News

XHunt cybercriminal band attacked Gulf shipping companies

Researchers from the Unit 42 team at Palo Alto Networks discovered a malicious xHunt campaign that attacked transport and shipping organizations operating outside in the Persian Gulf outside of Kuwait. As part of the cyberattacks, the criminals used Trojan malware.

The group was called xHunt, as the developers of malicious tools used the names of characters from the anime series Hunter x Hunter.

The arsenal of criminals includes backdoors Sakabota, Hisoka, Netero and Killua. They use not only the HTTP protocol to communicate with the C & C server, but also email and DNS tunneling. The latter method uses the Microsoft Exchange Web service (EWS) and the stolen credentials to create “draft” emails for communication between the criminal and the malware.

“While DNS tunneling as a C2 channel is fairly common, the specific method in which this group used email to facilitate C2 communications has not been observed by Unit 42 in quite some time. This method uses Exchange Web Services (EWS) and stolen credentials to create email “drafts” to communicate between the actor and the tool. In addition to the aforementioned backdoor tools, we also observed tools referred to as Gon and EYE, which provide the backdoor access and the ability to carry out post-exploitation activities”, — reported researchers from Unit 42.

For the first time, xHunt activity was recorded in May of this year, when a malicious binary file was installed on the network of one of the victims in Kuwait.

It is not established exactly how the cybercriminals compromised the computers, but they managed to install the Hisoka backdoor (version 0.8), which provided the download for additional malware.

Read also: Criminals buy security certificates pretending to be company directors

One of these malware is called Gon and it allows scanning open ports on remote systems, uploading and downloading files, taking screenshots, finding other systems on the network, executing commands, and creating your own Remote Desktop Protocol (RDP) function.

During a malware analysis, researchers found similarities in code with the Sakabota malware tool. Experts suggest that Sakabota is the predecessor of Hisoka, developed by the same author. The Gon backdoor also contains the code used in Sakabota, pointing to a common author.

Attack-related compromise indicators were published in the Unit 42 repository on GitHub.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

1 day ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

1 day ago