Shipping companies targeted by new malware tools that monitor their every move Watch Now

Hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organisations with custom trojan malware.

Identified and detailed by researchers at Palo Alto Networks' Unit 42 threat intelligence division, the campaign has been active since at least May 2019 and focuses on transportation and shipping firms operating out of Kuwait in the Persian Gulf.

The campaign has been dubbed xHunt because the malicious tools associated with it have apparently been named by the developers after characters in anime series Hunter x Hunter.

xHunt first came to light in May after a malicious binary was found installed on the network of a victim in Kuwait. It's still not certain how machines are initially compromised, but the attackers install a backdoor named Hisoka version 0.8 which facilities the delivery of additional families of malware which appear to have been developed by the same authors.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

One of these is Gon, which allows the attacker to scan for open ports on remote systems, upload and download files, take screenshots, find other systems on the network, run commands and create its own Remote Desktop Protocol (RDP) function.

All of this ultimately allows the attackers to monitor every action on the infected system and secretly make off with files and other data.

xHunt also successfully infiltrated the networks of a second Kuwait shipping and transport firm, infected in June this year.

Researchers note that this version of Hisoka is listed as version 0.9, and it comes with additional capabilities, including the ability to transfer itself to other systems using the Server Message Block (SMB) protocol privileges from an internal IT service desk account. The malware also attempts to login to Exchange services using legitimate credentials for accounts, helping the attackers to send and receive commands.

During analysis of the malware and its activities on compromised networks, researchers found similarities in the code to another malicious tool – Sakabota – which has been active since at least July 2018. It's believed that Sakabota is the predecessor to Hisoka, developed by the same author, with additional capabilities added over the course of a year. The Gon backdoor also contains code used in Sakabota, once again pointing towards all of the tools having the same author or authors.

"The attackers have added some fun capabilities to Hisoka and its associated toolset. The attackers are aware of probable security measures in place at their targets and have attempted to develop ways to get in undetected," Ryan Olson, vice president of threat intelligence at Unit 42 told ZDNet.

Researchers suggest that some of the infrastructure and shared domains behind Hisoka, Sakabota and Gon shows potential overlaps with OilRig – also known as APT 35 and Helix Kitten – a hacking operation with links to Iranian government-backed offensive cyber campaigns. Researchers at IBM X-Force also linked recent attacks targeting Kuwait to Iran.

SEE: Cybercrime: Ransomware attacks have more than doubled this year

However, Unit 42 also notes that the difference in timing between the attacks isn't concrete evidence, as one attack group could have used the infrastructure, before another used it later down the line.

No matter who is behind the campaign, organisations can go a long way to being protected against attacks by implementing some basic cybersecurity practices.

"Organisations can protect themselves by including security tools and capabilities that look for changes in a known good state, anomalous activity on Exchange servers, and those that can detect for DNS Tunneling. It is also a good practice to continue user cybersecurity awareness and education initiatives," said Olson.

Researchers continue to monitor the activity around the attacks and are set to continue analysis to determine the ultimate goals of the attacker, as well as more information about the origin of the campaign. The indicators of compromise associated with the attacks have been shared on the Unit 42 GitHub repository.

MORE ON CYBERCRIME