HEXANE | APT Profile

Description

[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Techniques Used (TTPs)

T1016 — System Network Configuration Discovery (discovery)
T1555 — Credentials from Password Stores (credential-access)
T1027.010 — Command Obfuscation (defense-evasion)
T1589 — Gather Victim Identity Information (reconnaissance)
T1082 — System Information Discovery (discovery)
T1583.001 — Domains (resource-development)
T1110 — Brute Force (credential-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1204.002 — Malicious File (execution)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1585.001 — Social Media Accounts (resource-development)
T1016.001 — Internet Connection Discovery (discovery)
T1546.003 — Windows Management Instrumentation Event Subscription (privilege-escalation, persistence)
T1069.001 — Local Groups (discovery)
T1018 — Remote System Discovery (discovery)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1586.002 — Email Accounts (resource-development)
T1110.003 — Password Spraying (credential-access)
T1102.002 — Bidirectional Communication (command-and-control)
T1588.002 — Tool (resource-development)
T1555.003 — Credentials from Web Browsers (credential-access)
T1059.001 — PowerShell (execution)
T1608.001 — Upload Malware (resource-development)
T1589.002 — Email Addresses (reconnaissance)
T1585.002 — Email Accounts (resource-development)
T1033 — System Owner/User Discovery (discovery)
T1105 — Ingress Tool Transfer (command-and-control)
T1049 — System Network Connections Discovery (discovery)
T1057 — Process Discovery (discovery)
T1056.001 — Keylogging (collection, credential-access)
T1518 — Software Discovery (discovery)
T1059.005 — Visual Basic (execution)
T1010 — Application Window Discovery (discovery)
T1591.004 — Identify Roles (reconnaissance)
T1583.002 — DNS Server (resource-development)
T1534 — Internal Spearphishing (lateral-movement)

Total TTPs: 36

Malware & Tools

Malware: DanBot, DnsSystem, Kevin, Milan, Shark

Tools: BITSAdmin, Empire, Mimikatz, Ping, PoshC2, ipconfig, netstat

← Return to Home ← Back to APT Search