The ‘XE Group,’ a relatively obscure gang of Vietnamese hackers, has been tied to commercial hacking and credit card skimming for eight years. The threat actors are suspected of stealing thousands of credit cards each day, mostly from restaurants, non-profit organizations, art galleries, and travel websites.
The actors compromise externally-facing services using publicly available exploits, most notably for Telerik UI vulnerabilities, and then install malware that steals passwords and payment information. The group’s operations were first detailed in a 2020 Malwarebytes report, but Volexity has now provided a more in-depth study of recent breaches attributed to them.
Additionally, the persona behind the GitHub repository, “xethanh,” also held an account on the crdclub[.]su forum, where they sold stolen credit card information. Similar accounts were discovered on other carding communities, such as cybercarders[.]su and cardingforum[.]co, indicating that the actor prefers to sell the cards rather than use them directly.
Volexity explains that “The persona used for the GitHub and carding account, and several of the domains, have a history going back to 2013, which suggests the attacker may have been attempting similar attacks for up to eight years, with only one significant public mention of their activity.”
Finally, it appears that individuals in Vietnam uploaded some of the malicious files found on VirusTotal. Before launching a campaign, threat actors commonly submit their malware to VirusTotal to check how well antivirus products detect it. Defenders can use the published network indicators to block XE Group infrastructure, or the accompanying signatures to detect the threat on their own systems.