An ESET investigation reveals the existence of a new APT group, called XDSpy, which has been operating for almost 10 years stealing confidential documents from European governments.
ESET, one of the most widely recognized computer security companies worldwide, recently published a report revealing the existence of an APT (Advanced Persistent Threat) group that has orchestrated a large number of stealthy attacks against government agencies, businesses and private companies located in Eastern Europe and the Balkans.
The group, known as XDSpy, has been operating since 2011 but has remained undetected by authorities. The security firm notes that only the Belarusian Computer Emergency Response Team (CERT) reported a similar attack by an APT group, in February 2020. In its release, the CERT reported that it had detected another malware distribution campaign that sends malicious software to real government employees through their email, compromising the confidential data they handle. The CERT highlighted that the main attack vector of these groups is the employees of government agencies and entities themselves. ESET links these attacks to the newly discovered XDSpy group.
The main objectives of XDSpy
“XDSpy group targets are located in Eastern Europe and the Balkans and are primarily government entities, including the military, foreign ministries, and private companies.”
ESET research suggests that XDSpy primarily targets government agencies in Eastern European countries such as Belarus, Moldova, Russia, Serbia, and Ukraine. XDSpy has also attacked private entities and companies to steal sensitive information, so the group's espionage is aimed not only at state secrets and confidential documents but also at economic espionage within these countries.
The security firm was also unable to link the XDSpy attacks to other known malware campaigns, noting that it is a fairly unique group that applies a range of attack methods, from phishing emails to the deployment of spyware.
Almost 10 years of unnoticed activity
The most worrying thing that ESET reveals is that XDSpy has been operational since at least 2011 and that it has been orchestrating attacks with very basic but effective tools that have hidden it from the public eye. To date, there is very little documented information about this cyber espionage group, something that for the security firm is very unusual, since the attack group has been active for almost 10 years.
ESET research also indicates that the XDSpy malware ecosystem consists of at least seven spyware components: XDDown, XDRecon, XDList, XDMonitor, XDUpload, XDLoc and XDPass. They are designed to collect information about compromised computers, track and exfiltrate specific documents and file paths, monitor removable drives, gather application and account passwords, and more. With these tools the group has been monitoring government agencies' removable drives, taking screenshots, and exfiltrating sensitive documents.
ESET also reveals that it found a custom module in the APT's toolset, likely intended to collect nearby Wi-Fi access point identifiers in order to geolocate compromised machines. The group also uses NirSoft utilities to recover passwords from web browsers and email clients, which makes credential theft a clear goal of this malware campaign.
Phishing and Malware
Some of the emails sent by the XDSpy group to government agency officials contain attachments, while others contain links to malicious files. The emails may carry ZIP or RAR archives containing an LNK (Windows shortcut) file which, when opened, downloads an additional script that installs the XDDown component on the compromised computer.
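The archive-with-shortcut lure described above is easy to screen for at the mail gateway or in a sandbox. The following is an added example written for this article, not ESET's code or anything from the XDSpy toolset: it inspects a ZIP archive and flags members that are Windows shortcut files, either by extension or by the fixed ShellLinkHeader bytes (header size 0x4C followed by the LNK CLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to hide its type is still caught. The sample archive is constructed in memory for the demonstration; RAR archives are handled the same way once unpacked with a RAR library, which is omitted here to keep the example standard-library only.

```python
"""Flag Windows shortcut (.lnk) files inside a ZIP attachment.

Added example, not ESET's code. The archive contents below are constructed
for the demo; the magic-bytes check is what matters for real attachments.
"""
import io
import zipfile

# ShellLinkHeader: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Windows shortcut header (name-independent)."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_members(zip_bytes: bytes) -> list:
    """Return ZIP members that are shortcuts by extension or by header.

    Explorer hides the .lnk extension by default, so "Document.pdf.lnk" is shown
    to the victim as "Document.pdf"; checking the final extension catches that,
    and checking the magic bytes catches a shortcut stored under any other name.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_ext = info.filename.lower().endswith(".lnk")
            with zf.open(info) as member:
                by_magic = is_lnk(member.read(len(LNK_MAGIC)))
            if by_ext or by_magic:
                findings.append(
                    {"name": info.filename, "by_ext": by_ext, "by_magic": by_magic}
                )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign text file, a double-extension shortcut, and a
    shortcut disguised under a .txt name (bodies are zero-padded stubs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Quarterly notes (constructed sample).")
        zf.writestr("Document.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_members(build_sample_zip()):
        print(f"{hit['name']}: ext={hit['by_ext']} magic={hit['by_magic']}")
```

In a gateway deployment the same function would run on every archive attachment before delivery; a hit on a shortcut inside an archive is a strong enough signal on its own to quarantine the message, since there is almost no legitimate reason to mail a Windows shortcut to a government mailbox.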
The firm also reveals that in recent months the group has exploited a vulnerability in Internet Explorer, CVE-2020-0968: the C&C server delivers an RTF file that, once opened, downloads an HTML file that exploits the vulnerability and infects the computer. The CVE-2020-0968 exploit, one of several Internet Explorer vulnerabilities disclosed in the last two years, bears a strong resemblance to exploits used by other attack groups such as DarkHotel and Operation Domino, so ESET assumes that these groups share the same intermediary to obtain their exploits.
ESET concludes that XDSpy uses a variety of relatively simple malware that does not rely on advanced techniques, yet is quite effective at achieving its objectives. The security firm will continue to investigate and monitor the activities of this very particular APT group.