
xHunt cybercriminal group attacked Gulf shipping companies

Researchers from the Unit 42 team at Palo Alto Networks discovered a malicious xHunt campaign that attacked transport and shipping organizations operating in the Persian Gulf out of Kuwait. In the course of the attacks, the criminals used Trojan malware.

The group was named xHunt because the developers of the malicious tools used the names of characters from the anime series Hunter x Hunter.

The criminals' arsenal includes the backdoors Sakabota, Hisoka, Netero and Killua. To communicate with the C&C server they use not only HTTP, but also email and DNS tunneling. The email method uses Exchange Web Services (EWS) and stolen credentials to create “draft” emails that serve as the communication channel between the criminal and the malware.

“While DNS tunneling as a C2 channel is fairly common, the specific method in which this group used email to facilitate C2 communications has not been observed by Unit 42 in quite some time. This method uses Exchange Web Services (EWS) and stolen credentials to create email ‘drafts’ to communicate between the actor and the tool. In addition to the aforementioned backdoor tools, we also observed tools referred to as Gon and EYE, which provide the backdoor access and the ability to carry out post-exploitation activities,” reported researchers from Unit 42.
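The DNS tunneling channel mentioned above is one a defender can look for in resolver logs: tunnels typically produce bursts of queries with long, high-entropy subdomains under one registered domain, often using record types (TXT, NULL, CNAME) that carry arbitrary payloads. The script below is an added example written for this article, not code from Unit 42 or from the xHunt tools; the log format, the thresholds and the `c2-placeholder.test` domain are all constructed assumptions, and the domain heuristic uses the last two labels rather than a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the Unit 42 report).
# Each line: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2019-09-23T10:00:01Z 10.0.0.12 A www.example.com
2019-09-23T10:00:02Z 10.0.0.12 A mail.example.com
2019-09-23T10:00:03Z 10.0.0.12 TXT 4a7f9c2e1b3d5e6f8a9b0c1d2e3f4a5b.c2-placeholder.test
2019-09-23T10:00:04Z 10.0.0.12 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-placeholder.test
2019-09-23T10:00:05Z 10.0.0.12 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.test
2019-09-23T10:00:06Z 10.0.0.12 A cdn.example.com
2019-09-23T10:00:07Z 10.0.0.12 TXT 5b4a39281706f5e4d3c2b1a09f8e7d6c.c2-placeholder.test
"""

# Heuristic thresholds; assumed values, tune against your own baseline traffic.
MAX_SUBDOMAIN_LEN = 30
MAX_SUBDOMAIN_ENTROPY = 3.5
DATA_CARRYING_QTYPES = ("TXT", "NULL", "CNAME")


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def score_query(rec):
    """Return the tunnelling indicators that fire for one query (empty list = looks benign)."""
    labels = rec["qname"].rstrip(".").split(".")
    sub = ".".join(labels[:-2])          # everything left of the registered domain
    reasons = []
    if sub and len(sub) > MAX_SUBDOMAIN_LEN:
        reasons.append("long subdomain")
    if sub and shannon_entropy(sub.replace(".", "")) > MAX_SUBDOMAIN_ENTROPY:
        reasons.append("high-entropy subdomain")
    if sub and rec["qtype"] in DATA_CARRYING_QTYPES:
        reasons.append(f"{rec['qtype']} query to subdomain")
    return reasons


def detect_dns_tunneling(log_text, min_flagged=3):
    """Group flagged queries per (client, registered domain); report pairs with >= min_flagged hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_query(rec)
        if reasons:
            hits[(rec["client"], registered_domain(rec["qname"]))].append((rec["qname"], reasons))
    return {key: flagged for key, flagged in hits.items() if len(flagged) >= min_flagged}


if __name__ == "__main__":
    for (client, domain), flagged in detect_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {len(flagged)} suspicious queries")
        for qname, reasons in flagged:
            print(f"  {qname}: {', '.join(reasons)}")
```

Requiring several flagged queries per client/domain pair before alerting keeps a single odd-looking CDN or anti-spam lookup from paging anyone; a real deployment would also whitelist known services that legitimately use long TXT subdomains.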

xHunt activity was first recorded in May of this year, when a malicious binary was installed on the network of one of the victims in Kuwait.

It has not been established exactly how the cybercriminals compromised the computers, but they managed to install the Hisoka backdoor (version 0.8), which was then used to download additional malware.


One of these additional tools is called Gon. It can scan open ports on remote systems, upload and download files, take screenshots, find other systems on the network, execute commands, and set up its own Remote Desktop Protocol (RDP) functionality.

During analysis of the malware, researchers found code similarities with the Sakabota tool. Experts suggest that Sakabota is the predecessor of Hisoka, developed by the same author. The Gon backdoor also contains code used in Sakabota, again pointing to a common author.

Indicators of compromise related to the attack were published in the Unit 42 repository on GitHub.
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
