XeGroup is a long-running threat actor whose re-emergence involves opportunistic operations such as credit-card skimming, fake websites, and the sale of stolen data on the dark web. The group exploits public-facing applications (notably CVE-2019-18935, a deserialization flaw in Telerik UI for ASP.NET AJAX running on IIS servers), deploys ASPXSPY web shells, and uses masqueraded binaries and OSINT-linked infrastructure, with attribution tying the activity to Vietnam-based entities known as XeThanh/XeGroup. #XeGroup #XeThanh #ASPXSPY #CVE-2019-18935 #Magecart #ObjectFM
Keypoints
- XeGroup has been active since 2013 and engages in credit-card skimming, fake websites, and selling stolen data.
- They use Magecart-style website compromises (commonly classed as supply-chain attacks) to inject credit-card skimmers into checkout pages.
- ASPXSPY web shells are used for persistent access and to interface with SQL Server databases; the shells carry a hardcoded User-Agent (“XeThanh|XeGroups”) stored base64-encoded in the shell source.
- The group targets government, construction, and healthcare sectors, with a notable focus on exploiting CVE-2019-18935 in Telerik UI for ASP.NET AJAX to compromise IIS servers.
- OSINT tracing links the actor to Vietnamese individuals (e.g., Nguyen Huu Tai) and multiple online identities across GitHub, Crowdin, Instagram, and email domains.
- Infrastructure connections tie the skimmer activity to domains like XeGroups.com and Object.fm, supporting attribution across samples from 2010–2021.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Deserialization vulnerability in Telerik.Web.UI (Telerik UI for ASP.NET AJAX) exploited to execute code on IIS; “CISA has issued … CVE-2019-18935, … deserialization vulnerability in the Telerik.Web.UI assembly.”
- [T1505.003] Server Software Component: Web Shell (the page cites the retired ID T1100) – Deployment of ASPXSPY web shells that provide a UI to connect to SQL Server, execute commands, and display results; “ASPXSPY web shells … provide a user interface to connect to a SQL Server database, execute SQL commands, and display the results in a table.”
- [T1195] Supply Chain Compromise – Attacks resemble Magecart in style, injecting credit-card skimmers into web pages; “Supply chain attacks similar to Magecart, that inject credit card skimmers into web pages.”
- [T1027] Obfuscated Files and Information – A base64-encoded, hardcoded User-Agent in the web shell, plus EXE files masqueraded as PNG files to avoid detection (the latter is, strictly, T1036 Masquerading; the page maps it to T1027); “masqueraded EXE files as PNG files to avoid detection” and “hardcoded User-Agent string is base64 encoded.”
- [T1059] Command and Scripting Interpreter – The PNG-masquerading EXE creates a reverse shell that communicates with XeGroups.com; “creates a reverse shell that communicates with XeGroups[.]com.”
- [T1566.001] Phishing: Spearphishing Attachment – Phishing emails with spoofed domains impersonating legitimate companies (e.g., PayPal, eBay) to gain access to networks; “…phishing emails sent out using spoofed domains associated with legitimate companies such as PayPal and eBay.”
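The three observables above (the hardcoded User-Agent, the Telerik handler abuse, and EXE-as-PNG masquerading) are all cheap to hunt for. The following is an added example, not code from this page or from the research it summarizes: a small Python hunt script that derives the base64 form of the User-Agent, scans IIS W3C log lines and an ASPX snippet for it, and checks .png files under a web root for a PE header. The IIS field order, the sample log lines, the ASPX snippet and the temporary web root are constructed for the example; the RadAsyncUpload fingerprint (a POST to Telerik.Web.UI.WebResource.axd with the query type=rau) comes from the public CVE-2019-18935 description, not from this page.

```python
import base64
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Plaintext User-Agent named on the page; ASPXSPY stores it base64-encoded.
XEGROUP_UA = "XeThanh|XeGroups"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Assumption (from public CVE-2019-18935 write-ups, not this page): exploitation goes
# through the RadAsyncUpload handler, i.e. a POST to Telerik.Web.UI.WebResource.axd
# with the query string type=rau.
TELERIK_HANDLER = re.compile(r"Telerik\.Web\.UI\.WebResource\.axd", re.IGNORECASE)
TELERIK_RAU_QUERY = re.compile(r"(^|[?&])type=rau(&|$)", re.IGNORECASE)


def encoded_ua() -> str:
    """Base64 form of the hardcoded User-Agent, as it would sit in ASPXSPY source."""
    return base64.b64encode(XEGROUP_UA.encode()).decode()


def scan_iis_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, reason) for IIS W3C log lines that carry either indicator.

    Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query ...
    cs(User-Agent) ...; IIS writes '+' for spaces in the User-Agent and keeps '|'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#"):  # W3C directive/header lines
            continue
        fields = line.split(" ")
        if XEGROUP_UA in line:
            hits.append((n, "aspxspy-user-agent"))
        if (len(fields) > 5 and fields[3].upper() == "POST"
                and TELERIK_HANDLER.search(fields[4])
                and TELERIK_RAU_QUERY.search(fields[5])):
            hits.append((n, "telerik-rau-post"))
    return hits


def scan_aspx_source(text: str) -> List[str]:
    """Flag ASPX source that embeds the User-Agent either base64-encoded or in clear."""
    findings = []
    if encoded_ua() in text:
        findings.append("base64-user-agent")
    if XEGROUP_UA in text:
        findings.append("plaintext-user-agent")
    return findings


def masquerade_verdict(name: str, header: bytes) -> Optional[str]:
    """Compare a file's extension with its magic bytes; a PE ('MZ') under .png is the trick here."""
    if not name.lower().endswith(".png"):
        return None
    if header.startswith(b"MZ"):
        return "pe-masquerading-as-png"
    if not header.startswith(PNG_MAGIC):
        return "png-extension-wrong-magic"
    return None


def scan_dir_for_masquerade(root: Path) -> List[Tuple[str, str]]:
    """Walk a web root and report .png files whose header is not PNG."""
    results = []
    for p in sorted(root.rglob("*.png")):
        with p.open("rb") as fh:
            verdict = masquerade_verdict(p.name, fh.read(8))
        if verdict:
            results.append((p.name, verdict))
    return results


# Constructed sample data (documentation IP ranges; not real log lines from the report).
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2021-03-02 10:15:01 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 Mozilla/5.0 200",
    "2021-03-02 10:15:09 10.0.0.5 GET /images/login.aspx - 443 - 203.0.113.7 XeThanh|XeGroups 200",
    "2021-03-02 10:16:00 10.0.0.5 GET /index.aspx - 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 200",
]
SAMPLE_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<% string ua = System.Text.Encoding.UTF8.GetString('
    'Convert.FromBase64String("WGVUaGFuaHxYZUdyb3Vwcw==")); %>\n'
)


def demo_masquerade_scan() -> List[Tuple[str, str]]:
    """Build a throwaway web root with one real PNG header and one PE under .png, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
        (root / "update.png").write_bytes(b"MZ\x90\x00" + b"\x00" * 16)  # PE header, wrong extension
        (root / "tool.exe").write_bytes(b"MZ\x90\x00")  # extension matches; not flagged
        return scan_dir_for_masquerade(root)


if __name__ == "__main__":
    print("log hits:", scan_iis_log(SAMPLE_LOG))
    print("aspx findings:", scan_aspx_source(SAMPLE_ASPX))
    print("masquerade:", demo_masquerade_scan())
```

The log scan looks for the plaintext User-Agent because the shell is assumed to decode its base64 constant before sending requests (the page states only that the stored string is base64-encoded); the source scan looks for both forms so a copy of the shell is caught whether or not the operator changed the encoding. The magic-byte check deliberately ignores extension-only hints: an IIS static-file handler will happily serve `update.png` regardless of what the first two bytes are.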
Indicators of Compromise
- [Domain] Compromised websites – emergencylighting.com, meiersupply.com, onehundred80degrees.com
- [Hash] Testing binary by xethanh – dfab1097f7d345cad468a5e94d03e41701c602898bb9685457f327db3158dfc7
- [Hash] 2010 sample – 5395ef75d7a6325306f186ec636edc65191e82fd6ca705c58e4355c9498bca4a
- [Hash] 2014 sample – 02c48917b15015ddd02738bc1f480f9c6379165618435855030f4c63ce372485
- [Hash] ASPXSPY hashes – ba2109b5a3ccebbc494ee93880b55640539c7d25b85bc12189f0c671ce473771, 884c394c7b3eb757ae57050ac2e6a75385a361555e8e4272de1a3cf24746eec7
- [URL] Testing network infrastructure – repo.hyperstruct.net/mozrepl/1.0/mozrepl.xpi
- [IP] Threat actor infrastructure – 184.168.104.171
- [Domain] Skimmer infrastructure – hivnd.com, xegroups.com, xework.com, object.fm, paycashs.com, xeadult.com