Analyzing Threat Techniques Used By XeGroup

From Lazarus Gang and LockBit to Conti, REvil and XeGroup, there are many organized cybercrime syndicates carrying out a growing array of diverse, coordinated and sophisticated attacks against organizations of all shapes and sizes. 

The latter of these threat actors has captured headlines in recent years. A hacking group believed to be based in Vietnam that has been active since at least 2013, XeGroup has been associated with various attack techniques, including supply chain attacks that inject credit card skimmers into web pages and the creation of fake websites that deceive users into revealing their personal information.

A previous report from cybersecurity research enterprise Volexity suggested that XeGroup is associated with other cyber-criminal organizations, including state-sponsored hacking groups. And to date, it is estimated that the hackers have stolen as much as $30m from US-based corporations, largely through compromising websites and mobile applications with malicious code designed specifically to steal payment card information from unsuspecting victims.

Above all, the group has become known for the range of tactics, techniques and procedures (TTPs) it uses. Here, we take a deep dive into five of them.

Exploiting CVE-2019-18935

According to an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) in March 2023, XeGroup is currently exploiting CVE-2019-18935, a deserialization vulnerability in the Telerik.Web.UI assembly, to execute arbitrary code remotely on a vulnerable server.

Not only has Menlo Labs observed XeGroup targeting government agencies, construction and healthcare across our customer base with this vulnerability, but CISA also confirmed that the group previously compromised a US government internet-facing server running Internet Information Services (IIS) by exploiting it.

ASPXSPY Web Shells

Alongside CVE-2019-18935, XeGroup has also been shown to use ASPXSPY web shells – malicious scripts built to enable threat actors to secure unauthorized access to web servers and carry out further attacks.

The web shell is a simple web application written in C# and ASP.NET. It provides a user interface to connect to a SQL Server database, execute SQL commands and display the results in a table.

Notably, inside the scripts used by XeGroup is a hardcoded User-Agent string that is base64 encoded. When decoded, it reads “XeThanh|XeGroups”. The “ismatchagent()” function then checks if the user agent matches this pattern and returns true if the user agent contains either “XeThanh” or “XeGroups”. If the string is not present in the communications, the web shell returns a fake error page.
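As an added, defender-side example that is not code from the Menlo Labs report or from the web shell itself, the following Python reproduces the User-Agent gate described above and runs it over a few constructed IIS W3C log lines to surface the requests that carried the marker. The field layout in the log header and all hosts, addresses and paths are assumed sample values.

```python
import base64

# The shell stores "XeThanh|XeGroups" base64-encoded and decodes it at runtime;
# encoding it here mirrors that rather than hardcoding a blob.
ENCODED_MARKER = base64.b64encode(b"XeThanh|XeGroups").decode("ascii")

def marker_tokens(encoded: str = ENCODED_MARKER) -> list:
    """Decode the marker as the shell does and split it on '|'."""
    return base64.b64decode(encoded).decode("ascii").split("|")

def is_match_agent(user_agent: str) -> bool:
    """Same test as the shell's ismatchagent(): true if either token is present."""
    return any(token in user_agent for token in marker_tokens())

def scan_iis_log(log_text: str) -> list:
    """Return W3C-format IIS log records whose User-Agent would pass that gate."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header declares the column order
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                       # malformed line: skip, do not crash
        record = dict(zip(fields, parts))
        # IIS writes spaces inside the User-Agent as '+'; undo that before matching.
        user_agent = record.get("cs(User-Agent)", "-").replace("+", " ")
        if is_match_agent(user_agent):
            hits.append(record)
    return hits

# Constructed sample log (hypothetical hosts, IPs and paths), not data from the report.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-03-01 10:00:01 10.0.0.5 GET /default.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2023-03-01 10:00:09 10.0.0.5 POST /app/page.aspx - 443 - 198.51.100.7 Mozilla/5.0+XeThanh 200
2023-03-01 10:00:12 10.0.0.5 POST /app/page.aspx - 443 - 203.0.113.9 curl/8.0 200
"""

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs(User-Agent)"])
```

Because the shell answers with a fake error page to any other User-Agent, a 200 response on an otherwise unremarkable .aspx path paired with one of these tokens is the signal worth alerting on.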

Credit Card Skimming

This reference to XeGroups and XeGroups[.]com is repeated throughout the threat actor’s infrastructure – as is reference to “XeThanh”, the group’s alternative name. Indeed, in a sample from 2010, we can see early card skimmers used by XeThanh where contact information has been left.

In addition to this, the Menlo Labs team has observed credit card skimming activity across our own customer base where the attackers used a malicious web resource loaded from “object[.]fm”. At the time of analysis, this domain was using the nameserver of “XeGroups[.]com”, further strengthening the connection between the card skimmer activity and the DLL reverse shell.

Injection of Malicious JavaScript into Web Pages

One of the most prevalent techniques associated with XeGroup from its earlier years of activity is the injection of malicious JavaScript into web pages. The group uses this method to exploit vulnerabilities in Magento e-commerce platforms, Adobe ColdFusion server software, and the Telerik UI component.

These activities can be traced back to 2013, when XeGroup successfully penetrated point-of-sale systems at retail stores across the globe using its own malware, called “Snipr”, a credential-stuffing toolkit created specifically for this purpose.

Phishing Emails and Spoofed Domains

As well as stealing financial information directly, XeGroup also has a track record for attempting to gain access to corporate networks through the use of phishing emails and spoofed domains impersonating organizations such as PayPal and eBay.

Such activities continued until August 2020, when XeGroup was supposedly taken down after being tracked by Volexity’s researchers, whose findings were reported to law enforcement agencies in multiple countries, leading to the arrest of several key group members.

However, with the CISA report and the findings of the Menlo Labs team, it is clear that despite previous efforts to dismantle XeGroup, it remains a continued threat to various sectors, including government agencies, construction organizations and healthcare providers.