NEUIGKEITEN:
Menlo Security kündigt strategische Partnerschaft mit Google an
Icon Rounded Closed - BRIX Templates

Not your average Joe: An analysis of the XeGroup’s attack techniques

Menlo Labs
|
May 30, 2023

Disclaimer: Menlo Labs has informed the appropriate law enforcement agencies on the intelligence presented in this report.

Executive Summary

XeGroup is a hacking group that has been active since at least 2013. The group is believed to have been involved in various cybercriminal activities. This threat actor uses many different attack techniques including:

  • Supply chain attacks similar to Magecart, that inject credit card skimmers into web pages.
  • Creating fake websites to deceive users into revealing their personal information.
  • Selling stolen data on the dark web.

We assess this group to be a low to medium level threat, going after victims of opportunity.

Intel

XeGroup's tactics, techniques, and procedures (TTPs) have been detailed in a report by Volexity, which suggests that the group may be associated with other cybercriminal organizations and may have links to state-sponsored hacking groups. Previously, they have stolen over $30 million from US-based corporations and compromised multiple websites and mobile applications with malicious code that is designed to steal payment card data from unsuspecting customers.

Recently, CISA has issued a follow-up advisory (AA21-209A) stating that XeGroup actors are still actively exploiting this vulnerability (CVE-2019-18935), and have successfully compromised a US government Internet-facing server running Internet Information Services (IIS). The vulnerability, tracked as CVE-2019-18935, allows an attacker to execute arbitrary code remotely on a vulnerable server by exploiting a deserialization vulnerability in the Telerik.Web.UI assembly. Menlo Labs has observed XeGroups targeting government agencies, construction organizations, healthcare across our customer base.

XeGroup is highly likely to be based in Vietnam and operates under the names "XeThanh" and/or "XeGroup". XeGroup is associated with ASPXSPY web shells, and its infrastructure contains the "XeGroup" naming convention. Multiple domains, including one used for XeGroup’s operations, were registered with the email address xecloud@icloud.com and xemembers@icloud.com. Web shells are scripts that are intentionally designed to be malicious, allowing threat actors to gain unauthorized access to web servers and carry out further attacks. Later in this write up, we will discuss ASPXSPY web shells used by this group, the connection to Xe Groups and how it helped lead us to the nearly full attribution of this group.

Infection Chain

One of the prevalent techniques of this group included the injection of malicious JavaScript into web pages, by exploiting vulnerabilities in Magento e-commerce platforms and Adobe ColdFusion server software, in addition to the Telerik UI component. The group’s activities were first identified in 2013 when they successfully penetrated point-of-sale systems at retail stores around the world through their malware called “Snipr'' (Credential-Stuffing toolkit) which was created specifically for this purpose.

In addition to stealing financial information directly, XeGroup also attempted to gain access to corporate networks via phishing emails sent out using spoofed domains associated with legitimate companies such as PayPal and eBay. This activity continued until August 2020 when XeGroup was supposedly taken down after being tracked by Volexity’s researchers who reported their findings to law enforcement agencies worldwide resulting in multiple arrests across several countries involved with these activities.

However, it now appears that XeGroup is back and active. CISA reports the group is actively exploiting CVE-2019-18935 and possibly has been since August 2021.

Leaving crumbs in the code

The Menlo Labs threat intel team examined samples from various reports including CISA, Volexity, and our own telemetry to find similarities or any associations to assist in threat actor attribution and analysis.

We started by looking at the EXE used post exploitation. XeGroup uploads masqueraded EXE files as PNG files to avoid detection. These EXE files create a aspx file in C:\Windows\Temp and execute it thereby creating a reverse shell that communicates with XeGroups[.]com as shown in the figure1 below:

Fig 1 - EXE analysis. Click for full-size image

XeGroup also uses ASPXSPY web shells in some of their attacks. The web shell is a simple web application written in C# and ASP.NET. It provides a user interface to connect to a SQL Server database, execute SQL commands, and display the results in a table. Notably inside those scripts is a hardcoded User-Agent string. The hardcoded User-Agent string is base64 encoded, when decoded it reads “XeThanh|XeGroups”. The "ismatchagent()" function checks if the user agent matches this pattern, and it will return true if the user agent contains either “XeThanh” or “XeGroups”. If the string is not present in the communications, the web shell returns a fake error page.

Fig 2 - Base64 encoded string

The reference to XeGroups and XeGroups[.]com is repeated through the threat actor code infrastructure and so is the reference to “XeThanh''. In fact, in a sample from 2010 we see XeThanh’s earlier card skimmers where he left contact information.

The skim and the shell

Menlo Labs also observed credit card skimming activity across our customer base where the attackers used a malicious web resource loaded from "object[.]fm". At the time of analysis, this domain was using the nameserver of "XeGroups[.]com". This strengthened the connection between the card skimmer activity and the DLL reverse shell.

We analyzed recent samples of the credit card skimmers used by this group and we noticed that there were minor differences in the evolution of the code but the overall functionality stayed the same. The screenshot below shows the differences observed between the latest code sample that we analyzed vs the samples provided by Volexity and MalwareBytes:

Fig 3 - Credit card skimmer. Click for full-size image

With all of the analysis done above, we were able to retroactively look and find samples from this group. As far back as 2014, the threat actor was seen creating autoIT scripts that automatically generated emails and a rudimentary credit card validator for stolen credit cards. The screenshots below show the threat actor name associated with the scripts created:

Fig 4 - Old XEGroup malware

Analyzing threat actor network infrastructure

Examining the whois history for these sites, yielded email addresses and other identifying information that we then used for attribution.

Fig 5 - Whois records

We started with the ns1.xegroups[.]com and ns2.xegroups[.]com that are associated with joynnguyen@msn[.]com. Scouring through tons of data, we found many instances of the name Joe Nguyen and string "XeThanh" found together all over the Internet. Below is an example of a GitHub code repository where we found this association.

Fig 6 - XeGroup GitHub

Now we will look at the historical record of object[.]fm that was mentioned above in the technical analysis. Five months ago when we inspected the code for the site we noticed a “page title” and a “tag” in the page header referencing “XeThanh”.

Fig 7 - HTML showing XeThanh relationship. Click for full-size image
Fig 8 - Page title search for XeThanh

Using the username XeThanh and the Icon/Font seen there, we use an OSINT tool and find the actor's Instagram and Friend Finder account, which are both using the same profile picture as well.

Fig 9 - Instagram of TA
Fig 10 - Friend Finder for TA

We also observed the same icon from GitHub and name Joe Nguyen on Crowdin, which is a cloud-based localization technology and services company. However, we noticed one small change, the alias XePhanmem instead of XeThanh as seen in the screenshot below.

Fig 11 - TA's Crowdin profile

OSINT TO THE RESCUE

Armed with this information, we diligently began utilizing OSINT tools to maximize data collection, leading to the discovery of additional valuable information. We were also able to identify a unique IP address and password.

In OSINT records for the email joynnguyen@msn[.]com (which was used to register the xegroups[.]com name server) we saw an IP address and a very unique password. We found new email addresses using this exact unique password and following the naming convention this allowed us to pivot further.

  1. Thanh Nguyen (xephanmem@gmail[.]com)
  2. Shares password with joynnguyen@msn[.]co
  3. Uses name”xephanmem” which was used on Crowdin
  4. There is a Google Play Games account using this email
    1. details for "XePhanMem" are as follows:
      1. Player ID: g02444030915105485496
      2. Avatar:
  5. Joe Nguyen (joyn.nguyen@gmail[.]com) is connected to the registrant organization "Xe Group Inc" and the email address dns@xethanh[.]net, both linked to the malicious infrastructure and share the passwords with xegroups@gmail[.]com
  6. The Vietnamese address “28 (redacted)” is associated with multiple accounts using the email xethanh@gmail[.]com and the name Nguyen Huu Tai (that email is also using the name “Hacker Vietnam” according to other OSINT tools). Other accounts are associated with similar addresses, but the majority share the same address (and same phone number)



    Fig 12 - Leaked records associated to TA
  7. The email addresses xecloud@icloud.com, xethanh@gmail[.]com, joyn.nguyen@hotmail.com, and joyn.nguyen@gmail[.]com are all associated with Nguyen Huu Tai according to leaked data.
    1. The email addresses xethanh@gmail[.]com and xephanmem@gmail[.]com are connected to the same IP addresses 168.122.67.64 and 203.162.3.169.
  8. The username xeodin10 is associated with Nguyen Huu Tai and the email address xethanh@gmail[.]com, which is also connected to the Xe Group.
  9. The email address xxx.corp@gmail[.]com is linked to the IP address 203.162.3.169, which is also associated with xethanh@gmail[.]com, an email address already connected to the Xe Group.
    1. The username xethanh is associated with xxx.corp@gmail[.]com, further strengthening the potential link between xxx.corp@gmail[.]com and the group.
  10. The email address xethanh appears in the leaked database with the password of xxx.corp@gmail[.]com, suggesting a potential overlap or sharing of credentials between these two email addresses as well.
    1. Xxx.corp@gmail[.]com is a google account with showing the name: Nguyen Van Phuc with a profile pic https://lh3.googleusercontent.com/a-/ACB-R5TcNMDqEgfikTpkABwmpDfuFH0Ck1SSIpmbHfQn0Q
      1. Also is using the email on Google Play Games
        1. Username : PineWunderkind22829
        2. Player ID : g18181617716882415267
        3. Avatar : https://play-lh.googleusercontent.com/kFNyY-tHFLJsDMYSbK0bqPLXSePk5ExR2jdCCQXpzF8egcgyfce3MAAvksiKyfjtIVur

Based on the provided data, Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XeGroup. Furthermore, the email address xxx.corp@gmail.com is highly likely to be associated with the group, but more concrete evidence would be needed to confirm this connection definitively.

Conclusion

XeGroup, a low to medium threat level hacking group with a history of cybercriminal activities, has resurfaced and is actively exploiting the CVE-2019-18935 vulnerability. Despite previous efforts to dismantle the group, XEGroup remains a continued threat to various sectors, including government agencies, construction organizations, and healthcare providers.

IOC

  • Compromise website
  • hxxps[://]www.emergencylighting[.]com/
  • hxxps[://]www.meiersupply[.]com/
  • hxxps[://]www.onehundred80degrees[.]com/
  • Testing binary by xethanh
  • dfab1097f7d345cad468a5e94d03e41701c602898bb9685457f327db3158dfc7
  • 2010 sample
  • 5395ef75d7a6325306f186ec636edc65191e82fd6ca705c58e4355c9498bca4a
  • 2014 sample
  • 02c48917b15015ddd02738bc1f480f9c6379165618435855030f4c63ce372485
  • ASPXSPY Hashes
  • Ba2109b5a3ccebbc494ee93880b55640539c7d25b85bc12189f0c671ce473771
  • 884c394c7b3eb757ae57050ac2e6a75385a361555e8e4272de1a3cf24746eec7
  • Testing network infrastructure
  • repo.hyperstruct[.]net/mozrepl/1.0/mozrepl.xpi
  • Threat Actor Infrastructure
  • 184.168.104.171
  • Skimmer Infrastructure
  • hivnd[.]com
  • xegroups[.]com
  • Xework[.]com
  • Object[.]fm
  • paycashs[.]com
  • xeadult[.]com

For additional IOCs please visit volexity and CISA.

Disclaimer: Menlo Labs has informed the appropriate law enforcement agencies on the intelligence presented in this report.

linkedin logotwitter/x logofacebook logoSocial share icon via eMail