CyberSecurity SEE

Analyzing Four Diverse Attack Techniques Utilized by XeGroup

XeGroup, a Vietnamese cybercriminal organization, has been inflicting significant damage on organizations since at least 2013. The group has been linked to other cybercriminal organizations and to state-sponsored hacking groups, and has stolen over $30 million from US-based corporations in the past. Because XeGroup employs a variety of attack techniques, its methods are unpredictable and difficult to defend against.

One of XeGroup’s best-known attack methods is injecting malicious JavaScript into web pages. The group has successfully exploited vulnerabilities in the Magento e-commerce platform and in Adobe ColdFusion server software. In 2013, it used the “Snipr” malware to penetrate point-of-sale (PoS) systems at retail stores worldwide, which allowed it to steal financial information and to attempt access to corporate networks through phishing emails sent from spoofed domains of legitimate companies such as PayPal and eBay. This campaign lasted until August 2020, when the group was taken down following the release of findings by the security firm Volexity.

Despite this setback in 2020, XeGroup has reemerged and is actively exploiting a vulnerability known as CVE-2019-18935, a deserialization vulnerability in the Telerik.Web.UI assembly that allows a threat actor to execute arbitrary code remotely on a vulnerable server. The Cybersecurity and Infrastructure Security Agency (CISA) has reported that XeGroup successfully compromised a US government Internet-facing server running Internet Information Services (IIS). XeGroup is now targeting government agencies, construction organizations, and healthcare entities.

Another attack method employed by XeGroup is the use of ASPXSPY web shells, scripts designed to grant unauthorized access to web servers and enable further attacks. The Menlo Labs team has found that these scripts contain a hardcoded User-Agent check referencing “XeThanh|XeGroups”: if the requesting user agent matches this pattern, the web shell grants access; otherwise, it returns a fake error page.
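The hardcoded User-Agent check is a simple hunting signal for defenders. The following added Python example (not code from the article or from Menlo Labs) parses constructed IIS W3C log entries and flags requests whose User-Agent matches the reported pattern; the case-insensitive match, the field layout and the sample entries are assumptions.

```python
import re
from typing import Dict, List

# Pattern reported in the web shell's User-Agent check; "|" is regex
# alternation, so either token matches. Case-insensitivity is an assumption
# made here for hunting, not a property confirmed for the web shell itself.
XEGROUP_UA = re.compile(r"XeThanh|XeGroups", re.IGNORECASE)

# Constructed sample in IIS W3C extended log format (not real traffic).
# IIS replaces spaces inside the User-Agent with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2023-05-10 09:12:01 GET /index.aspx 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/112.0 200
2023-05-10 09:12:44 POST /images/cache/update.aspx 198.51.100.9 XeThanh 200
2023-05-10 09:13:02 GET /images/cache/update.aspx 192.0.2.21 curl/7.88.1 404
2023-05-10 09:14:17 GET /admin/login.aspx 198.51.100.9 Mozilla/5.0+xegroups+scanner 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) carry no entries
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_hits(text: str) -> List[Dict[str, str]]:
    """Return log entries whose User-Agent matches the XeGroup web shell pattern."""
    return [
        row for row in parse_w3c(text)
        if XEGROUP_UA.search(row.get("cs(User-Agent)", ""))
    ]


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} "
              f"{hit['cs-uri-stem']} UA={hit['cs(User-Agent)']}")
```

On real logs the matching requests, and the .aspx paths they touch, are the first candidates for web shell review; the sample above yields two hits from the same source address.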

XeGroup has primarily used web shells for credit card skimming. The Menlo Labs team has observed the names XeGroups and XeThanh referenced in the threat actor’s code infrastructure. In 2014, XeGroup created AutoIt scripts for generating emails and a basic validator for stolen credit card numbers.

To counter XeGroup’s diverse attack methods, the Menlo Labs team has carried out extensive research and analysis, uncovering email addresses and identifying information that could be used for attribution. They have identified Joe Nguyen and the email address xxx.corp@gmail.com as likely associated with XeGroup. XeGroup remains a low-to-medium threat level hacking group, yet its ability to keep threatening various sectors despite efforts to dismantle it is concerning.

The persistence and evolving tactics of XeGroup underline the need for organizations to strengthen their security posture. Relying on outdated detect-and-remediate solutions is no longer sufficient; organizations need to adopt technologies capable of stopping 100 percent of attacks in order to defend effectively against sophisticated threat groups like XeGroup.

Brett Raybould, an EMEA Solutions Architect at Menlo Security, is passionate about security and providing solutions to organizations seeking to protect their critical assets. With over 15 years of experience in detecting inbound threats across web and email, as well as data loss prevention, Raybould joined Menlo Security in 2016. He emphasizes the importance of isolation as a new approach to solving the problems that detection-based systems often struggle with.
