December 1, 2023

XDSpy, an APT group recently discovered by researchers, targeted government agencies and private companies in Belarus, Moldova, Russia, Serbia, and Ukraine, including militaries and Ministries of Foreign Affairs.

Experts believe that the hacker group could have targeted many other countries and a good portion of its operations has yet to be discovered.

The tools in the arsenal of the XDSpy APT are quite basic, although efficient; their primary tool is a downloader dubbed XDDown.

The malware samples analyzed by the researchers are slightly obfuscated using string obfuscation and dynamic Windows API library loading. The malware supports multiple features, including the monitoring of removable drives, taking screenshots, exfiltrating documents, and collecting nearby Wi-Fi access point identifiers.

Experts also noticed that the hackers used NirSoft utilities to recover passwords from web browsers and email clients.

Experts observed the threat actor exploiting a remote code execution issue in Internet Explorer, tracked as CVE-2020-0968, that was addressed by Microsoft with the release of the Patch Tuesday security updates for April 2020.

ESET described XDDown as a “downloader” used to infect a victim and then download secondary modules that would perform various specialized tasks.

The XDDown malware has a modular structure; some of the plugins analyzed by ESET are:

  • XDRecon
  • XDList
  • XDMonitor
  • XDUpload
  • XDLoc
  • XDPass

The analysis of the spear-phishing campaigns linked to the APT group revealed that the hackers used email subject lines with lures related to lost and found objects and the COVID-19 pandemic. These messages came with malicious attachments such as Powerpoint, JavaScript, ZIP, or shortcut (LNK) files.
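As an added defender-side example (not code from the article or from ESET's report), a small mail-gateway triage routine that flags the attachment types the report names (JavaScript, LNK, PowerPoint, and ZIP archives wrapping such files) when they arrive under the lure themes described; the extension list, the lure keywords, and the ZIP it inspects are constructed assumptions for illustration.

```python
# Added defensive example (not ESET's or the article's code); inputs constructed.
import io
import zipfile

# Attachment types named in the report, plus lure themes from its subject lines.
RISKY_EXT = {".js", ".jse", ".lnk", ".ppt", ".pptx", ".ppsx"}  # assumed list
LURE_WORDS = ("covid", "lost", "found")  # assumed keywords

def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def risky_members(zip_bytes: bytes) -> list:
    """Names inside a ZIP whose extension is on the risky list."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and _ext(info.filename) in RISKY_EXT:
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        hits.append("<malformed zip>")  # an undecodable archive is itself suspicious
    return hits

def triage(subject: str, filename: str, data: bytes) -> dict:
    """Score one attachment on type, ZIP contents and lure-themed subject."""
    reasons = []
    ext = _ext(filename)
    if ext in RISKY_EXT:
        reasons.append(f"attachment type {ext}")
    if ext == ".zip":
        reasons += [f"zip member {m}" for m in risky_members(data)]
    if any(w in subject.lower() for w in LURE_WORDS):
        reasons.append("lure subject")
    # A risky file type coinciding with a lure-themed subject gets quarantined.
    verdict = "quarantine" if len(reasons) >= 2 else ("review" if reasons else "pass")
    return {"filename": filename, "verdict": verdict, "reasons": reasons}

def sample_zip() -> bytes:
    """Constructed archive: a shortcut and a script beside a decoy text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lost property notice.lnk", b"constructed")
        zf.writestr("details.js", b"// constructed")
        zf.writestr("readme.txt", b"decoy")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage("Lost and found: item left at reception", "notice.zip", sample_zip()))
```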

“XDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months,” concludes the report. “The group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit.”
