2] Remote System Discovery
S0378 PoshC2 [5] Bypass User Account Control:Abuse Elevation Control Mechanism Create Process with Token:Access Token Manipulation Access Token Manipulation Local Account:Account Discovery Domain Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Automated Collection Brute Force Credentials from Password Stores Domain Trust Discovery Windows Management Instrumentation Event Subscription:Event Triggered Execution Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Keylogging:Input Capture Network Service Discovery Network Sniffing LSASS Memory:OS Credential Dumping Password Policy Discovery Local Groups:Permission Groups Discovery Process Injection Proxy System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Credentials In Files:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Windows Management Instrumentation
S0364 RawDisk [9][11] Data Destruction Disk Structure Wipe:Disk Wipe Disk Content Wipe:Disk Wipe
S1150 ROADSWEEP [10] Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Data Encrypted for Impact Internal Defacement:Defacement Deobfuscate/Decode Files or Information Execution Guardrails File and Directory Discovery File Deletion:Indicator Removal Inhibit System Recovery Inter-Process Communication Local Storage Discovery Encrypted/Encoded File:Obfuscated Files or Information Peripheral Device Discovery Service Stop Code Signing:Subvert Trust Controls
S1019 Shark [4][1] Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Data from Local System Data Staged Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Exfiltration Over C2 Channel Fallback Channels File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Resource Name or Location:Masquerading Encrypted/Encoded File:Obfuscated Files or Information Query Registry Scheduled Transfer System Information Discovery System Checks:Virtualization/Sandbox Evasion
S1151 ZeroCleare [9][11] Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Disk Structure Wipe:Disk Wipe Exploitation for Privilege Escalation File Deletion:Indicator Removal Local Storage Discovery Native API Code Signing:Subvert Trust Controls

References

  1. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum? Retrieved June 16, 2022.

  2. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.

  3. Dragos. (n.d.). Hexane. Retrieved October 27, 2019.

  4. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.

  5. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.

  6. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.

  7. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.

  8. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.

  9. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.

  10. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.