Dec 8, 2021

XE Group exposed for eight years of hacking, credit card theft

Credit card theft
A relatively unknown group of Vietnamese hackers calling themselves ‘XE Group’ has been linked to eight years of for-profit hacking and credit card skimming.
The threat actors are thought to be responsible for the theft of thousands of credit cards per day, mainly from restaurants, non-profit, art, and travel platforms.
The actors use publicly available exploits to compromise externally facing services, most prominently known Telerik UI vulnerabilities, and then install malware that steals credentials and payment information.
A 2020 Malwarebytes report first outlined the group’s activities, but a more in-depth analysis of recent compromises attributed to it was published by Volexity yesterday.
Volexity was able to map the infrastructure used by the XE Group in the last three years and shared all the technical details and IOCs on GitHub.
The researchers were able to find many infected sites carrying the same skimmer thanks to a shared technique for loading the malicious JavaScript snippet.
“The code used to load the malicious JavaScript from this page reveals that the attacker uses an interesting technique: the JavaScript keyword ‘object’ is used to populate the domain value,” the researchers shared in the Volexity report.
These types of breaches are categorized as “Magecart” attacks, which is when a threat actor hacks an eCommerce site to add malicious JavaScript that collects customer and payment information as it is submitted. This stolen information is then uploaded to a remote server to be collected by the attackers.
The long-term success of these attacks depends on how long the injected code can remain on a website without being detected by security products or the site’s operators.
Uploading the sample of this skimmer to VirusTotal returns a 0/57 detection score: none of the engines flags it, which shows that the group’s JavaScript evades antivirus detection entirely and that AV verdicts alone are a weak signal for web skimmers.
Compared to the 2020 version analyzed by Malwarebytes, the new report found the following differences:
All in all, the latest skimmer features subtle improvements over last year’s samples and continues to effectively snatch any form of data that victims enter onto pages that load the malicious JavaScript.
An example of the data stolen by this skimmer from compromised websites is shown in Volexity’s report.
Volexity attributes the XE Group’s activity to Vietnamese threat actors as several of the domain names used for command and control servers are registered to a person in Vietnam.
While domain registration information can be faked, the researchers linked the registrant, Joe Nguyen, to a GitHub repository using the XE avatar created by someone of the same name.
Additionally, the nickname “xethanh” associated with the GitHub repository also had an account on the crdclub[.]su forum, where they offered stolen credit card information.
The researchers found similar accounts on other carding forums such as cybercarders[.]su and cardingforum[.]co, which suggests the actor prefers to sell the cards rather than use them.
“The persona used for the GitHub and carding account, and several of the domains, have a history going back to 2013, which suggests the attacker may have been attempting similar attacks for up to eight years, with only one significant public mention of their activity,” explained Volexity.
Finally, some of the malware files discovered in VirusTotal appear to have been uploaded by Vietnamese users. Threat actors commonly use VirusTotal before launching campaigns to test how well antivirus software can detect their malware.
Defenders can block XE Group attacks using the network indicators Volexity published, or detect the threat using the signatures shared in the same GitHub repository.
Article Categories:
Cybersecurity News