ESET Researchers discovered a threat group named XDSpy that remained undetected for nine years and has compromised many government agencies.
At the Virus Bulletin 2020 security conference, ESET experts Matthieu Faou and Francis Labelle provided details about the victims and operations of a newly discovered advanced persistent threat (APT) group named XDSpy, after the main downloader used in its attacks.
ESET researchers said that the campaign has been active since 2011 and has targeted Belarus, Russia, Moldova, Ukraine and Serbia.
According to experts, the hacker group could have targeted many other countries, and a good portion of its operations are yet to be discovered.
In February 2020, the national cybersecurity incident response team (CERT) in Belarus published an advisory on an XDSpy spear-phishing campaign that reached more than 100 targets, including Belarusian ministries and agencies. At that time the threat actors were interested in collecting documents from government staff, such as military personnel or diplomats, as well as from academic institutions and private companies.
The main tool in the arsenal of the XDSpy APT is a downloader dubbed XDDown, which is used to infect victims and then download secondary modules that execute various specialised tasks.
The hackers used NirSoft utilities to recover passwords from email clients and web browsers.
ESET discovered multiple plugins used by XDDown; the modules include:
- XDRecon: Obtains necessary information about the victim machine (computer name, current username, volume serial number of the main drive)
- XDList: Takes screenshots, crawls the C: drive for interesting files (.accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml, .wab) and exfiltrates the paths of these files.
- XDMonitor: Monitors removable drives to exfiltrate the files matching an interesting extension.
- XDUpload: Steals a hardcoded list of files from the filesystem to the C&C server.
- XDLoc: Collects nearby SSIDs (such as Wi-Fi access points), likely for geo-location purposes.
- XDPass: Extracts passwords from applications such as web browsers and email programs.
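The XDList and XDMonitor modules are, from a defender's point of view, bulk enumeration of document files by a single process. The following detection sketch is an added example (not ESET's or XDSpy's code): it scans constructed file-access events of the form `timestamp|process|path`, keeps only the extensions reported for XDList, and flags any process that touches an unusually large number of distinct documents inside a short window. The event format, the `updater.exe` process name, the threshold and the window are assumptions chosen for the example.

```python
"""Flag processes that enumerate many document files in a short window.

Added example for illustration; the log format, process names, threshold and
window are assumptions, not anything published by ESET about XDSpy.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Extension list as reported for the XDList module.
XDLIST_EXTENSIONS = {
    ".accdb", ".doc", ".docm", ".docx", ".mdb", ".xls", ".xlm", ".xlsx", ".xlsm",
    ".odt", ".ost", ".ppt", ".pptm", ".ppsm", ".pptx", ".sldm", ".pst", ".msg",
    ".pdf", ".eml", ".wab",
}

# Constructed sample events ("timestamp|process|path"); not real telemetry.
SAMPLE_EVENTS = r"""
2020-10-02T09:00:01|winword.exe|C:\Users\alice\report.docx
2020-10-02T09:00:05|svchost.exe|C:\Windows\System32\drivers\etc\hosts
2020-10-02T09:01:00|updater.exe|C:\Users\alice\Documents\budget.xlsx
2020-10-02T09:01:01|updater.exe|C:\Users\alice\Documents\memo.doc
2020-10-02T09:01:02|updater.exe|C:\Users\alice\Documents\contract.pdf
2020-10-02T09:01:03|updater.exe|C:\Users\alice\Desktop\notes.odt
2020-10-02T09:01:04|updater.exe|C:\Users\alice\Desktop\slides.pptx
2020-10-02T09:01:05|updater.exe|C:\Users\alice\Outlook\archive.pst
2020-10-02T09:01:06|updater.exe|C:\Users\alice\Desktop\slides.pptx
2020-10-02T09:30:00|winword.exe|C:\Users\alice\letter.docx
"""


def is_document(path: str) -> bool:
    """True if the Windows path has one of the XDList extensions (case-insensitive)."""
    return ntpath.splitext(path)[1].lower() in XDLIST_EXTENSIONS


def parse_events(text: str):
    """Parse 'timestamp|process|path' lines into (datetime, process, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, path = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), proc, path))
    return events


def find_bulk_enumerators(events, threshold: int = 5, window=timedelta(minutes=5)):
    """Return {process: max distinct documents seen within any `window`} for
    processes that reach `threshold` distinct documents in that window."""
    per_proc = defaultdict(list)
    for ts, proc, path in events:
        if is_document(path):
            per_proc[proc].append((ts, path))

    flagged = {}
    for proc, hits in per_proc.items():
        hits.sort()  # chronological order for the sliding window
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[proc] = best
    return flagged


if __name__ == "__main__":
    for proc, count in find_bulk_enumerators(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: {proc} enumerated {count} distinct document files in 5 minutes")
```

Counting distinct paths rather than raw events keeps a legitimate application that re-reads the same file from tripping the rule, while a sweep across many user documents by a process that has no business reading them (the sample `updater.exe`) is flagged. The same watch list can be applied to events from removable-drive mount points to cover the XDMonitor behaviour.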
ESET researchers report that many XDSpy malware samples were compiled in the UTC+2 or UTC+3 time zone from Monday to Friday, which suggests the involvement of professionals.
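The working-hours inference above rests on the PE header's `TimeDateStamp` field. The following added example (not ESET's tooling) shows how such an analysis is done: it reads the compile timestamp from each binary, re-bases it into candidate UTC offsets, and reports which offsets place the most builds inside a Monday-to-Friday business day. The sample binaries are constructed stub MZ/PE headers with chosen timestamps, not real XDSpy files; the business-hours definition (08:00 to 18:00) is an assumption.

```python
"""Infer a developer's likely time zone from PE compile timestamps.

Added example; the stub PE headers and timestamps below are constructed for
illustration and are not real samples. TimeDateStamp can be zeroed or forged,
so this is supporting evidence only, never proof on its own.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def make_stub_pe(ts: int) -> bytes:
    """Build a minimal, non-executable MZ/PE header carrying the given timestamp
    (constructed test input only)."""
    buf = bytearray(0x40 + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x48, ts)
    return bytes(buf)


def working_hours_profile(timestamps, utc_offset_hours: int):
    """Tabulate build weekdays and hours in the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekdays, hours = Counter(), Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        weekdays[WEEKDAY_NAMES[local.weekday()]] += 1
        hours[local.hour] += 1
    return weekdays, hours


def business_hours_ratio(timestamps, utc_offset_hours: int, start=8, end=18) -> float:
    """Fraction of builds that land Mon-Fri between `start` and `end` local time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def best_offsets(timestamps, candidates=range(-12, 15)):
    """All UTC offsets (hours) that maximise the business-hours ratio; ties are
    returned together because neighbouring zones are often indistinguishable."""
    ratios = {off: business_hours_ratio(timestamps, off) for off in candidates}
    top = max(ratios.values())
    return [off for off, r in ratios.items() if r == top]


def analyse(files) -> list:
    """Extract timestamps from PE blobs and return the best-fitting UTC offsets."""
    return best_offsets([pe_timestamp(f) for f in files])


# Constructed compile times (stored in UTC), all weekdays in September 2020.
SAMPLE_COMPILE_TIMES = [
    int(datetime(2020, 9, 14, 6, 30, tzinfo=timezone.utc).timestamp()),   # Mon
    int(datetime(2020, 9, 15, 11, 0, tzinfo=timezone.utc).timestamp()),   # Tue
    int(datetime(2020, 9, 16, 14, 50, tzinfo=timezone.utc).timestamp()),  # Wed
    int(datetime(2020, 9, 17, 7, 10, tzinfo=timezone.utc).timestamp()),   # Thu
    int(datetime(2020, 9, 18, 12, 20, tzinfo=timezone.utc).timestamp()),  # Fri
    int(datetime(2020, 9, 21, 6, 5, tzinfo=timezone.utc).timestamp()),    # Mon
]
SAMPLE_FILES = [make_stub_pe(ts) for ts in SAMPLE_COMPILE_TIMES]

if __name__ == "__main__":
    offsets = analyse(SAMPLE_FILES)
    print("best-fitting UTC offsets:", offsets)
    for off in offsets:
        print(f"UTC{off:+d}:", working_hours_profile(SAMPLE_COMPILE_TIMES, off))
```

On real samples the ratio rarely reaches 1.0, and adjacent offsets usually tie, which is why an analyst reports a band such as "UTC+2 or UTC+3" rather than a single zone. Timestamps of zero, of the far future, or identical across many builds indicate a toolchain that does not emit real build times, and those samples should be excluded before drawing any conclusion.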
“XDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months,” concludes the report.
“The group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor, but for which no public proof-of-concept exists, a so-called 1-day exploit.”
On its GitHub page, ESET published additional technical details such as Indicators of Compromise (IoCs).