From Credit Card Skimming to Exploiting Zero-Days
Feb. 4, 2025, 7:21 a.m.
Description
XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sectors. They have demonstrated increased sophistication by exploiting previously undocumented vulnerabilities in VeraCore software, including an SQL injection flaw and an upload validation vulnerability. XE Group maintains long-term access to compromised systems, as evidenced by their reactivation of a webshell planted years earlier. Their recent activities involve exfiltrating config files, network reconnaissance, and deploying a Remote Access Trojan using obfuscated PowerShell commands. The group's evolution highlights their adaptability and growing threat to supply chain security.
Tags
Date
- Created: Feb. 3, 2025, 8:13 p.m.
- Published: Feb. 3, 2025, 8:13 p.m.
- Modified: Feb. 4, 2025, 7:21 a.m.
Indicators
- c564acd69efa62a5037931090bf70a6506419fdf59ec52f8d1ab0b15d861cc67
- ba2109b5a3ccebbc494ee93880b55640539c7d25b85bc12189f0c671ce473771
- 884c394c7b3eb757ae57050ac2e6a75385a361555e8e4272de1a3cf24746eec7
- 38b2d52dc471587fb65ef99c64cb3f69470ddfdaa184a256aecb26edeff3553a
- 322f8cd560d5e10e93af3ea6d3505c8de213f549e6627c3ef4664ed92ba55f56
- 013ccea1d7fc2aa2d660e900f87a3192f5cb73768710ef2eb9016f81df8e5c70
- 680b7e8ec8204975c5026bcbaf70f7e9620eacdd7bf72e5476d17266b4a7d316
- 222.253.102.94
- 123.20.29.193
- 171.227.250.249
- https://hivnd.com/software/7z.exe
- sexadult.com
- paycashs.com
- object.fm
- xework.com
- xegroups.com
- hivnd.com
Attack Patterns
- ASPXTool
- ASPXSpy - S0073
- Meterpreter
- XE Group
- T1505.003
- T1048
- T1135
- T1059.001
- T1213
- T1573
- T1574
- T1547
- T1218
- T1082
- T1083
- T1102
- T1046
- T1027
- T1190
- T1090
- T1078
Additional Informations
- Distribution
- Manufacturing