Since its emergence, the threat actors behind the xHunt campaign have persistently attacked organizations in Kuwait by targeting their Microsoft Exchange servers.
Researchers have recently published a report detailing their investigation of the campaign activity that started in September and used several new attack tactics.
- According to researchers, a new webshell called BumbleBee was used by the group associated with the xHunt campaign to upload and download files to and from the compromised Exchange server.
- The threat actors have also been using the BumbleBee webshell to run commands to discover additional systems and move laterally to other servers on the network.
- At two Kuwaiti organizations, the BumbleBee webshell was hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server and two internal IIS web servers.
- By using VPNs provided by Private Internet Access, Inc., the threat actors could interact directly with the BumbleBee webshell on the compromised Exchange server, while SSH tunnels were in use for indirect interaction.
The IP addresses used by the threat actors appeared to be from different countries, which helps evade detection and complicates the analysis of malicious activity for defenders. Different operating systems and browsers were used, such as Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1, or Linux systems. This indicates that the actors had access to multiple systems and rotated between them to evade detection.
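As an added defensive example (not code from the report or from eScan), the following Python script turns the observation above into a hunt over IIS W3C logs: it flags URL paths on the Exchange or IIS server that are requested from many distinct client IPs using many distinct user agents, a pattern consistent with operators rotating VPN exit points and browsers against a single webshell. The log lines, the path names and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not taken from the xHunt report). Field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-09-12 08:01:10 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 200
2020-09-12 08:02:33 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/80.0 302
2020-09-12 08:05:41 10.0.0.5 POST /aspnet_client/unknown.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.3)+Chrome/85.0 200
2020-09-12 08:07:12 10.0.0.5 POST /aspnet_client/unknown.aspx - 443 - 192.0.2.44 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/80.0 200
2020-09-12 08:09:55 10.0.0.5 POST /aspnet_client/unknown.aspx - 443 - 203.0.113.99 Mozilla/5.0+(Windows+NT+10.0)+Chrome/85.0 200
"""


def parse_iis_log(text):
    """Yield (uri_stem, client_ip, user_agent) for each data line; '#' directives are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 11:
            continue  # malformed line: skip it rather than abort the whole hunt
        yield fields[4], fields[8], fields[9]


def find_diverse_paths(records, min_clients=3, min_agents=3):
    """Return {uri_stem: (requests, distinct_ips, distinct_agents)} for paths whose
    callers are unusually diverse in both source IP and user agent (thresholds are constructed)."""
    stats = defaultdict(lambda: [0, set(), set()])
    for uri, ip, ua in records:
        entry = stats[uri]
        entry[0] += 1
        entry[1].add(ip)
        entry[2].add(ua)
    return {
        uri: (n, len(ips), len(uas))
        for uri, (n, ips, uas) in stats.items()
        if len(ips) >= min_clients and len(uas) >= min_agents
    }


if __name__ == "__main__":
    for uri, (n, ips, uas) in find_diverse_paths(parse_iis_log(SAMPLE_IIS_LOG)).items():
        print(f"{uri}: {n} requests from {ips} IPs with {uas} user agents")
```

On real logs, tune the thresholds per server and compare flagged paths against the known file inventory of the IIS site; a path that is rarely requested overall yet hit from many IP/agent combinations deserves a look at the file on disk.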
Last November, the same set of researchers established the involvement of two backdoors named TriFive and Snugy (a variant of CASHY200) as well as the BumbleBee webshell.
The xHunt campaign group has continuously put effort and skill into evading detection over a long period. Hence our internal experts recommend that organizations make continuous efforts and investments to ensure robust security against such threats.
To read more, please check eScan Blog