
xHunt

Posted: October 2, 2019

xHunt is a cyber-espionage campaign that consists of a closely related family of backdoor Trojans and supporting tools. These threats can capture screenshots, perform file operations such as downloading, change port settings, run commands remotely and conduct other attacks. Workers in Kuwait's shipping sector should be especially vigilant against phishing e-mail attempts and should protect their systems with anti-malware security for removing xHunt Trojans.

The Hunt that Begins with a Japanese Cartoon

Kuwait's shipping and transportation companies are under assault by a threat whose theming is oddly out of place for the region: a series of anime-motif Trojans. The campaign, xHunt, encompasses a core backdoor Trojan, its apparent replacements and updates, a higher-level Trojan that provides enhanced capabilities to the attacker, and other tools. Workers in the targeted sector face a loss of sensitive credentials, potential network-traversing infections and other consequences.

It's not known whether xHunt's attacks are for sabotage, profit or intelligence-gathering. Although malware analysts can't examine every infection vector, phishing e-mail appears responsible for some of the most recent incidents. Such attacks can employ customized, workplace-relevant content to convince the recipient to open a corrupted document and start the infection process.

Some of the core threats that are identifiable in xHunt include:

  • Sakabota is a backdoor Trojan that forms the apparent progenitor of the rest of its family.
  • Hisoka, which is available in at least two versions, is a recent update to Sakabota, with similar, remote control-oriented features.
  • Killua is, in turn, an updated version of Hisoka, with an equally tight payload that adds DNS tunneling techniques.
  • Gon is a more comprehensive and invasive backdoor Trojan than the others, which may drop it. Gon can control port settings, run CMD-style system commands, pass files from the system to a C&C server or vice versa, collect information via screenshots, create a user-friendly RDP session for an evil-minded admin and perform lateral movement.
  • The other tool of note is EYE, which is unlike any of the other four Trojans in this family. EYE serves as an emergency escape hatch for the threat actor's evasion purposes. If it detects a 'normal' user logging into the system, EYE wipes all evidence of the threat actor's activities, such as by terminating its processes in memory.
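Killua's DNS tunneling is the detail a defender can most readily hunt for, because a C&C channel carried over DNS leaves a distinctive pattern in resolver logs: one registered domain receiving many distinct, long, high-entropy subdomain labels, often as TXT queries. The following is an added example written for this page, not code from the original article or from any xHunt sample; the four-column log format, the placeholder domain `c2-placeholder.test`, the hex-encoded labels and the thresholds (`min_unique`, `min_entropy`) are all constructed assumptions for illustration.

```python
"""Heuristic DNS-tunneling detector over a DNS query log.

Added example with constructed data (not real xHunt traffic). Flags registered
domains that receive several distinct, high-entropy subdomain labels, the
pattern a DNS-tunneling C&C channel leaves behind in resolver logs.
"""
import math
from collections import defaultdict

# Constructed sample log: "timestamp client qname qtype". The hex labels under
# c2-placeholder.test stand in for encoded C&C data; this is not a real domain.
SAMPLE_LOG = """\
2019-10-02T08:00:01 10.0.0.12 www.example.com A
2019-10-02T08:00:02 10.0.0.12 mail.example.com A
2019-10-02T08:00:03 10.0.0.12 4a6f686e2c2073656e64.c2-placeholder.test TXT
2019-10-02T08:00:04 10.0.0.12 206d65207468652066696c65.c2-placeholder.test TXT
2019-10-02T08:00:05 10.0.0.12 732e204b696c6c756120.c2-placeholder.test TXT
2019-10-02T08:00:06 10.0.0.12 69732072756e6e696e6720.c2-placeholder.test TXT
2019-10-02T08:00:07 10.0.0.12 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for the empty string, up to 4.0 for uniform hex."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (client, qname, qtype); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, qtype = parts
        yield client, qname.rstrip(".").lower(), qtype.upper()


def split_qname(qname: str):
    """Return (leftmost_label, registered_domain) with a naive last-two-labels
    rule (assumption: no public-suffix list). None when there is no subdomain."""
    labels = qname.split(".")
    if len(labels) < 3 or not all(labels):
        return None
    return labels[0], ".".join(labels[-2:])


def profile_domains(text: str):
    """Aggregate per-registered-domain statistics from the log text."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "txt": 0, "clients": set()})
    for client, qname, qtype in parse_log(text):
        parsed = split_qname(qname)
        if parsed is None:
            continue
        label, domain = parsed
        d = stats[domain]
        d["queries"] += 1
        d["subdomains"].add(label)
        d["entropy_sum"] += shannon_entropy(label)
        d["clients"].add(client)
        if qtype == "TXT":
            d["txt"] += 1
    return stats


def flag_tunnel_candidates(text: str, min_unique: int = 3, min_entropy: float = 2.5):
    """Return {domain: summary} for domains that look like tunneling endpoints.
    Thresholds are assumed starting points; tune them against your own baseline."""
    flagged = {}
    for domain, d in profile_domains(text).items():
        mean_entropy = d["entropy_sum"] / d["queries"]
        if len(d["subdomains"]) >= min_unique and mean_entropy >= min_entropy:
            flagged[domain] = {
                "queries": d["queries"],
                "unique_subdomains": len(d["subdomains"]),
                "mean_entropy": round(mean_entropy, 2),
                "txt_ratio": round(d["txt"] / d["queries"], 2),
                "clients": sorted(d["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for domain, info in flag_tunnel_candidates(SAMPLE_LOG).items():
        print(domain, info)
```

On the constructed log, `example.com` stays unflagged (its labels `www`, `mail` and `cdn` are short and low-entropy) while `c2-placeholder.test` is reported with four unique subdomains and a TXT ratio of 1.0. In production, replace the last-two-labels rule with a public-suffix list, baseline the thresholds against normal traffic (CDN and anti-spam lookups also produce long labels), and pivot from a flagged domain to the querying clients listed in the summary.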

Readers may or may not notice the shared theme: most elements of xHunt's campaign involve references to Hunter x Hunter, a famous Japanese action cartoon. This quirk goes even so far as Gon's admin panel, which shows silhouettes of the show's protagonists.

Ending the Hunt that Preys on Transportation Hardware

As the list of related threats shows, xHunt's components are updated, replaced and rotated semi-routinely. Accordingly, new attacks may not conform to the symptoms and techniques of old ones, such as e-mail attachments delivering corrupted PowerShell payloads. However, disabling macros for documents and spreadsheets is always preferable for the security of any PC. There also is some C&C infrastructure overlap between xHunt and the strategies of OilRig, an Iranian threat actor – although this detail could be incidental – which emphasizes the likely further involvement of these Trojans in nearby regions.

Unimpeded xHunt payloads provide a limited but powerful backdoor into the computer, enabling more in-depth attacks through more advanced tools. Victims should be aware of the likely loss of passwords and other credentials, the possibility of xHunt Trojans moving throughout networks, and the chance of threat actors making system changes, uploading files or downloading other threats. Fortunately, for now, malware experts see no signs of xHunt intruding outside of its narrow niche, either geographically or in the businesses it targets.

Shipping and transportation entities in the Middle East can protect their networks with strict firewall policies, employee training on phishing avoidance and other methods. Anti-malware services are still the best hope of identifying and deleting any xHunt Trojan in time.

As xHunt's hunting for victims goes on, there's more worth discovering about its distribution models, infrastructure and even the author behind these Trojans. Whether xHunt is benefiting from state financing or not, it's a problem worth considering before it's in the heart of your network.
