A relatively unknown group of Vietnamese hackers calling themselves ‘XE Group’ has been linked to eight years of for-profit hacking and credit card skimming.
The threat actors are thought to be responsible for the theft of thousands of credit cards per day, mainly from restaurants, non-profit, art, and travel platforms.
The actors use publicly available exploits to compromise externally-facing services, most prominently Telerik UI flaws, to install malware that steals credentials and payment information.
A 2020 Malwarebytes report first outlined the group’s activities, but a more in-depth analysis of recent compromises attributed to it was published by Volexity yesterday.
Volexity was able to map the infrastructure used by the XE Group in the last three years and shared all the technical details and IOCs on GitHub.
The researchers were able to find many infected sites carrying the same skimmer thanks to a common technique for loading the malicious JavaScript snippets.
“The code used to load the malicious JavaScript from this page reveals that the attacker uses an interesting technique: the JavaScript keyword ‘object’ is used to populate the domain value,” the researchers shared in the Volexity report.
These types of breaches are categorized as “Magecart” attacks, which is when a threat actor hacks an eCommerce site to add malicious JavaScript that collects customer and payment information as it is submitted. This stolen information is then uploaded to a remote server to be collected by the attackers.
The long-term success of these attacks depends on how well they can remain hidden on a website without being detected by security products.
Uploading the sample of this skimmer to VirusTotal returns a perfect 0/57 detection score, meaning this group’s JavaScript is very stealthy against AV detection.
Compared to the 2020 version analyzed by Malwarebytes, the new report found the following differences:
All in all, the latest skimmer features subtle improvements over last year’s samples and continues to effectively snatch any form of data that victims enter onto pages that load the malicious JavaScript.
An example of the data stolen from these websites is:
Volexity attributes the XE Group’s activity to Vietnamese threat actors as several of the domain names used for command and control servers are registered to a person in Vietnam.
While domain registration information can be faked, the researchers linked the registrant, Joe Nguyen, to a GitHub repository using the XE avatar created by someone of the same name.
Additionally, the nickname “xethanh” associated with the GitHub repository also had an account on the crdclub[.]su forum where they offered stolen credit card information.
The researchers found similar accounts on other carding forums such as cybercarders[.]su and cardingforum[.]co, suggesting the actor prefers selling the cards rather than using them.
“The persona used for the GitHub and carding account, and several of the domains, have a history going back to 2013, which suggests the attacker may have been attempting similar attacks for up to eight years, with only one significant public mention of their activity,” explained Volexity.
Finally, some of the malware files discovered in VirusTotal appear to have been uploaded by Vietnamese users. Threat actors commonly use VirusTotal before launching campaigns to test how well antivirus software can detect their malware.
Defenders can block XE Group attacks using the provided network indicators or detect the threat using these signatures.