Researchers at ESET have discovered a malicious group called XDSpy, which has been active for nearly a decade, spying on organisations in Eastern Europe, the Balkans and Russia. ESET disclosed its findings on the group at the Virus Bulletin 2020 virtual event, at the height of the social protests in Belarus.
As Belarus enters its ninth straight week of protests, ESET has revealed the existence of a cyber espionage operation targeting countries in Eastern Europe, the Balkans and Russia. Dubbed XDSpy, the advanced persistent threat (APT) group has been actively targeting Belarus, Moldova, Russia, Serbia and Ukraine since 2011.
XDSpy remained undiscovered for the better part of a decade, until ESET spotted it earlier in 2020. Researchers at the Slovak company presented the findings at Virus Bulletin 2020, held virtually this year. Matthieu Faou, Researcher at ESET, said: "The group has attracted very little public attention so far, with the exception of an advisory from the Belarusian CERT in February 2020. Since we did not find any code similarities with other malware families, and we did not observe any overlap in the network infrastructure, we conclude that XDSpy is a previously undocumented group."
XDSpy: Targets, Standard Operations, and Components
XDSpy's main goal is information gathering: reconnaissance and document theft. ESET said the group's targets, code and infrastructure show little or no overlap with any other APT group documented so far. Like an ordinary office, XDSpy operates Monday to Friday during working hours in the UTC+2 and UTC+3 time zones, which match those of its targets.
Its targets are mainly government agencies, including military entities, along with some private companies. For initial access the group relies on a basic but effective technique, spear-phishing email, to compromise its targets. This email screenshot is an example of one such attempt:
#ESETresearch uncovered #XDSpy, a new APT group active since 2011. Over the years, it has compromised many governments in Belarus, Moldova, Russia, Ukraine and Serbia. We found that the initial compromise vector is a spearphishing email. @matthieu_faou pic.twitter.com/pfmRg1AVuV
— ESET research (@ESETresearch) October 2, 2020
A rough translation of the email in the screenshot above is as follows:
“Good afternoon!
I am sending you a copy of the letter and photo materials based on the results of the work. Click on the link to download: photo materials_11.02.2020.zip
We are waiting for an answer until the end of the working day."
The email carries either a malicious link or an attachment: a ZIP or RAR archive, a PowerPoint file or an LNK (shortcut) file. When the victim opens it, a script runs and installs the first malware component on the system. That component, XDDown, is a downloader whose only job is to fetch and install additional modules from the group's command-and-control (C&C) server; because the initial file does nothing more than that, it gives security products little to flag. Each downloaded module has one specialised function:
- XDRecon: collects technical information about the local host and sends it to the XDSpy command-and-control (C&C) server
- XDList: scans the target's drives for files of interest by extension (.accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml, .wab) and reports the list to the C&C server
- XDMonitor: monitors removable drives connected to the target and exfiltrates files found on them
- XDUpload: an exfiltration module that sends the files identified by XDList to the C&C server
- XDLoc: gathers information about Wi-Fi networks in the target's vicinity, most likely to geolocate the victim
- XDPass: extracts saved passwords from browsers
[Figure: XDSpy malware architecture. Source: ESET]
Indicators of Compromise
ESET published the following indicators of compromise for a successful XDSpy infection:
Sample Hashes
| SHA-1 hash | ESET detection name | Description |
|---|---|---|
| C125A05CC87EA45BB5D5D07D62946DAEE1160F73 | JS/TrojanDropper.Agent.OAZ | Spear-phishing email (2015) |
| 99729AC323FC8A812FA2C8BE9AE82DF0F9B502CA | LNK/TrojanDownloader.Agent.YJ | Malicious LNK downloader |
| 63B988D0869C6A099C7A57AAFEA612A90E30C10F | Win64/Agent.VB | XDDown |
| BB7A10F816D6FFFECB297D0BAE3BC2C0F2F2FFC6 | Win32/Agent.ABQB | XDDown (oldest known sample) |
| 844A3854F67F4F524992BCD90F8752404DF1DA11 | Win64/Spy.Agent.CC | XDRecon |
| B333043B47ABE49156195CC66C97B9F488E83442 | Win64/Spy.Agent.CC | XDUpload |
| 83EF84052AD9E7954ECE216A1479ABA9D403C36D | Win64/Spy.Agent.CC | XDUpload |
| 88410D6EB663FBA2FD2826083A3999C3D3BD07C9 | Win32/Agent.ABYL | XDLoc |
| CFD43C7A993EC2F203B17A9E6B8B392E9A296243 | Win32/PSW.Agent.OJS | XDPass |
| 3B8445AA70D01DEA553A7B198A767798F52BB68A | DOC/Abnormal.V | Malicious RTF file that downloads the CVE-2020-0968 exploit |
| AE34BEDBD39DA813E094E974A9E181A686D66069 | Win64/Agent.ACG | XDDown |
| 5FE5EE492DE157AA745F3DE7AE8AA095E0AFB994 | VBS/TrojanDropper.Agent.OLJ | Malicious script (Sep 2020) |
| B807756E9CD7D131BD42C2F681878C7855063FE2 | Win64/Agent.AEJ | XDDown (most recent as of writing) |
Filenames
- %APPDATA%\Temp.NET\archset.dat
- %APPDATA%\Temp.NET\hdir.dat
- %APPDATA%\Temp.NET\list.dat
- %TEMP%\tmp%YEAR%%MONTH%%DAY%_%TICK_COUNT%.s
- %TEMP%\fl637136486220077590.data
- wgl.dat
Networks
Used in 2019-2020
- boborux[.]com
- daftsync[.]com
- documentsklad[.]com
- downloadsprimary[.]com
- dropsklad[.]com
- easytosay[.]org
- filedownload[.]email
- getthatupdate[.]com
- officeupdtcentr[.]com
- wildboarcontest[.]com
Old Network Infrastructure
- 62.213.213[.]170
- 93.63.198[.]40
- 95.215.60[.]53
- forgeron[.]tk
- jahre999[.]tk
- omgtech.000space[.]com
- podzim[.]tk
- porfavor876[.]tk
- replacerc.000space[.]com
- settimana987[.]tk
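The indicators above are only useful if they are actually checked against hosts and logs. The script below is an added example written for this article, not ESET's tooling, and does three things with the published list: hashes every file under a directory and compares it with the SHA-1 table, looks for the dropped-file names under the %APPDATA% and %TEMP% roots it is given, and scans DNS/proxy log lines for the (defanged) domains and IP addresses. The file tree and log lines it runs on are constructed for the demo; the assumption that %YEAR%%MONTH%%DAY% expands to eight digits is mine, as is the choice to match domains as subdomain suffixes but IPs only exactly.

```python
"""Hunt for the XDSpy indicators quoted above (added example, not ESET's code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Transcribed from the ESET sample-hash table above (uppercase hex).
SAMPLE_SHA1 = {
    "C125A05CC87EA45BB5D5D07D62946DAEE1160F73": "Spear-phishing email (2015)",
    "99729AC323FC8A812FA2C8BE9AE82DF0F9B502CA": "Malicious LNK downloader",
    "63B988D0869C6A099C7A57AAFEA612A90E30C10F": "XDDown",
    "BB7A10F816D6FFFECB297D0BAE3BC2C0F2F2FFC6": "XDDown (oldest known sample)",
    "844A3854F67F4F524992BCD90F8752404DF1DA11": "XDRecon",
    "B333043B47ABE49156195CC66C97B9F488E83442": "XDUpload",
    "83EF84052AD9E7954ECE216A1479ABA9D403C36D": "XDUpload",
    "88410D6EB663FBA2FD2826083A3999C3D3BD07C9": "XDLoc",
    "CFD43C7A993EC2F203B17A9E6B8B392E9A296243": "XDPass",
    "3B8445AA70D01DEA553A7B198A767798F52BB68A": "RTF that downloads the CVE-2020-0968 exploit",
    "AE34BEDBD39DA813E094E974A9E181A686D66069": "XDDown",
    "5FE5EE492DE157AA745F3DE7AE8AA095E0AFB994": "Malicious script (Sep 2020)",
    "B807756E9CD7D131BD42C2F681878C7855063FE2": "XDDown (most recent)",
}

# Network indicators exactly as published (defanged); refanged when compiled.
NETWORK_IOCS = [
    "boborux[.]com", "daftsync[.]com", "documentsklad[.]com", "downloadsprimary[.]com",
    "dropsklad[.]com", "easytosay[.]org", "filedownload[.]email", "getthatupdate[.]com",
    "officeupdtcentr[.]com", "wildboarcontest[.]com",
    "62.213.213[.]170", "93.63.198[.]40", "95.215.60[.]53",
    "forgeron[.]tk", "jahre999[.]tk", "omgtech.000space[.]com", "podzim[.]tk",
    "porfavor876[.]tk", "replacerc.000space[.]com", "settimana987[.]tk",
]
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _compile(ioc):
    """Word-bounded pattern: a domain also matches as a subdomain suffix, an IP only exactly."""
    refanged = ioc.replace("[.]", ".")
    lead = r"(?<![\w.])" if IPV4.match(refanged) else r"(?<![\w-])"
    return refanged, re.compile(lead + re.escape(refanged) + r"(?![\w-])", re.I)


IOC_PATTERNS = [_compile(i) for i in NETWORK_IOCS]
# %TEMP%\tmp%YEAR%%MONTH%%DAY%_%TICK_COUNT%.s; eight-digit YYYYMMDD is an assumption.
TEMP_PATTERN = re.compile(r"^tmp\d{8}_\d+\.s$", re.I)
TEMP_EXACT = {"fl637136486220077590.data"}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


def hunt_hashes(root, known=SAMPLE_SHA1):
    """Sorted (path, description) for every file under root whose SHA-1 is in `known`."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha1_hex(p.read_bytes())
            if digest in known:
                hits.append((str(p), known[digest]))
    return sorted(hits)


def hunt_dropped_files(appdata, temp):
    """Sorted Paths of the published dropped files present under %APPDATA% and %TEMP%."""
    appdata, temp = Path(appdata), Path(temp)
    hits = [appdata / "Temp.NET" / n for n in ("archset.dat", "hdir.dat", "list.dat")]
    hits = [p for p in hits if p.is_file()]
    if temp.is_dir():
        hits += [p for p in temp.iterdir()
                 if p.name.lower() in TEMP_EXACT or TEMP_PATTERN.match(p.name)]
    for root in (appdata, temp):            # wgl.dat has no published directory
        hits += list(root.rglob("wgl.dat")) if root.is_dir() else []
    return sorted(set(hits))


def hunt_logs(lines):
    """(1-based line number, refanged indicator) for every indicator seen in the lines."""
    return [(n, ioc) for n, line in enumerate(lines, 1)
            for ioc, pat in IOC_PATTERNS if pat.search(line)]


# Constructed log lines for the demo; only lines 2-4 contain indicators.
DEMO_LOG_LINES = [
    "2020-09-14T08:12:03Z dns   client=10.0.0.21 query=www.example.com type=A",
    "2020-09-14T08:12:09Z dns   client=10.0.0.21 query=officeupdtcentr.com type=A",
    "2020-09-14T08:12:10Z proxy client=10.0.0.21 dst=93.63.198.40:80 GET /update.php",
    "2020-09-14T08:13:44Z dns   client=10.0.0.22 query=cdn.getthatupdate.com type=A",
]


def demo():
    """Run all three hunts on a constructed file tree and return plain results."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        appdata, temp = root / "AppData" / "Roaming", root / "Temp"
        (appdata / "Temp.NET").mkdir(parents=True)
        temp.mkdir()
        (appdata / "Temp.NET" / "archset.dat").write_bytes(b"constructed")
        (temp / "tmp20200914_123456.s").write_bytes(b"constructed")
        (temp / "notes.txt").write_bytes(b"benign")
        planted = {sha1_hex(b"constructed"): "planted"}   # stands in for a real sample hash
        return {
            "hashes": [d for _, d in hunt_hashes(root)],              # nothing real here
            "hashes_planted": [d for _, d in hunt_hashes(root, planted)],
            "dropped": [p.relative_to(root).as_posix() for p in hunt_dropped_files(appdata, temp)],
            "logs": hunt_logs(DEMO_LOG_LINES),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real host, point hunt_hashes at the user profile, pass the expanded %APPDATA% and %TEMP% paths to hunt_dropped_files, and feed hunt_logs your resolver or proxy export. The word-boundary lookarounds matter: without them 62.213.213[.]170 would also flag 162.213.213.170 and every suffix match would become a false positive.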
XDSpy went quiet from March to June 2020, after the Belarusian CERT advisory of February, but then resumed its espionage activity. In June 2020 it was seen exploiting CVE-2020-0968, a memory-corruption vulnerability in the legacy JScript engine of Internet Explorer that Microsoft had patched in April 2020, so the group was using a recently patched rather than a zero-day bug.
Faou told ZDNet that the group managed to stay undetected for nine years through two techniques: a killswitch that disables the plugins after a certain date has passed, and the absence of a persistence mechanism for them. He said: "They were able to use the same code base for 9 years while being able to evade some security products by tweaking the obfuscation."
Now, with protests against the incumbent in Belarus running for a ninth consecutive Sunday since the country's presidential election in August, the group may have found an opening and ramped up operations in the region.