Since its emergence, xHunt campaign threat actors have been continuously attacking Kuwaiti organizations, mostly by targeting Microsoft Exchange servers.
What’s new in the report?
Recently, Palo Alto Unit 42 researchers published a report related to an investigation of the campaign that started in September and uses several new attack tactics.
- According to the report, the group associated with the xHunt campaign has been using a new webshell called BumbleBee to upload and download files to and from the compromised Exchange server.
- In addition, the threat actors have been using the BumbleBee webshell to run commands to discover additional systems and move laterally to other servers on the network.
- The BumbleBee webshell has been hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server and two internal IIS web servers at two other Kuwaiti organizations.
- The threat actors could interact directly with the BumbleBee webshell on the compromised Exchange server by using VPNs provided by Private Internet Access, Inc. SSH tunnels were in use for indirect interaction.
- The threat actors IP addresses appeared to be from different countries, to evade detection and complicate the analysis of malicious activities for defenders.
- The threat actors used different OS and browsers, specifically Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1, or Linux systems. This implies that they had access to multiple systems, making analysis even more difficult.
From the previous report
Earlier in November, the researchers established the involvement of two backdoors named TriFive and Snugy (a variant of CASHY200) as well as the BumbleBee webshell.
The xHunt campaign gang has been continuously making efforts and using their skills to evade detection for a long duration. Therefore, experts recommend organizations make continuous efforts and investments to ensure robust security against such threats.