Analyzing Four Diverse Attack Techniques Used by XeGroup
By Brett Raybould – EMEA Solutions Architect, Menlo Security
XeGroup is a prime example of the untold damage that sophisticated threat groups using modern attack techniques can now inflict on organizations.
Known to be active since at least 2013, the Vietnamese cybercriminal outfit, which has been linked to other cybercriminal organizations and state-sponsored hacking groups, has previously stolen more than $30 million from US-based corporations.
However, the techniques that the group leverages to attack its victims are by no means linear, nor predictable.
Over the past decade, XeGroup has been named responsible for a broad range of nefarious campaigns that have included supply chain attacks, the creation of fake websites to deceive users into revealing their personal information, compromised websites and mobile applications with malicious code, and the selling of stolen data on the dark web.
In this article, we will ll explore four diverse attack methods that the group have leveraged since their inception.
#1 – Malicious JavaScript webpage injection
One technique that XeGroup has become renowned for attacks that involve the injection of malicious JavaScript into web pages, with its adversaries successful in exploiting vulnerabilities in Magento e-commerce platforms and Adobe ColdFusion server software.
These activities were first identified back in 2013 when point-of-sale (PoS) systems at retail stores around the world were successfully penetrated with the “Snipr” malware – a credential-stuffing toolkit specifically created for this purpose.
Here, XeGroup stole financial detail directly while also attempting to gain access to corporate networks via phishing emails sent out using spoofed domains associated with legitimate companies such as PayPal and eBay.
This campaign continued all the way through to August 2020 when the attack group was taken down after researchers from security firm, Volexity, released findings about the group to law enforcement agencies globally, ultimately resulting in multiple arrests of group members.
# 2 – Exploiting CVE-2019-18935
Despite this, recent reports from the Cybersecurity and Infrastructure Security Agency (CISA) have suggested that XeGroup is back and actively exploiting CVE-2019-18935.
Specifically, this vulnerability can be used by threat actors to execute arbitrary code remotely on a vulnerable server by exploiting a deserialization vulnerability in the Telerik.Web.UI assembly.
It is estimated that this latest campaign has been underway since August 2021, with CISA having issued an advisory that suggests the group have successfully compromised a US government Internet-facing server running Internet Information Services (IIS).
On examining samples from various reports from CISA, Volexity, and our own telemetry on this, the Menlo Labs team has observed XeGroup’s targeting government agencies, construction organizations, and healthcare entities across our customer base.
#3 – ASPXSPY web shells
ASPXSPY web shells are also prevalent in XeGroup’s attacks.
These are scripts that have been specifically designed to enable threat actors to secure unauthorized access to web servers and carry out further attacks. A simple web application written in C# and ASP.NET., ASPXSPY web shells provide a user interface to connect to a SQL Server database, execute SQL commands, and display the results in a table.
Interestingly, the Menlo Labs team report that a hardcoded User-Agent string is inside those scripts that, when decoded, reads “XeThanh|XeGroups”. The “ismatchagent()” function checks if the user agent matches this pattern, and it will return true if the user agent contains either “XeThanh” or “XeGroups”. If the string is not present in the communications, the web shell returns a fake error page.
#4 – Credit card skimming
Primarily, these web shells have been used to conduct credit card skimming activity – something the Menlo Labs team has observed across our customer base.
The reference to XeGroups is repeated throughout the threat actor code infrastructure, as is reference to “XeThanh”. In fact, in a 2010 sample, we see user XeThanh’s earlier card skimmers where contact information was left.
We analyzed several samples of the credit card skimmers used by this group and noticed that there were minor differences in the evolution of the code, but the overall functionality stayed the same. Through this analysis, however, we were able to retroactively look and find other samples from this group.
Indeed, as far back as 2014, the threat actor was seen creating autoIT scripts that automatically generated emails and a rudimentary credit card validator for stolen credit cards.
Combatting diverse attack methods
In examining the WHOIS history of the threat actor’s sites, the Menlo Labs team was able to uncover email addresses and other identifying information that could be used for attribution. Scouring through mounds of data, we uncovered many instances of the name Joe Nguyen together with the string “XeThanh” across the Internet.
Armed with this information, we diligently began utilizing OSINT tools to maximize data collection, leading to the discovery of additional information. Indeed, we found that Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XeGroup, while the email address xxx.corp@gmail.com is also highly likely to be associated with the group.
XeGroup ultimately remains a low to medium threat level hacking group. However, the fact that it continues to threaten a variety of sectors with a variety of techniques despite significant efforts to dismantle the group is concerning.
Indeed, the group’s use of a combination of increasingly sophisticated attack methods again highlights the importance of organizations advancing their security setups, moving away from an overreliance on outdated detect and remediate solutions and towards technologies capable of stopping 100 percent of attacks in their tracks.
About the Author
Brett Raybould – EMEA Solutions Architect, Menlo Security. Brett is passionate about security and providing solutions to organisations looking to protect their most critical assets. Having worked for over 15 years for various tier 1 vendors who specialise in detection of inbound threats across web and email as well as data loss prevention, Brett joined Menlo Security in 2016 and discovered how isolation provides a new approach to solving the problems that detection-based systems continue to struggle with.