ClearSky discovered a new malware sample that it attributes, with medium-high confidence, to the Iranian SiameseKitten (Lyceum) group. The file is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain. This indicates that the attacker controls at least two IP addresses in the same range.
The file was identified as Lyceum software. The group's flagship campaign of the same name has been detected in the past, but its purpose has not been definitively established and the affected platforms were largely unknown.
The bulk of this malicious file is written in C++, with JScript used for some functionality, which points to a threat that operates online. The malware moves and joins files on the local drive, deletes files, and creates new ones in .filelist to facilitate downloading additional files from an external server. The encryption algorithm is XOR with a 128-bit key that stays constant throughout the infection process; a constant XOR key offers no real protection, since a few bytes of known plaintext (such as a file header) are enough to recover it.
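To make the weakness of a constant 128-bit XOR key concrete, the following is an added example written for this page; it is not ClearSky's code, not the malware's own routine, and the key, the stand-in "dropped executable" and the stub offset (0x4E, the conventional position of the DOS stub text in a PE file) are all constructed for the demonstration. It encrypts a fake PE payload with a repeating 16-byte key and then recovers that key using nothing but the well-known DOS stub string as known plaintext.

```python
# Added example (not ClearSky's code and not the malware's own): repeating-key XOR
# with a 16-byte (128-bit) constant key, as the write-up describes, and the
# known-plaintext key recovery that a constant key permits. The key and the
# stand-in "dropped executable" below are constructed for this demonstration.

KEY_LEN = 16  # 128 bits


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key; XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, offset: int,
                key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating XOR key from known plaintext at a known offset.

    Since c[i] = p[i] ^ k[i % key_len], every known plaintext byte yields one
    key byte. A run of key_len known bytes anywhere in the file reveals the
    whole key, so a constant key falls to the first sample an analyst decrypts,
    or to nothing more than a guessed file header.
    """
    key = bytearray(key_len)
    covered = [False] * key_len
    for i, p in enumerate(known_plaintext):
        pos = offset + i
        if pos >= len(ciphertext):
            break
        key[pos % key_len] = ciphertext[pos] ^ p
        covered[pos % key_len] = True
    if not all(covered):
        raise ValueError("known plaintext does not cover every key position")
    return bytes(key)


# Constructed stand-in for a dropped Windows executable. Real PE files start with
# the 'MZ' header (0x40 bytes), a 14-byte DOS stub, and then the well-known stub
# string at offset 0x4E, which makes a convenient known plaintext.
DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00".ljust(0x40, b"\x00")
DOS_STUB_CODE = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\n$"
STUB_OFFSET = len(DOS_HEADER) + len(DOS_STUB_CODE)  # 0x4E
FAKE_PE = DOS_HEADER + DOS_STUB_CODE + DOS_STUB_TEXT + b"PE\x00\x00" + bytes(range(64))

# Constructed key for the demo; it has nothing to do with the real sample's key.
DEMO_KEY = bytes.fromhex("1337deadbeef00112233445566778899")


def demo(key: bytes = DEMO_KEY) -> dict:
    """Encrypt the stand-in payload, then recover the key from the stub text alone."""
    if len(key) != KEY_LEN:
        raise ValueError("demo expects a 128-bit key")
    encrypted = xor_repeating(FAKE_PE, key)
    recovered = recover_key(encrypted, DOS_STUB_TEXT, STUB_OFFSET)
    decrypted = xor_repeating(encrypted, recovered)
    return {
        "recovered_key": recovered.hex(),
        "key_matches": recovered == key,
        "decrypted_ok": decrypted == FAKE_PE,
        "mz_visible": decrypted[:2] == b"MZ",
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the full key coming back from 42 bytes of known plaintext, which is why a constant key is an analysis convenience rather than an obstacle: once one payload is decrypted, every later download from the same campaign can be decrypted with the same 16 bytes, and the key itself becomes a usable indicator.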
The malware spreads through spam e-mail messages carrying a malicious attachment which, once executed, drops an encrypted executable onto the compromised machine. That file downloads additional components and connects to the command and control server to receive specific orders.
This downloader was initially discovered on May 12th, but the campaign appears to be quite recent. We were able to identify more than 300 different IP addresses associated with compromised computers during our investigation. These addresses were located in Europe, the Middle East and Asia, but they were concentrated in a few large ISPs in those regions.