Lyceum is an APT group mostly active in the Middle East, targeting the energy and telecommunication sectors. The Gatewatcher purple team analyzed a Lyceum sample to improve the detection of this APT group. The following document describes the packing process and the trojan's communications, and provides Suricata rules to detect it.
1 Packing
Figure 1: Lyceum packing process
1.1 RAR unpacking
The jre-update.exe file is a simple RAR archive, which extracts 2 files into %temp%\RarSFX0:
- a .NET executable file, p54.exe;
- a JPG image, a simple blue square on a black background.
Once extracted, p54.exe is executed and requests an elevation (the UAC prompt shows up), as indicated in its manifest:
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
</requestedPrivileges>
1.2 p54.exe
1.2.1 Obfuscation
This is a .NET executable, with very little obfuscation: the functions and variable names have not been tampered with (Figure 2), but the instruction pointer has been virtualized (Figure 3).
Figure 2: View of p54.exe content: the names have not been obfuscated
Figure 3: Obfuscation of the instruction pointer
Each line of the original source code has been placed in an Action object. All the Action objects are then ordered in an array and executed in array order. Actions can be placed at an arbitrary index in the array (function SetMC) and the execution can jump to any index (function SetC), to simulate an if condition for example.
Figure 4: Depending on the thrd_A._cccc value, the execution jumps to different addresses (switch block)
1.2.2 Extracting data from the JPG file
The JPG file is composed of 3 concatenated parts:
- the JPG image data (7372 bytes);
- the Lyceum payload (1 byte for the XOR key, and 67072 bytes for the file data);
- a Java executable signed by Oracle (1 byte for the key, and 2251520 bytes for the file data).
The 2 exe files are encrypted with a simple XOR, using as key the byte placed before their data. The Lyceum payload is saved as ..\bosst.exe (relative path from p54.exe), and the Java file is saved as ..\tecbo53\<DateTime.Now.Ticks>.exe (also relative to p54.exe). Both of them are executed and p54.exe exits.
It is also worth mentioning that a password-like string is built char by char but never used: “bfTruaqwlyEIR”.
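To carve the two embedded executables out of the JPG using the layout described above, the following Python is an added example (not code from the sample, nor a Gatewatcher tool). It implements the single-byte XOR scheme with the observed sizes as defaults; the function names, the PE-header sanity check and the small constructed blob used for the stand-alone run are this example's own.

```python
"""Carve the two XOR-encrypted PE files appended to the JPG dropped by p54.exe.

Layout (from the analysis above): JPG image data, then, for each embedded
file, one key byte followed by the file data XORed with that key.
Added example; the default sizes are the ones observed in the sample.
"""

JPG_LEN = 7372          # image data
PAYLOAD_LEN = 67072     # Lyceum payload (bosst.exe), after its 1-byte key
JAVA_LEN = 2251520      # legitimate Oracle Java executable, after its 1-byte key


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def carve_payloads(blob: bytes, jpg_len: int = JPG_LEN,
                   payload_len: int = PAYLOAD_LEN,
                   java_len: int = JAVA_LEN) -> dict:
    """Split the concatenated file into its three parts and decrypt the two PEs.

    Returns the raw image bytes, both key bytes, both decrypted executables and
    a flag telling whether each decrypted file starts with the "MZ" PE header
    (a cheap check that the key byte and offsets were read correctly).
    """
    expected = jpg_len + 1 + payload_len + 1 + java_len
    if len(blob) != expected:
        raise ValueError(f"unexpected size {len(blob)}, expected {expected}")

    pos = 0
    image = blob[pos:pos + jpg_len]
    pos += jpg_len

    payload_key = blob[pos]
    payload = xor_decrypt(blob[pos + 1:pos + 1 + payload_len], payload_key)
    pos += 1 + payload_len

    java_key = blob[pos]
    java = xor_decrypt(blob[pos + 1:pos + 1 + java_len], java_key)

    return {
        "image": image,
        "payload_key": payload_key,
        "payload": payload,
        "payload_is_pe": payload[:2] == b"MZ",
        "java_key": java_key,
        "java": java,
        "java_is_pe": java[:2] == b"MZ",
    }


def build_test_blob(image: bytes, payload: bytes, payload_key: int,
                    java: bytes, java_key: int) -> bytes:
    """Assemble a blob in the same layout, to exercise the carver offline."""
    return (image
            + bytes([payload_key]) + xor_decrypt(payload, payload_key)
            + bytes([java_key]) + xor_decrypt(java, java_key))


if __name__ == "__main__":
    # Constructed sample data with small sizes; the real sizes are the defaults above.
    img = b"\xff\xd8\xff\xe0" + b"\x00" * 60
    pe1 = b"MZ" + b"\x90" * 30
    pe2 = b"MZ" + b"\xcc" * 40
    blob = build_test_blob(img, pe1, 0x5A, pe2, 0xA7)
    parts = carve_payloads(blob, jpg_len=len(img), payload_len=len(pe1), java_len=len(pe2))
    print(f"payload key 0x{parts['payload_key']:02x}, PE header ok: {parts['payload_is_pe']}")
    print(f"java key 0x{parts['java_key']:02x}, PE header ok: {parts['java_is_pe']}")
```

Against the real dropped file, call carve_payloads with the defaults and write the "payload" and "java" members to disk; if "payload_is_pe" is False the offsets do not match this variant.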
2 Lyceum payload
The Lyceum payload is also a 64-bit .NET executable, originally named r27358.exe (according to the metadata), also demanding a privilege escalation through the UAC, and with the same obfuscation as the p54.exe packer. It's a simple trojan with basic functionalities: commands are sent in clear text, there is no persistence functionality and no stealth technique is employed. It seems to act as a first stage of infection and can be used to upload further malware to the infected computer.
2.1 C2 server
The Command and Control (C2) server address and port are hardcoded:
Figure 5: Hardcoded C2 information
The C2 IP (185.243.112.136) is an ISP address located in the Netherlands, and the 2 C2 ports were no longer open at the time of this analysis. An SSH server on port 22 has been running according to Shodan (and is still up), with an Ubuntu banner. Shodan also returns the DNS name restrain-plinths.technolgypro.com, but it no longer resolves. This name is confirmed by the following page https://bgp.he.net/net/185.243.112.0/24#_dns:
Figure 6: Table of DNS names associated with the full IP range
There is no indication of the age of the DNS entry (when it was created and when it was removed).
2.2 Network protocol
Port 6500 is used for a custom text protocol, based on request/response pairs initiated by the C2.
The C2 messages follow this format:
- the command number (ASCII);
- a “|” character;
- the command parameters, separated by “|” and encoded in base64.
Each command has its own parameters, but all of them take as first parameter a token, sent back in the response, named adm_token in the code.
The response format (all messages sent by the malware to its C2) follows the same principle:
- each message starts with a “#” character;
- an ASCII integer indicates the type of message (the same as the command number in most cases);
- a “|” character;
- the adm_token from the request;
- a “|”;
- in most cases, the results, base64 encoded and separated by “|” characters when needed. The exact format varies;
- a “#” character ends the message.
The malware sends the first message, of type 1, without adm_token, with a token and the file path as payload, as seen below:
Figure 7: fields of the first message
The commands and their responses are as follows:
- 100000: list a directory's content and get the file sizes;
- 110000: delete a file;
- 120000: create a process (no command line arguments);
- 130000: upload a file to the C2;
- 140000: delete a directory recursively;
- 150000: create a directory;
- 160000: download a file to a location;
- 200000: start a cmd.exe subprocess; its standard output will generate responses with code 210000;
- 220000: close the subprocess;
- 230000: execute a command in the subprocess;
- 300000: list installed software based on the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall;
- 400000: take a screenshot and upload it.
For every query from the C2, the malware responds with a message with the same code. The only exception is the type 210000 message, carrying command output: it can be sent at any time, when the command output arrives (execution in a separate thread).
The upload for the 130000 and 400000 commands (file upload and screenshot) is done over HTTPS on port 6501 (as seen in Figure 5 above), using a parameter named “vic” for the adm_token.
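The text protocol described in this section is simple enough to decode from captured port 6500 traffic, which is useful when triaging a PCAP or writing a Zeek/Suricata-side decoder. The following Python is an added example written for this note, not the malware's code or a Gatewatcher product component. It assumes that the adm_token is echoed in the response exactly as it appeared in the request, that the type-1 message leaves the adm_token slot empty (the field layout of Figure 7 is not reproduced here), and that every later field is base64; the message strings in the demo are constructed.

```python
"""Decode Lyceum C2 messages (port 6500) into structured records.

Added example implementing the text format described above:
  C2 -> victim : <code>|<b64 adm_token>|<b64 param>|...
  victim -> C2 : #<code>|<adm_token>|<b64 result>|...#
Assumptions: adm_token is echoed verbatim in responses; the type-1 message has
an empty adm_token slot; all remaining fields are base64.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import List

# Command numbers and their meaning, from the analysis above.
COMMANDS = {
    1: "initial beacon (token and file path)",
    100000: "list directory",
    110000: "delete file",
    120000: "create process",
    130000: "upload file to C2",
    140000: "delete directory recursively",
    150000: "create directory",
    160000: "download file",
    200000: "start cmd.exe subprocess",
    210000: "cmd.exe output (asynchronous)",
    220000: "close subprocess",
    230000: "execute command in subprocess",
    300000: "list installed software",
    400000: "screenshot",
}


@dataclass
class C2Message:
    direction: str          # "c2->victim" or "victim->c2"
    code: int
    adm_token: str          # kept as transmitted (opaque correlation value)
    fields: List[bytes]     # base64-decoded payload fields
    description: str


def _b64(field_text: str) -> bytes:
    """Decode one base64 field; invalid base64 means the line is not this protocol."""
    try:
        return base64.b64decode(field_text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"field is not base64: {field_text!r}") from exc


def _split(body: str, direction: str) -> C2Message:
    parts = body.split("|")
    if len(parts) < 2 or not parts[0].isdigit():
        raise ValueError("not a Lyceum message")
    code = int(parts[0])
    fields = [_b64(p) for p in parts[2:] if p != ""]
    return C2Message(direction, code, parts[1], fields, COMMANDS.get(code, "unknown"))


def parse_command(line: str) -> C2Message:
    """C2 -> victim: '<code>|<b64 adm_token>|<b64 param>|...'"""
    return _split(line, "c2->victim")


def parse_response(line: str) -> C2Message:
    """victim -> C2: '#<code>|<adm_token>|<b64 result>|...#'"""
    if len(line) < 2 or line[0] != "#" or line[-1] != "#":
        raise ValueError("response must be framed by '#'")
    return _split(line[1:-1], "victim->c2")


def parse_stream(line: str) -> C2Message:
    """Dispatch on framing: responses start with '#', commands with the code."""
    return parse_response(line) if line.startswith("#") else parse_command(line)


if __name__ == "__main__":
    # Constructed messages: token "tok123", command "whoami", output "hello".
    for line in ("#1||dG9rMTIz|QzpcYS5leGU=#",
                 "230000|dG9rMTIz|d2hvYW1p",
                 "#210000|dG9rMTIz|aGVsbG8=#"):
        m = parse_stream(line)
        print(f"{m.direction:12} {m.code:>6} {m.description}: {m.fields}")
```

The decoder deliberately rejects anything that is not well-framed or not valid base64, so it can be run over every payload of a suspect flow without misattributing unrelated traffic to this protocol.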
2.3 TTPs
T1027 (Obfuscated Files or Information)
T1027.002 (Obfuscated Files or Information: Software Packing)
T1012 (Query Registry)
T1059 (Command and Scripting Interpreter)
T1518 (Software Discovery)
T1571 (Non-Standard Port)
3 Detection
3.1 Antivirus signatures
The 3 executable files are detected by VirusTotal as malicious:
Figure 8: VirusTotal analysis score for the initial jre-update.exe file, p54.exe file, and the payload bosst.exe
They are also recognized by Malcore (one of the detection engines inside the Gatewatcher GCENTER product) as Backdoor.MSIL or Backdoor.MSIL.Agent:
Figure 9: Malcore detection
3.2 Network signature
As of 09/01/2022, a single ET Pro Suricata rule (2037018) matches the traffic from Lyceum:
09/01/2022-15:03:51.245758 [**] [1:2037018:1] ET TROJAN Base64 Encoded Windows Command Prompt (Outbound) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.1.2:64449 -> 185.243.112.136:6500
It matched sample commands sent in base64 in our test (commands of type 230000). If this command is not used, the traffic with the C2 is not detected.
We propose the following rule to match the first message sent by the payload to the C2 (type 1), based on its format:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LYCEUM TROJAN First message to C2 server"; flow:established,to_server; content:"|23|1|7c|"; offset:0; depth:3; pcre:"/[a-zA-Z0-9\/+]+={0,2}#/R"; classtype:trojan-activity; sid:1000001; rev:1; metadata:attack_target Client_Endpoint;)
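Before deploying the rule it helps to see exactly what its two conditions accept and reject. The following Python is an added example (not part of the original report) that reproduces the rule's matching logic on raw TCP payloads: the content match "#1|" at offset 0 with depth 3, then the relative (/R) pcre for a base64 run followed by the "#" terminator. The sample payloads are constructed.

```python
"""Offline emulation of the proposed Suricata rule's match conditions.

Added example, not from the original report. It mirrors:
  content:"|23|1|7c|"; offset:0; depth:3   -> payload starts with "#1|"
  pcre:"/[a-zA-Z0-9\/+]+={0,2}#/R"          -> searched from the end of that match
so candidate payloads can be checked against the logic before the rule is deployed.
"""
import re

FIRST_MESSAGE_PREFIX = b"#1|"
# /R makes the search start at the end of the content match but does not anchor it.
BASE64_THEN_HASH = re.compile(rb"[a-zA-Z0-9/+]+={0,2}#")


def rule_matches(payload: bytes) -> bool:
    """Return True when a to_server TCP payload would trigger the rule."""
    if payload[:3] != FIRST_MESSAGE_PREFIX:      # offset:0; depth:3
        return False
    return BASE64_THEN_HASH.search(payload, len(FIRST_MESSAGE_PREFIX)) is not None


def verdicts(payloads) -> dict:
    """Map each payload to the rule's verdict, for a quick regression run."""
    return {p: rule_matches(p) for p in payloads}


if __name__ == "__main__":
    # Constructed payloads: a type-1 first message, a later response, a truncated message.
    for payload, hit in verdicts([
        b"#1||dG9rMTIz|QzpcYS5leGU=#",
        b"#100000|dG9rMTIz|ZGly#",
        b"#1|dG9rMTIz",
    ]).items():
        print(f"{'ALERT ' if hit else 'no    '} {payload!r}")
```

Because the pcre is relative but not anchored, any base64 run ending in "#" anywhere after the "#1|" prefix satisfies it; the specificity of the rule therefore rests mostly on the three-byte prefix, which is why later messages of the same protocol (types 100000 and up) do not match and why the ET Pro rule cited above remains useful for the 230000 commands.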
3.3 IOC
Process: %Temp%\bosst.exe
Network: 185.243.112.136 port 6500 (custom text based protocol) and 6501 (https)
4 Samples metadata
4.1 Jre-updater.exe:
SHA2: 1e6d7fa1c7a17d4bc9fc939132347ed9d4df4628bfcaa7539d757218ed0b87ff
SHA1: d8883fc5c87858c484753fcefa1d4b37032c2fa3
MD5: 3e4a66543f7f858579f153c2c5117b51
PE Timestamp: 06/25/2020 03:38:26 (0x5ef47ea2)
4.2 p54.exe:
SHA2: 6fdeb70b8507ac7510497a48590d3f66e0121025951c47b135aec22db1e1cbdd
SHA1: f09cf6cdb7e759e8203d78061aa4abc650b27119
MD5: cbae69580e563b76518395fc4c987b9d
PE Timestamp: 08/24/2022 08:08:33 (0x63063ef1)
.NET module name: p54
.NET module version: 3.0.3.4
4.3 bosst.exe:
SHA2: d014e31b3d973efbc3f62316e5c59cc92e6c3dd0003f0af511fd40ef30273a0b
SHA1: 95179bfe582fc3f30c27e16f590aa51e7fbe85c5
MD5: f6801f404ed3cf7e242990d4e4b0b6ef
PE Timestamp: 08/24/2022 08:08:33 (0x63063ef1)
.NET module name: r27358
.NET module version: 31.53.858.8
Author: Jérémy BEAUME