
From Credit Card Skimming to Exploiting Zero-Days

Feb. 4, 2025, 7:21 a.m.

Description

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has since shifted to targeted information theft in the manufacturing and distribution sectors. It has demonstrated increased sophistication by exploiting previously undocumented vulnerabilities in VeraCore software, including an SQL injection flaw and an upload validation vulnerability. XE Group maintains long-term access to compromised systems, as evidenced by its reactivation of a webshell planted years earlier. Its recent activities include exfiltrating configuration files, performing network reconnaissance, and deploying a Remote Access Trojan via obfuscated PowerShell commands. The group's evolution highlights its adaptability and the growing threat it poses to supply chain security.

Date

Published: Feb. 3, 2025, 8:13 p.m.

Created: Feb. 3, 2025, 8:13 p.m.

Modified: Feb. 4, 2025, 7:21 a.m.

Indicators


Attack Patterns

ASPXTool

ASPXSpy - S0073

Meterpreter

XE Group

T1505.003

T1048

T1135

T1059.001

T1213

T1573

T1574

T1547

T1218

T1082

T1083

T1102

T1046

T1027

T1190

T1090

T1078

CVE-2025-25181

CVE-2024-57968

CVE-2017-9248

CVE-2019-18935

Additional Information

Distribution

Manufacturing