Ixeshe is a malware family with trojan and backdoor capabilities that has been used since at least 2009, predominantly in East Asia. Ixeshe affects the following operating systems: Windows. Ixeshe can list running services, execute commands via cmd, set its own executable file's attributes to hidden, and enumerate the IP address of the target system. It also uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests. Ixeshe collects the username from the victim's machine and uses HTTP for command and control. Additionally, it can list file and directory information, as well as download and execute additional files.
Ixeshe Malware Capabilities
Ixeshe may use a number of different techniques to discover information about a system, including enumerating running processes, looking for hidden files, and checking for open ports.
This information may be used to determine how best to proceed with an attack. Ixeshe may use a number of methods to discover information about potential targets, including looking for details about network configuration and settings, searching for files of interest, and trying to get information about the operating system and hardware. Ixeshe may also achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
- Ixeshe may try to gather information about registered local system services. Ixeshe may obtain information about services using tools as well as OS utility commands such as 'sc query', 'tasklist /svc', 'systemctl --type=service', and 'net start'.
- Ixeshe may use the Windows command shell for execution, set files and directories to be hidden, and attempt to get information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network.
- Ixeshe may use a standard data encoding system to make the content of command and control traffic more difficult to detect. It may also attempt to identify the primary user or currently logged-in user in order to shape follow-on behaviors. Ixeshe may communicate using application layer protocols associated with web traffic to avoid detection and network filtering by blending in with existing traffic.
- The Ixeshe malware may enumerate files and directories or search for specific information within a file system.
- Ixeshe may search for information about a system's network configuration and settings, such as IP and MAC addresses, in order to find sensitive data prior to exfiltrating it. It may also attempt to get detailed information about the system's operating system and hardware in order to determine how best to proceed with an attack.
Ways to Mitigate Ixeshe Malware Attacks
- Ixeshe malware can be mitigated by analyzing network data for uncommon data flows, monitoring for command-line deletion functions, and monitoring for the use of known deletion and secure-deletion tools. Additionally, system and network discovery techniques should be monitored to help identify potential Ixeshe malware activity.
- The Ixeshe malware can be mitigated by monitoring the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute. Additionally, system and network discovery techniques should be monitored as part of a larger chain of behavior that could lead to other activities.
- Ixeshe malware is mitigated by analyzing network data for unusual data flows. Processes that do not typically communicate over the network or that have never been seen before are considered suspicious. Additionally, packet contents should be analyzed for communications that do not follow expected protocol behavior. System and network discovery techniques should be monitored as part of a larger chain of behavior that could lead to other malicious activities.
- Monitor file creation and transfer activity, as well as process activity with external network connections. File hashes are collected and compared to expected values, and any discrepancies are flagged as suspicious. Additionally, any files that are modified outside of an update or patch are considered suspicious.
- Implement a system designed to monitor and detect potential file-gathering activities that may be part of a larger malicious operation. System and network discovery techniques are used to identify potential targets, and then data and events are monitored for indications of unauthorized access or activity. CLI activity and Windows management tools are specifically monitored for suspicious activity, and any suspicious activity is flagged for further investigation.
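The detections above (attrib.exe adding the hidden attribute, service discovery through the command shell, and a Base64-like HTTP message body that does not decode under the standard alphabet) can be expressed as simple checks over process-creation and proxy logs. The following is an added example written for this page, not code from any Ixeshe analysis or vendor product; the log events, field layout and HTTP body are constructed, and the non-standard Base64 heuristic is an assumption that needs tuning against real traffic.

```python
import base64
import binascii
import re
import string

# Constructed sample data (not from the page): process-creation events as
# (image path, command line), plus one captured HTTP POST body.
SAMPLE_PROCESS_EVENTS = [
    ("C:\\Windows\\System32\\attrib.exe", "attrib +h +s C:\\Users\\Public\\svchost.exe"),
    ("C:\\Windows\\System32\\cmd.exe", 'cmd.exe /c "sc query && tasklist /svc && net start"'),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]
SAMPLE_HTTP_BODY = "k9Qz3Lm7Tb2Xc5Vn8Pq1Rs4Wd6Yf0Hg2Jk5Lz7Mn9Bv1Cx3Zq"  # constructed blob
BENIGN_HTTP_BODY = base64.b64encode(b"hostname=WS01;user=alice;os=win7").decode()

# Service/process discovery commands named on the page
DISCOVERY_PATTERNS = [r"\bsc\s+query\b", r"\btasklist\s+/svc\b", r"\bnet\s+start\b"]
# One uninterrupted run of Base64-alphabet characters (32+ chars, optional padding)
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def flag_process_event(image, cmdline):
    """Return the detection names that fire for one process-creation event."""
    hits = []
    low = cmdline.lower()
    # attrib.exe adding the hidden (+h) attribute to a file
    if image.lower().endswith("attrib.exe") and re.search(r"(^|\s)\+[a-z]*h", low):
        hits.append("hidden_attribute_set")
    # Discovery commands launched through the Windows command shell
    if image.lower().endswith("cmd.exe") and any(re.search(p, low) for p in DISCOVERY_PATTERNS):
        hits.append("service_discovery_via_cmd")
    return hits


def looks_like_custom_base64(body):
    """True when the body is a Base64-alphabet blob that either is not valid
    standard Base64 or decodes to mostly non-printable bytes (heuristic)."""
    body = body.strip()
    if not B64_BLOB.match(body):
        return False
    padded = body + "=" * (-len(body) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except (ValueError, binascii.Error):
        return True  # length or padding impossible under the standard alphabet
    printable = sum(c in string.printable.encode() for c in decoded)
    return printable / max(len(decoded), 1) < 0.8


def scan_samples():
    """Run both checks over the constructed samples; returns a findings dict."""
    findings = {cmd: flag_process_event(img, cmd) for img, cmd in SAMPLE_PROCESS_EVENTS}
    findings["http_body"] = looks_like_custom_base64(SAMPLE_HTTP_BODY)
    return findings
```

The hidden-attribute and discovery checks are noisy on administrative hosts, so in practice they are scored as part of the larger behavior chain the page describes rather than alerted on individually.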
About APT12 Threat Group
APT12 is a Chinese threat group that has targeted media outlets, high-tech companies, and governments.