### Abstract 

ClearSky discovered a new malware associated with the Iranian SiameseKitten (Lyceum) group with
medium-high confidence.

The file is downloaded from a domain registered on June 6th, and it communicates with a previously
unknown command and control server whose IP address is adjacent to that of the domain. This
indicates an attacker-controlled at least two IP’s on the same range.

The downloaded file is a reverse shell that impersonates an Adobe update. The group has previously
used this method[1]

The reverse shell is dropped by a parent file signed with a fake Microsoft certificate, along with a lure
PDF document and an executable designed to establish persistence.

There seems to be a shared use of fake Microsoft certificates by a variety of Iranian groups, as
Phosphorus was previously observed using the same method[2].

Additionally, the lure PDF document relates to drone attacks conducted in Iran, resembling a similar
document previously employed by SiameseKitten[3].

The attack scenario

1 research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyberespionage

2 deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools

3 MD5 - 13814a190f61b36aff24d6aa1de56fe2 (File name: ir_drones.docm)

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

1 | P a g e


-----

### TTPs

Reverse Shell File

The reverse shell file's details are as follows:

File Name: viewPDF[.]exe

File Type: Win32 EXE

MD5: 7b4c70526b499e4d7f3d77a47235a67c

SHA-1: 8dbc4d59ba9f5c9b6b49cc9fbdbf8eef8cbdf972

SHA-256: c41265cdf0425d5023db9b42ad58330c9f0e0d187eab7ce77ca09ccf1b1a9414

The file appears to be an Adobe PDF document, using the company's icon and listing it in its details.
An attempt was made by the attackers to avoid detection by registering the file as created on
29.06.2044

Following is the encrypted information relayed to the C&C server:

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

2 | P a g e


-----

After decrypting from base64, the following information is displayed:

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

3 | P a g e


-----

It looks like a reverse shell waiting for instructions from the attacker, downloaded after the parent file
is executed.

Parent File

The parent file’s details are the following:

File Name: irdrones1.exe, viewPDF.scr

File Type: Win32 EXE

MD5: 29b6b195cf0671901b75b7d2ac6814f6

SHA-1: 6745f60a8bf6a960d2617e6387f6748e03e13f7a

SHA-256: 8883bbd14017d0946aefd2c6fbc7b2c9b0b6b2439f96125bf4ae1c3d314a03c7

The file was initially submitted on June 6[th], uploaded from the United Arab Emirates. Its creation date
is registered as 25.06.2020, but the certificate shows 08.06.2022 as the signing date. This also aligns
with common detection avoidance methods:

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

4 | P a g e


-----

Its serial number cannot be verified, as it does not exist, indicating that it was faked to avoid detection.
Checking URLs related to the file shows that it was downloaded from the following domain:

hxxp[://]planet-informer[.]me/pdf/?id=1026&pid=316

The link is active, and the file is functional at the time of writing this report:

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

5 | P a g e


-----

The website’s IP address is 89[.]39[.]149[.]19:

Once the file is downloaded, a C&C server with an adjacent IP address is contacted, 89[.]39[.]149[.]18
using port 6500:

Both addresses belong to the same AS, and the same registry:

As shown in the following screenshots, the PDF File (.pdf) lure document used in this attack
compares to the lure document used during a previously observed attack from March 2022:

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

6 | P a g e


-----

Lure document used during the current attack

Lure document from March 2022

The parent file also downloads verbs.exe, an executable designed to establish persistence using the
infected machine’s Startup folder:

Indicators:

Type Value
md5 29b6b195cf0671901b75b7d2ac6814f6
sha1 6745f60a8bf6a960d2617e6387f6748e03e13f7a
sha256 8883bbd14017d0946aefd2c6fbc7b2c9b0b6b2439f96125bf4ae1c3d314a03c7
md5 77d5ef3b26138baabf52fd14a0625298
sha1 ee2e63037f4a7717da62bb0c2c54b1f618d9df42
sha256 50e643e06c1fd6b334668439c1fb734c9d42707f80af2edbcb0e5541513546fe

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

7 | P a g e

|Type|Value|
|---|---|
|md5|29b6b195cf0671901b75b7d2ac6814f6|
|sha1|6745f60a8bf6a960d2617e6387f6748e03e13f7a|
|sha256|8883bbd14017d0946aefd2c6fbc7b2c9b0b6b2439f96125bf4ae1c3d314a03c7|
|md5|77d5ef3b26138baabf52fd14a0625298|
|sha1|ee2e63037f4a7717da62bb0c2c54b1f618d9df42|
|sha256|50e643e06c1fd6b334668439c1fb734c9d42707f80af2edbcb0e5541513546fe|


-----

md5 b10a50cb12b82bde90124aad3f48180d
sha1 2bafc1d8f996b0f26cb70beafd00d5a0482c96bb
sha256 6d051c8954c7dab8b82f79779c0c630b95a9b8ad80a49658a55e0dfe6e5aba9f
md5 7b4c70526b499e4d7f3d77a47235a67c
sha1 8dbc4d59ba9f5c9b6b49cc9fbdbf8eef8cbdf972
sha256 c41265cdf0425d5023db9b42ad58330c9f0e0d187eab7ce77ca09ccf1b1a9414
domain planet-informer.me
ip-dst 89.39.149[.]18
ip-dst 89.39.149[.]19

Mitre attack patterns:

Boot or Logon Autostart Execution - T1547

Command-Line Interface - T1059

____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

8 | P a g e

|md5|b10a50cb12b82bde90124aad3f48180d|
|---|---|
|sha1|2bafc1d8f996b0f26cb70beafd00d5a0482c96bb|
|sha256|6d051c8954c7dab8b82f79779c0c630b95a9b8ad80a49658a55e0dfe6e5aba9f|
|md5|7b4c70526b499e4d7f3d77a47235a67c|
|sha1|8dbc4d59ba9f5c9b6b49cc9fbdbf8eef8cbdf972|
|sha256|c41265cdf0425d5023db9b42ad58330c9f0e0d187eab7ce77ca09ccf1b1a9414|
|domain|planet-informer.me|
|ip-dst|89.39.149[.]18|
|ip-dst|89.39.149[.]19|


-----

# ClearSky Cyber Security Intelligence Report


____________________________________________________________________________________________________
**[© All rights reserved to ClearSky Cyber Security ltd. 2022                               www.clearskysec.com](http://www.clearskysec.com/)**
**TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction**

9 | P a g e


2022 (C)All rights reserved to ClearSky Security Ltd.

TLP: WHITE - Subject to standard copyright rules, information may be distributed freely, without restriction.


-----