XDSpy APT remained undetected since at least 2011

Pierluigi Paganini October 02, 2020

Researchers from ESET uncovered the activity of a new APT group, tracked as XDSpy, that has been active since at least 2011.

XDSpy is the name used by ESET researchers to track a nation-state actor that has been active since at least 2011. The APT group, recently discovered by ESET, targeted government and private companies in Belarus, Moldova, Russia, Serbia, and Ukraine, including militaries and Ministries of Foreign Affairs.

The activity of the cyber espionage group was first documented by ESET experts Matthieu Faou and Francis Labelle in a talk at the Virus Bulletin 2020 security conference.

“Early in 2020, ESET researchers discovered a previously undisclosed cyber espionage operation targeting several governments in Eastern Europe, the Balkans and Russia. Unusually, our research shows that this campaign has been active since at least 2011 with next to no changes in TTPs.” reads the abstract from the talk. “It is very uncommon to find a cyber espionage operation without any public reporting after almost 10 years of activity.”

Experts believe that the hacker group could have targeted many other countries and a good portion of its operations has yet to be discovered.

In February 2020 the Belarusian CERT published a security advisory about an ongoing spear-phishing campaign, linked by ESET to XDSpy, targeting several Belarusian ministries and agencies. At the time, the threat actors were interested in collecting documents from government staff such as diplomats or military personnel, private companies and academic institutions. The nature of the targets suggests that the threat actor is also responsible for economic espionage operations.

Since the publishing of the advisory, the group’s operations have now gone dark.

The tools in the arsenal of the XDSpy APT are quite basic, although efficient; their primary tool is a downloader dubbed XDDown.

The malware samples analyzed by the researchers are slightly obfuscated using string obfuscation and dynamic Windows API library loading. The malware supports multiple features, including the monitoring of removable drives, taking screenshots, exfiltrating documents, and collecting nearby Wi-Fi access point identifiers.

Experts also noticed that the hackers used NirSoft utilities to recover passwords from web browsers and email clients.

Experts observed the threat actor exploiting a remote code execution vulnerability in Internet Explorer, tracked as CVE-2020-0968, that was addressed by Microsoft with the release of the Patch Tuesday security updates for April 2020.

“At the time it was exploited by XDSpy, no proof-of-concept and very little information about this specific vulnerability was available online,” explained ESET. “We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves by looking at previous exploits for inspiration.”

ESET described XDDown as a “downloader” used to infect a victim and then download secondary modules that would perform various specialized tasks.

The XDDown malware has a modular structure; some of the plugins analyzed by ESET are:

  • XDRecon: Gathers basic information about the victim machine (the computer name, the current username and the Volume Serial Number of the main drive).
  • XDList: Crawls the C: drive for interesting files (.accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml, .wab) and exfiltrates the paths of these files. It can also take screenshots.
  • XDMonitor: Similar to XDList. It also monitors removable drives to exfiltrate the files matching an interesting extension.
  • XDUpload: Exfiltrates a hardcoded list of files from the filesystem to the C&C server, as shown in Figure 5. The paths were sent to the C&C servers by XDList and XDMonitor.
  • XDLoc: Gathers nearby SSIDs (such as Wi-Fi access points), probably in order to geo-locate the victim machines.
  • XDPass: Grabs saved passwords from various applications such as web browsers and email programs.

The analysis of the spear-phishing campaigns linked to the APT group revealed that the hackers used email subject lines with lures related to lost and found objects and the COVID-19 pandemic. These messages came with malicious attachments such as Powerpoint, JavaScript, ZIP, or shortcut (LNK) files.

ESET researchers noted that many XDSpy malware samples were compiled in the UTC+2 or UTC+3 time zone from Monday to Friday, a circumstance that suggests the involvement of professionals.
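One way to check a working-hours claim like the one above against a set of samples, as an added example that is not ESET's tooling: read each PE's compile timestamp from the file header and bucket it by local weekday and hour under a candidate UTC offset. The header bytes and build times below are constructed for the demonstration, not taken from real XDSpy samples.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch, UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal header (not a real XDSpy sample) carrying the given compile time."""
    hdr = bytearray(0x40 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 3, timestamp)  # i386, 3 sections, TimeDateStamp
    return bytes(hdr)

def work_pattern(timestamps, utc_offset_hours):
    """Count compile times per local weekday and per local hour under an assumed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    days, hours = Counter(), Counter()
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        days[DAY_NAMES[local.weekday()]] += 1
        hours[local.hour] += 1
    return days, hours

def looks_like_office_hours(timestamps, utc_offset_hours, start=8, end=18):
    """True when every sample was built Mon-Fri between start and end local time."""
    days, hours = work_pattern(timestamps, utc_offset_hours)
    return not (days["Sat"] or days["Sun"]) and all(start <= h < end for h in hours)

# Constructed build times, chosen to sit on weekdays during UTC+3 working hours.
LOCAL_TZ = timezone(timedelta(hours=3))
STUB_SAMPLES = [build_stub_pe(int(datetime(*d, tzinfo=LOCAL_TZ).timestamp())) for d in
                [(2020, 3, 10, 9, 15), (2020, 3, 11, 14, 40), (2020, 3, 12, 17, 5), (2020, 3, 16, 10, 30)]]
SAMPLE_TIMESTAMPS = [pe_timestamp(s) for s in STUB_SAMPLES]

if __name__ == "__main__":
    for off in (3, 0, -5):
        print(f"UTC{off:+d}: office hours={looks_like_office_hours(SAMPLE_TIMESTAMPS, off)}")
```

The same timestamps that fit an office-hours pattern under UTC+2 or UTC+3 fall at night under a UTC-5 offset, which is why the offset and the weekday distribution are read together; compile timestamps are attacker-controlled and can be zeroed or forged, so the pattern is supporting evidence rather than proof.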

“XDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months.” concludes the report. “The group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit.”

The report includes additional technical details, such as Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, XDSpy)
