From Credit Card Skimming to Exploiting Zero-Days
Feb. 4, 2025, 7:21 a.m.
Description
XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has since shifted to targeted information theft in the manufacturing and distribution sectors. It has demonstrated increased sophistication by exploiting previously undocumented vulnerabilities in VeraCore software, including an SQL injection flaw and an upload validation vulnerability. XE Group maintains long-term access to compromised systems, as evidenced by its reactivation of a webshell planted years earlier. Its recent activities include exfiltrating configuration files, performing network reconnaissance, and deploying a Remote Access Trojan via obfuscated PowerShell commands. The group's evolution highlights its adaptability and the growing threat it poses to supply chain security.
Date
Published: Feb. 3, 2025, 8:13 p.m.
Created: Feb. 3, 2025, 8:13 p.m.
Modified: Feb. 4, 2025, 7:21 a.m.
Indicators
c564acd69efa62a5037931090bf70a6506419fdf59ec52f8d1ab0b15d861cc67
ba2109b5a3ccebbc494ee93880b55640539c7d25b85bc12189f0c671ce473771
884c394c7b3eb757ae57050ac2e6a75385a361555e8e4272de1a3cf24746eec7
38b2d52dc471587fb65ef99c64cb3f69470ddfdaa184a256aecb26edeff3553a
322f8cd560d5e10e93af3ea6d3505c8de213f549e6627c3ef4664ed92ba55f56
013ccea1d7fc2aa2d660e900f87a3192f5cb73768710ef2eb9016f81df8e5c70
680b7e8ec8204975c5026bcbaf70f7e9620eacdd7bf72e5476d17266b4a7d316
222.253.102.94
123.20.29.193
171.227.250.249
https://hivnd.com/software/7z.exe
sexadult.com
paycashs.com
object.fm
xework.com
xegroups.com
hivnd.com
Attack Patterns
ASPXTool
ASPXSpy - S0073
Meterpreter
XE Group
T1505.003
T1048
T1135
T1059.001
T1213
T1573
T1574
T1547
T1218
T1082
T1083
T1102
T1046
T1027
T1190
T1090
T1078
CVE-2025-25181
CVE-2024-57968
CVE-2017-9248
CVE-2019-18935
Additional Information
Distribution
Manufacturing