Overview
Researchers at Palo Alto Networks’ Unit 42 recently came across a campaign that targets transportation and shipping firms operating out of Kuwait in the Persian Gulf.
The malicious campaign uses previously unknown tools and has been active since at least May 2019. The threat intelligence experts also suspect the attack may be connected to incidents that occurred last year, between July and December 2018.
These cyber-assaults come amid heightened tensions in the Middle East, which has recently witnessed attacks on tankers and an oil refinery.
Blast from the past
The earlier attacks used a tool called Sakabota, which researchers identify as a previous version of Hisoka. “Our analysis of the two campaigns revealed that Sakabota is the predecessor to Hisoka, which was first observed in May 2019,” said Palo Alto Networks researchers in an advisory.
The analysis revealed that the Hisoka tool shares a major portion of its code with Sakabota, which led the team to believe that Hisoka evolved from Sakabota’s codebase.
“The number of functions and variable names are the same in both Sakabota and Hisoka, which infers that the same developer created both and spent little effort trying to hide this lineage,” read the advisory.
The 2018 attacks were reported by IBM’s X-Force IRIS security group as well.
The recent story
The campaign has been dubbed xHunt because both tool names (Hisoka and Sakabota) are derived from the Japanese anime series Hunter x Hunter.
Indicators of Compromise
All indicators associated with these activities can be found in the GitHub repository here.