xHunt campaign threat actors have been continuously attacking Kuwaiti organizations, mostly by targeting Microsoft Exchange servers.

Recently, researchers published a report related to an investigation of the campaign that uses several new attack tactics.

  • The group associated with the xHunt campaign has been using a new webshell called BumbleBee to upload and download files to and from the compromised Exchange server.
  • The threat actors have been using the BumbleBee webshell to run commands to discover additional systems and move laterally to other servers on the network.
  • The BumbleBee webshell has been hosted on an internal Internet Information Services (IIS) web server on the same network as the compromised Exchange server and two internal IIS web servers at two other Kuwaiti organizations.
  • The threat actors could interact directly with the BumbleBee webshell on the compromised Exchange server by using VPNs provided by Private Internet Access, Inc. SSH tunnels were in use for indirect interaction.

Evading Detection

  • The threat actors IP addresses appeared to be from different countries, to evade detection and complicate the analysis of malicious activities for defenders.
  • The threat actors used different OS and browsers, specifically Mozilla Firefox or Google Chrome on Windows 10, Windows 8.1, or Linux systems. This implies that they had access to multiple systems, making analysis even more difficult.

Conclusion

The xHunt campaign gang has been continuously making efforts and using their skills to evade detection for a long duration. Therefore, experts recommend organizations make continuous efforts and investments to ensure robust security against such threats.