xHunt Campaign Leverages New Tools Against Shipping FirmsResearchers: Malware Used in Attacks Against Kuwaiti Transportation, Shipping Companies
A hacking group is using new backdoor tools in a campaign targeting shipping and transportation companies in Kuwait, according to a report by researchers with Unit 42, Palo Alto Networks' threat intelligence division.
The xHunt campaign was first detected in May. Through comparative analysis work on the tools being used, the Unit 42 researchers were able to link xHunt to other malicious activity in the region between July and December 2018.
It's not clear, however, what group is behind this malicious activity. The backdoors enable the attackers to monitor what is done on the compromised system and allows them to steal files and other data, according to the report.
The malicious tools used in the xHunt campaign - Hisoka, Sakabota, Netero and Killua - are all names of characters in the anime series "Hunter x Hunter," which formed the researchers' thinking when naming the campaign.
How the Tools Work
The campaign was first observed when Unit 42 researchers detected malicious code installed on a system of an unnamed transportation and shipping company operating in Kuwait. The malware was a variant of the Hisoka backdoor; it was tagged as Version 0.8. Two hours after leveraging Hisoka to gain access to the system, the attackers launched two other malicious tools - Gon and EYE, the researchers report.
The bad actors behind the attack used Gon for a number of tasks, including to search for open ports on remote systems, find other systems on the network, upload and down files, grab screenshots, run commands and create a Remote Desktop Protocol session, according to the researchers.
The cybercriminals used EYE to protect themselves by killing all processes they had created and removing anything that could identify the attackers if a legitimate user logs in while the threat actors are logged into the system through the RDP, the report says.
More Attacks Found
Unit 42 researchers used the data they analyzed from that attack to identify another campaign in June that also targeted a Kuwaiti transportation organization. Between June 18 and 30, the threat actors installed the Hisoka backdoor - Version 0.9 - that contained another filename. Researchers on June 18 saw the file being transferred to another system on the network by the Server Message Block protocol from an internal IT service desk account, and a short time later another file - named "Killua" - was transferred the same way.
Killua "is a simple backdoor that allows an actor to issue commands from a [command-and-control] server to run on the infected system by communicating back and forth using DNS tunneling," the report says. "Based on string comparisons, we believe with high confidence that the same developer created both the Killua and Hisoka tools."
Killua appears to have evolved from Hisoka. On June 30, the researchers saw related activity, although the bad actors used a third-party help desk service to copy the files to another system on the network, beginning with the transfer of another Hisoka v0.9 file and followed soon after by two different Killua files within 30 minutes of each other.
Both versions of Hisoka enable attackers to control an infected system and communicate to a command-and-control channel using either HTTP or DNS tunneling. The 0.9 version, however, also included the ability to use an email-based channel. The email command-and-control capabilities uses Exchange Web Services, creating a legitimate account on an Exchange server and enable the cybercriminals to communicate with Hisoka. The report says that "the malware attempts to log into an Exchange server using supplied credentials and uses EWS to send and receive emails in order to establish communications between the target and the actor."
Unlike previous emailed-based command-and-control channels that have been detected in other campaigns, this channel creates emails drafts to enable the Hisoka tool and bad actor to exchange data. Using email drafts and the same legitimate Exchange account to communicate means there are not incoming or outgoing emails that can be detected.
"One of the goals of any attack campaign is to remain undetected for as long as possible," Brittany Ash, a Unit 42 threat intelligence analyst, tells Information Security Media Group. "Using a [command-and-control] communications method and/or tools that have not yet been broadly observed can help achieve this goal. Custom tooling may also indicate that the operators may have access to their own development team."
Links with Sakabota
The researchers were able to link Hisoka with another tool, named Sakabota, which was first seen around July 2018. They analyzed dozens of samples to find two separate campaigns - one in mid- to late 2018 using Sakabota and the other this year using Hisoka - and determined Sakabota was the predecessor of Hisoka and the foundation for all of the tools used in these campaigns.
"Identifying the overlap between Hisoka and Sakabota leads us to a few possible conclusions: These are the same actors; the developer of Hisoka had access to the codebase of Sakabota; or this malware was developed by the same person or set of individuals," Ash says. "In any case, there is a relationship with the Sakabota-related activity."
There also are possible links between Sakabota and Hisoka and other attacks, OilRig campaigns and DNS hijacking infrastructure, according to the report. "The infrastructure overlaps involve shared domain resolutions, but the timing of many of these resolutions are far enough apart to indicate a potential change in actors using the infrastructure," the report says, adding that the IBM’s X-Force IRIS unit also noted the overlap.
OilRig started its campaign in the Middle East but expanded globally, stealing 13,000 credentials over three years, according to security researchers. The advanced persistent threat group, which some U.S. government agencies link to Iran, continued its activities even after the doxing of its targets and tools in March.