HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]

ID: G1001
Associated Groups: Lyceum, Siamesekitten, Spirlin
Contributors: Dragos Threat Intelligence; Mindaugas Gudzis, BT Security
Version: 2.1
Created: 17 October 2018
Last Modified: 22 March 2023

Associated Group Descriptions

Name Description
Lyceum [5]
Siamesekitten [3]
Spirlin [4]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.[5][1][3]

Enterprise T1583 .002 Acquire Infrastructure: DNS Server

HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.[6]

Enterprise T1010 Application Window Discovery

HEXANE has used a PowerShell-based keylogging tool to capture the window title.[5]

Enterprise T1110 Brute Force

HEXANE has used brute force attacks to compromise valid credentials.[5]

Enterprise T1110 .003 Brute Force: Password Spraying

HEXANE has used password spraying attacks to obtain valid credentials.[5]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.[5][7][2]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

HEXANE has used a Visual Basic script named MicrosoftUpdator.vbs for execution of a PowerShell keylogger.[2]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

HEXANE has used compromised accounts to send spearphishing emails.[5]

Enterprise T1555 Credentials from Password Stores

HEXANE has run cmdkey on victim machines to identify stored credentials.[2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

HEXANE has used a Mimikatz-based tool and a PowerShell script to steal passwords from Google Chrome.[2]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.[3]

Enterprise T1585 .002 Establish Accounts: Email Accounts

HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.[2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

HEXANE has used cloud services, including OneDrive, for data exfiltration.[8]

Enterprise T1589 Gather Victim Identity Information

HEXANE has identified specific potential victims at targeted organizations.[3]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.[5][3]

Enterprise T1591 .004 Gather Victim Org Information: Identify Roles

HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.[5][3]

Enterprise T1105 Ingress Tool Transfer

HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.[2]

Enterprise T1056 .001 Input Capture: Keylogging

HEXANE has used a PowerShell-based keylogger named kl.ps1.[5][2]

Enterprise T1534 Internal Spearphishing

HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.[5]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

HEXANE has used Base64-encoded scripts.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.[2][5][6]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

HEXANE has run net localgroup to enumerate local groups.[2]

Enterprise T1057 Process Discovery

HEXANE has enumerated processes on targeted systems.[2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

HEXANE has used remote desktop sessions for lateral movement.[5]

Enterprise T1018 Remote System Discovery

HEXANE has used net view to enumerate domain machines.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

HEXANE has used a scheduled task to establish persistence for a keylogger.[2]

Enterprise T1518 Software Discovery

HEXANE has enumerated programs installed on an infected machine.[2]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.[3]

Enterprise T1082 System Information Discovery

HEXANE has collected the hostname of a compromised machine.[2]

Enterprise T1016 System Network Configuration Discovery

HEXANE has used Ping and tracert for network discovery.[2]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.[2]

Enterprise T1049 System Network Connections Discovery

HEXANE has used netstat to monitor connections to specific ports.[2]

Enterprise T1033 System Owner/User Discovery

HEXANE has run whoami on compromised machines to identify the current user.[2]

Enterprise T1204 .002 User Execution: Malicious File

HEXANE has relied on victims executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware.[5][1][3][6]

Enterprise T1102 .002 Web Service: Bidirectional Communication

HEXANE has used cloud services, including OneDrive, for C2.[8]

Software

ID Name References Techniques
S0190 BITSAdmin [2] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S1014 DanBot [5] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Remote Services: VNC, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S1021 DnsSystem [6] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Exfiltration Over C2 Channel, Ingress Tool Transfer, System Owner/User Discovery, User Execution: Malicious File
S0363 Empire [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0100 ipconfig [3][6] System Network Configuration Discovery
S1020 Kevin [2] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Junk Data, Data Staged, Data Transfer Size Limits, Exfiltration Over C2 Channel, Fallback Channels, Hide Artifacts: Hidden Window, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Rename System Utilities, Native API, Obfuscated Files or Information, Protocol Tunneling, System Information Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion
S1015 Milan [2][4] Account Discovery: Local Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Staged: Local Data Staging, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Masquerading, Masquerading: Double File Extension, Native API, Obfuscated Files or Information, Protocol Tunneling, Query Registry, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0002 Mimikatz [2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0104 netstat [2] System Network Connections Discovery
S0097 Ping [3] Remote System Discovery
S0378 PoshC2 [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation, Account Discovery: Local Account, Account Discovery: Domain Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Brute Force, Credentials from Password Stores, Domain Trust Discovery, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Input Capture: Keylogging, Network Service Discovery, Network Sniffing, OS Credential Dumping: LSASS Memory, Password Policy Discovery, Permission Groups Discovery: Local Groups, Process Injection, Proxy, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S1019 Shark [2][4] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Staged, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over C2 Channel, Fallback Channels, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Query Registry, Scheduled Transfer, System Information Discovery, Virtualization/Sandbox Evasion: System Checks

References