HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]

ID: G1001
Associated Groups: Lyceum, Siamesekitten, Spirlin
Contributors: Dragos Threat Intelligence; Mindaugas Gudzis, BT Security
Version: 2.3
Created: 17 October 2018
Last Modified: 14 August 2024

Associated Group Descriptions

Name Description
Lyceum [5]
Siamesekitten [3]
Spirlin [4]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[7]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

HEXANE has used WMI event subscriptions for persistence.[2]

Enterprise T1555 Credentials from Password Stores

HEXANE has run cmdkey on victim machines to identify stored credentials.[2]

.003 Credentials from Web Browsers

HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[8][6]

Enterprise T1534 Internal Spearphishing

HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.[5]

Enterprise T1190 Exploit Public-Facing Application

For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[8]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.[5][9][2]

During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[8][7]

.003 Command and Scripting Interpreter: Windows Command Shell

During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[8][7]

.005 Command and Scripting Interpreter: Visual Basic

HEXANE has used a VisualBasic script named MicrosoftUpdator.vbs for execution of a PowerShell keylogger.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.[7]

.002 Impair Defenses: Disable Windows Event Logging

During HomeLand Justice, threat actors deleted Windows events and application logs.[7]

Enterprise T1010 Application Window Discovery

HEXANE has used a PowerShell-based keylogging tool to capture the window title.[5]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.[3]

.002 Establish Accounts: Email Accounts

HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[8]

Enterprise T1591 .004 Gather Victim Org Information: Identify Roles

HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.[5][3]

Enterprise T1589 Gather Victim Identity Information

HEXANE has identified specific potential victims at targeted organizations.[3]

.002 Email Addresses

HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.[5][3]

Enterprise T1486 Data Encrypted for Impact

During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[6][8][7]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.[3]

Enterprise T1110 Brute Force

HEXANE has used brute force attacks to compromise valid credentials.[5]

.003 Password Spraying

HEXANE has used password spraying attacks to obtain valid credentials.[5]

Enterprise T1078 .001 Valid Accounts: Default Accounts

During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[7]

Enterprise T1505 .003 Server Software Component: Web Shell

For HomeLand Justice, threat actors used .aspx web shells named pickers.aspx, error4.aspx, and ClientBin.aspx to maintain persistence.[8][7]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

HEXANE has run net localgroup to enumerate local groups.[2]

Enterprise T1570 Lateral Tool Transfer

During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[8]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

HEXANE has used Base64-encoded scripts.[2]

Enterprise T1204 .002 User Execution: Malicious File

HEXANE has relied on victims executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.[5][1][3][10]

Enterprise T1114 .002 Email Collection: Remote Email Collection

During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[8]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[8][7]

Enterprise T1082 System Information Discovery

HEXANE has collected the hostname of a compromised machine.[2]

Enterprise T1033 System Owner/User Discovery

HEXANE has run whoami on compromised machines to identify the current user.[2]

Enterprise T1049 System Network Connections Discovery

HEXANE has used netstat to monitor connections to specific ports.[2]

Enterprise T1016 System Network Configuration Discovery

HEXANE has used Ping and tracert for network discovery.[2]

.001 Internet Connection Discovery

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.[2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

HEXANE has used cloud services, including OneDrive, for C2.[11]

Enterprise T1046 Network Service Discovery

During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[8][7]

Enterprise T1583 .001 Acquire Infrastructure: Domains

HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.[5][1][3]

.002 Acquire Infrastructure: DNS Server

HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.[10]

Enterprise T1588 .002 Obtain Capabilities: Tool

HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.[2][5][10]

During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[8][7]

.003 Obtain Capabilities: Code Signing Certificates

During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[8]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

During HomeLand Justice, threat actors used custom tooling to acquire tokens using ImpersonateLoggedOnUser/SetThreadToken.[7]

Enterprise T1087 .003 Account Discovery: Email Account

During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[8]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

HEXANE has used compromised accounts to send spearphishing emails.[5]

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[7]

Enterprise T1518 Software Discovery

HEXANE has enumerated programs installed on an infected machine.[2]

Enterprise T1105 Ingress Tool Transfer

HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.[2]

During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[7]

Enterprise T1056 .001 Input Capture: Keylogging

HEXANE has used a PowerShell-based keylogger named kl.ps1.[5][2]

Enterprise T1057 Process Discovery

HEXANE has enumerated processes on targeted systems.[2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

HEXANE has used remote desktop sessions for lateral movement.[5]

During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[8][7]

.002 Remote Services: SMB/Windows Admin Shares

During HomeLand Justice, threat actors used SMB for lateral movement.[8][7]

Enterprise T1018 Remote System Discovery

HEXANE has used net view to enumerate domain machines.[2]

Enterprise T1041 Exfiltration Over C2 Channel

During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[8]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HEXANE has used cloud services, including OneDrive, for data exfiltration.[11]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

HEXANE has used a scheduled task to establish persistence for a keylogger.[2]

Software

ID Name References Techniques
S0190 BITSAdmin [2] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S1149 CHIMNEYSWEEP [6] Data from Local System, Modify Registry, Clipboard Data, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, Execution Guardrails, Data Staged: Local Data Staging, Data Encoding: Non-Standard Encoding, File and Directory Discovery, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: CMSTP, System Shutdown/Reboot, System Owner/User Discovery, Web Service, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S1014 DanBot [5] Data from Local System, Masquerading: Match Legitimate Name or Location, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, Indicator Removal: File Deletion, Ingress Tool Transfer, Remote Services: VNC, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task
S1021 DnsSystem [10] Data from Local System, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Data Encoding: Standard Encoding, User Execution: Malicious File, System Owner/User Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel
S0363 Empire [5] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0095 ftp [8] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0357 Impacket [7] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0100 ipconfig [3][10] System Network Configuration Discovery
S1020 Kevin [2] Event Triggered Execution: Windows Management Instrumentation Event Subscription, Data from Local System, Masquerading: Rename System Utilities, Protocol Tunneling, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Transfer Size Limits, Data Staged, Data Obfuscation: Junk Data, Data Encoding: Standard Encoding, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion, Ingress Tool Transfer, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Window
S1015 Milan [2][4] Data from Local System, Masquerading, Masquerading: Double File Extension, Dynamic Resolution: Domain Generation Algorithms, Protocol Tunneling, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Account Discovery: Local Account, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Scheduled Task/Job: Scheduled Task
S0002 Mimikatz [2] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0104 netstat [2] System Network Connections Discovery
S0097 Ping [3] Remote System Discovery
S0378 PoshC2 [5] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Credentials from Password Stores, Proxy, Use Alternate Authentication Material: Pass the Hash, Domain Trust Discovery, Password Policy Discovery, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Brute Force, Unsecured Credentials: Credentials In Files, Exploitation for Privilege Escalation, Permission Groups Discovery: Local Groups, Abuse Elevation Control Mechanism: Bypass User Account Control, System Information Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Automated Collection, Access Token Manipulation: Create Process with Token, Access Token Manipulation, Account Discovery: Local Account, Account Discovery: Domain Account, Input Capture: Keylogging, Process Injection, Exploitation of Remote Services
S0364 RawDisk [8][7] Data Destruction, Disk Wipe: Disk Structure Wipe, Disk Wipe: Disk Content Wipe
S1150 ROADSWEEP [6] Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Execution Guardrails, Data Encrypted for Impact, File and Directory Discovery, Service Stop, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, Defacement: Internal Defacement, System Information Discovery, Inhibit System Recovery, Inter-Process Communication, Subvert Trust Controls: Code Signing
S1019 Shark [2][4] Data from Local System, Masquerading: Match Legitimate Name or Location, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Data Staged, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Exfiltration Over C2 Channel, Scheduled Transfer
S1151 ZeroCleare [8][7] Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Native API, Exploitation for Privilege Escalation, Disk Wipe: Disk Structure Wipe, Indicator Removal: File Deletion, System Information Discovery, Subvert Trust Controls: Code Signing

References