Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsy, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS), alongside other MOIS-affiliated clusters such as OilRig, Agrius, and Scarred Manticore. Cybersecurity researchers have observed the group targeting critical infrastructure organizations while remaining undetected for over a year, demonstrating capabilities comparable to other threat groups. Notably, Lyceum has developed a .NET-based DNS backdoor, which has been used extensively in its recent campaigns.
The Lyceum group has shown sophistication in its operations, using cloud services such as OneDrive for command and control (C2) and data exfiltration. Further analysis of the backdoor revealed that it can perform one of three functions depending on the command received from the C2 server. In addition, the group customized an open-source tool, Dig.Net, to build its .NET-based DNS backdoor, as evidenced by comparing the strings in the backdoor's DigIt() DNS resolver function with the output of the Dig.Net tool.
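A DNS backdoor of the kind described above has to carry its commands and results inside DNS queries and responses, which leaves traffic-shape artifacts that a defender can score without knowing the malware's exact encoding. The following is an added illustration, not code from Zscaler or from the Lyceum malware: a generic heuristic that groups DNS query-log lines by registered domain and scores each domain on indicators typical of DNS-based C2 (many unique subdomains, long high-entropy labels, and a high share of record types that can carry arbitrary payloads). The log format, domain names and thresholds are all constructed assumptions for this example, not Lyceum-specific indicators.

```python
"""Heuristic scoring of DNS query logs for tunnelling-style C2 behaviour.

Added example (not Zscaler's analysis code and not Lyceum's protocol).
Thresholds are assumptions chosen for the constructed sample below; in
production they would be tuned against a baseline of benign traffic.
"""
import math
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample log lines: "<unix_ts> <client_ip> <qtype> <qname>"
# The hex-looking labels under example-cdn.test imitate a beacon that encodes
# data into subdomains; example.com lines imitate ordinary lookups.
SAMPLE_LOG = """\
1714800001 10.0.0.5 A www.example.com
1714800002 10.0.0.5 TXT 4a7b9c2e1f3d8a6b5c4d3e2f1a0b9c8d.updates.example-cdn.test
1714800003 10.0.0.5 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.updates.example-cdn.test
1714800004 10.0.0.5 TXT 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.updates.example-cdn.test
1714800005 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.updates.example-cdn.test
1714800006 10.0.0.7 A mail.example.com
1714800007 10.0.0.5 TXT deadbeefcafebabe0123456789abcdef.updates.example-cdn.test
1714800008 10.0.0.9 AAAA cdn.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

# Record types whose answers can carry arbitrary data and are therefore
# favoured by DNS tunnelling tools (assumed list for this example).
TUNNEL_FRIENDLY_QTYPES = {"TXT", "NULL", "CNAME", "MX"}

# Assumed thresholds; each satisfied indicator adds one point to the score.
DEFAULT_THRESHOLDS = {
    "unique_subdomains": 4,   # distinct subdomains seen under one domain
    "entropy": 3.0,           # mean Shannon entropy (bits/char) of the leftmost label
    "subdomain_len": 20,      # mean length of the subdomain part in characters
    "qtype_fraction": 0.5,    # share of queries using tunnel-friendly record types
}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Naive registered-domain extraction: last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Return (timestamp, client, qtype, qname) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m[1]), m[2], m[3], m[4].rstrip(".").lower()))
    return events


def score_domains(events, thresholds=DEFAULT_THRESHOLDS):
    """Group queries by registered domain and compute per-domain indicators."""
    by_domain = defaultdict(list)
    for _ts, client, qtype, qname in events:
        by_domain[registered_domain(qname)].append((client, qtype, qname))

    results = {}
    for domain, queries in by_domain.items():
        # Subdomain part is everything left of the registered domain.
        subs = [q[:-len(domain)].rstrip(".") for _, _, q in queries]
        nonempty = [s for s in subs if s]
        first_labels = [s.split(".")[0] for s in nonempty]
        avg_entropy = mean(shannon_entropy(l) for l in first_labels) if first_labels else 0.0
        avg_len = mean(len(s) for s in subs) if subs else 0.0
        tunnel_frac = sum(1 for _, qt, _ in queries if qt in TUNNEL_FRIENDLY_QTYPES) / len(queries)

        indicators = {
            "many_unique_subdomains": len(set(nonempty)) >= thresholds["unique_subdomains"],
            "high_label_entropy": avg_entropy >= thresholds["entropy"],
            "long_subdomains": avg_len >= thresholds["subdomain_len"],
            "tunnel_friendly_qtypes": tunnel_frac >= thresholds["qtype_fraction"],
        }
        results[domain] = {
            "queries": len(queries),
            "clients": sorted({c for c, _, _ in queries}),
            "indicators": indicators,
            "score": sum(indicators.values()),
        }
    return results


def flag_suspicious(results, min_score: int = 3):
    """Domains whose indicator score meets the threshold, sorted for stable output."""
    return sorted(d for d, r in results.items() if r["score"] >= min_score)


if __name__ == "__main__":
    scored = score_domains(parse_log(SAMPLE_LOG))
    for domain, r in sorted(scored.items()):
        print(f"{domain}: score={r['score']} queries={r['queries']} clients={r['clients']}")
    print("suspicious:", flag_suspicious(scored))
```

Run against the constructed sample, only `example-cdn.test` is flagged: it satisfies all four indicators, while the ordinary `example.com` lookups satisfy none. A real deployment would replace the naive last-two-labels domain split with a public-suffix list, whitelist known CDN and telemetry domains that legitimately use long random labels, and add per-client query-rate features from the timestamps that this example parses but does not use.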
Recently, Zscaler ThreatLabz observed a new campaign in which Lyceum deployed newly developed and customized .NET-based malware against targets in the Middle East. This malware was found to copy its underlying code from an open-source tool. Moreover, the OilRig group, which may be associated with Lyceum, has developed four new downloaders in the past year, SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, adding to an already extensive arsenal of custom malware. These activities demonstrate the ongoing threat posed by Lyceum and the need for robust cybersecurity measures.
Description last updated: 2024-05-04T19:42:13.472Z