'xHunt' Campaign Targets Kuwait Transportation and Shipping Sector

A campaign targeting transportation and shipping organizations based in Kuwait was observed employing previously undocumented tools, Palo Alto Networks reports.

Carried out between May and June 2019 and dubbed xHunt, the campaign leveraged tools created by the same developer, and Palo Alto Networks’ security researchers managed to track some of them back to July 2018.

As part of the attacks, the threat actor used backdoors referred to as Sakabota, Hisoka, Netero and Killua, which use HTTP for their command and control (C&C) channels, with some variants employing DNS tunneling or email for C&C communication.

Particular to this campaign was the use of a specific DNS tunneling method that leverages Exchange Web Services (EWS) and stolen credentials to create email “drafts” through which the attackers and the tool exchange messages.
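As an added detection sketch (not from the Palo Alto Networks report or this article), the following Python flags mailboxes whose Drafts folder shows repeated create-then-delete churn from a single client identifier with nothing ever sent, the trace a draft-based channel over EWS like the one described above would leave in mailbox audit records; the log format, the sample lines and the client strings are constructed for the example, not real Exchange output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified mailbox-audit style (not real logs):
# <ISO timestamp> <mailbox> <client-string> <operation> <folder>
SAMPLE_LOG = """\
2019-05-19T10:00:01Z alice@corp.test Outlook/16.0 Create Drafts
2019-05-19T10:03:10Z alice@corp.test Outlook/16.0 SendAs Drafts
2019-05-19T10:05:00Z bob@corp.test ExchangeServicesClient/15.0 Create Drafts
2019-05-19T10:05:06Z bob@corp.test ExchangeServicesClient/15.0 HardDelete Drafts
2019-05-19T10:05:12Z bob@corp.test ExchangeServicesClient/15.0 Create Drafts
2019-05-19T10:05:18Z bob@corp.test ExchangeServicesClient/15.0 HardDelete Drafts
2019-05-19T10:05:25Z bob@corp.test ExchangeServicesClient/15.0 Create Drafts
2019-05-19T10:05:31Z bob@corp.test ExchangeServicesClient/15.0 HardDelete Drafts
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (timestamp, mailbox, client, operation, folder) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, mailbox, client, op, folder = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), mailbox, client, op, folder

def find_draft_churn(log, window=timedelta(minutes=10), min_cycles=3):
    """Return mailboxes with >= min_cycles draft create/delete pairs inside `window`
    and no send in between: the draft-as-C2-mailbox pattern, not normal drafting."""
    events = defaultdict(list)
    for ts, mailbox, client, op, folder in parse(log):
        if folder == "Drafts":
            events[(mailbox, client)].append((ts, op))
    hits = {}
    for (mailbox, client), evs in events.items():
        evs.sort()
        cycles = 0
        pending = None  # timestamp of a Create not yet matched by a delete
        for ts, op in evs:
            if op == "Create":
                pending = ts
            elif op in ("SendAs", "Send"):
                pending = None  # the draft became real mail: not the C2 pattern
            elif op in ("HardDelete", "SoftDelete") and pending is not None and ts - pending <= window:
                cycles += 1
                pending = None
        if cycles >= min_cycles:
            hits[mailbox] = {"client": client, "cycles": cycles}
    return hits
```

Thresholds are deliberately conservative; tune `window` and `min_cycles` against a baseline of the environment's normal draft activity before alerting on the result.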

In addition to these backdoors, the threat actor employed tools referred to as Gon and EYE, which also provide backdoor access to the infected systems.

The researchers were able to identify related activity that targeted Kuwait between July and December 2018. Although no direct infrastructure overlap was observed, “historical analysis shows that the 2018 and 2019 activities are likely related,” the security researchers say.

As part of an attack on May 19, the threat actor deployed Gon and EYE within two hours after gaining initial access via Hisoka, which allows attackers to remotely control the infected systems. The researchers have identified two versions of Hisoka, both containing the same functionality.

Through Gon, the attackers can “scan for open ports on remote systems, upload and download files, take screenshots, find other systems on the network, run commands on remote systems and create a Remote Des ..