ESET Discloses Info on Cyber Espionage APT Group XDSpy, at the Height of Belarus Protests

essidsolutions

Researchers at ESET have discovered a malicious group called XDSpy, which has been active for nearly a decade, spying on establishments in Eastern Europe, the Balkans and Russia. ESET disclosed its findings on the group at the Virus Bulletin 2020 virtual event, at the height of social protests in Belarus.

As Belarus enters its ninth straight week of protests, ESET has revealed the existence of a cyber espionage operation working against countries in Eastern Europe, the Balkans, and Russia. Dubbed XDSpy, the advanced persistent threat (APT) group has been actively targeting Belarus, Moldova, Russia, Serbia, and Ukraine since 2011.

XDSpy remained undiscovered for the better part of a decade, until ESET spotted it earlier in 2020. Researchers at the Slovak company presented ESET’s findings at Virus Bulletin 2020, held virtually this year. Matthieu Faou, Researcher at ESET, said, “The group has attracted very little public attention so far, with the exception of an advisory from the Belarusian CERT in February 2020. Since we did not find any code similarities with other malware families, and we did not observe any overlap in the network infrastructure, we conclude that XDSpy is a previously undocumented group.”

XDSpy: Targets, Standard Operations, and Components

XDSpy is mainly involved in gathering information and reconnaissance through document theft. ESET said the group’s targets, code, and infrastructure show little or no resemblance to other APT groups currently known. Perhaps contrary to expectation, and in line with a corporate work cycle, XDSpy operates on a Monday to Friday basis in its targets’ time zones, GMT+2 and GMT+3.

Its targets are mainly government agencies and military establishments, along with some private companies. The group relies on basic techniques such as email-based spear phishing to compromise targets. This email screengrab is an example of one such attempt:

#ESETresearch uncovered #XDSpy, a new APT group active since 2011. Over the years, it has compromised many governments in Belarus, Moldova, Russia, Ukraine and Serbia. We found that the initial compromise vector is a spearphishing email. @matthieu_faou pic.twitter.com/pfmRg1AVuV

— ESET research (@ESETresearch) October 2, 2020

A rough translation of the email screengrab in the tweet above is as follows: 

“Good afternoon!

I am sending you a copy of the letter and photo materials based on the results of the work. Click on the link to download: photo materials_11.02.2020.zip

We are waiting for an answer until the end of the working day.”


The email may contain a malicious link or an attached ZIP, RAR, PowerPoint, or LNK (shortcut) file which, if opened, runs a script that installs the first malware component on the target system. That component, called XDDown, is a downloader whose job is to fetch and install additional malware modules; keeping the initial component free of espionage functionality makes it less likely to be flagged as malicious. Each downloaded module has a specialized function:

  1. XDRecon: Collects technical information about the local host and sends it to the XDSpy command & control (C&C) server.
  2. XDList: Scans the target for files of interest by extension, including .accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml and .wab.
  3. XDMonitor: Monitors connections to the target device and exfiltrates the monitored data.
  4. XDUpload: Exfiltrates the files identified by XDList to the C&C server.
  5. XDLoc: Gathers information on Wi-Fi networks in the target system’s vicinity.
  6. XDPass: Extracts saved passwords from browsers.
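The module behaviour above suggests two host-side hunting checks, shown here as an added example that is not ESET’s code: flag any process that reads an unusually large number of distinct files carrying XDList’s target extensions, and match file paths against the file-name indicators listed later under Indicators of Compromise. The log format, process names, threshold, and the assumption that the %YEAR%%MONTH%%DAY%_%TICK_COUNT% placeholder expands to YYYYMMDD followed by digits are all constructed for this example.

```python
# Added hunting helpers for the XDSpy module behaviour described above. Not
# ESET's code: the extension list and IoC file names come from this write-up;
# the log format, process names, threshold and the assumption that
# %YEAR%%MONTH%%DAY%_%TICK_COUNT% expands to YYYYMMDD_<digits> are constructed.
import ntpath
import re
from collections import defaultdict

XDLIST_EXTENSIONS = {  # document extensions XDList searches for
    ".accdb", ".doc", ".docm", ".docx", ".mdb", ".xls", ".xlm", ".xlsx",
    ".xlsm", ".odt", ".ost", ".ppt", ".pptm", ".ppsm", ".pptx", ".sldm",
    ".pst", ".msg", ".pdf", ".eml", ".wab",
}

# File-name indicators as case-insensitive regexes over a Windows path.
IOC_PATH_PATTERNS = [
    re.compile(r"\\Temp\.NET\\(archset|hdir|list)\.dat$", re.I),
    re.compile(r"\\tmp\d{8}_\d+\.s$", re.I),           # assumed expansion
    re.compile(r"\\fl637136486220077590\.data$", re.I),
    re.compile(r"(^|\\)wgl\.dat$", re.I),
]

# Constructed file-access log format: "<ts> <process> pid=<n> read <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) pid=(?P<pid>\d+) read (?P<path>.+)$")

SAMPLE_LOG = [  # constructed sample, not real telemetry
    r"2020-09-14T09:02:11Z winword.exe pid=1204 read C:\Users\ana\Documents\memo.docx",
    r"2020-09-14T09:02:40Z winword.exe pid=1204 read C:\Users\ana\Documents\budget.xlsx",
    r"2020-09-14T09:05:01Z dropped.exe pid=3320 read C:\Users\ana\Documents\memo.docx",
    r"2020-09-14T09:05:01Z dropped.exe pid=3320 read C:\Users\ana\Documents\budget.xlsx",
    r"2020-09-14T09:05:02Z dropped.exe pid=3320 read C:\Users\ana\Desktop\contract.PDF",
    r"2020-09-14T09:05:02Z dropped.exe pid=3320 read C:\Users\ana\AppData\Local\Microsoft\Outlook\ana.ost",
    r"2020-09-14T09:05:04Z dropped.exe pid=3320 read C:\Users\ana\AppData\Roaming\Temp.NET\list.dat",
]

def matches_ioc_path(path):
    """True if the path matches one of the file-name indicators above."""
    return any(p.search(path) for p in IOC_PATH_PATTERNS)

def flag_document_sweeps(log_lines, threshold=3):
    """Map (process, pid) -> count of distinct XDList-type files read, for
    processes exceeding `threshold`; a few user document opens stay under it."""
    seen = defaultdict(set)
    for m in filter(None, map(LOG_RE.match, log_lines)):
        path = m["path"].lower()
        if ntpath.splitext(path)[1] in XDLIST_EXTENSIONS:
            seen[(m["proc"], m["pid"])].add(path)
    return {k: len(v) for k, v in seen.items() if len(v) > threshold}
```

On the constructed log, winword.exe stays under the threshold while dropped.exe, which touched four distinct documents and an IoC path within seconds, is reported.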

Figure: XDSpy Malware Architecture (Source: ESET)

Indicators of Compromise

The following indicators of compromise are associated with a successful infiltration of a target system:


Filenames

  • %APPDATA%\Temp.NET\archset.dat
  • %APPDATA%\Temp.NET\hdir.dat
  • %APPDATA%\Temp.NET\list.dat
  • %TEMP%\tmp%YEAR%%MONTH%%DAY%_%TICK_COUNT%.s
  • %TEMP%\fl637136486220077590.data
  • wgl.dat


XDSpy went quiet from March to June 2020, after CERT Belarus issued its advisory in February, but the group resumed its cyber espionage activities thereafter, exploiting vulnerabilities in the legacy JavaScript engine of Internet Explorer.

Faou told ZDNet that the group managed to stay undetected for nine years thanks to two techniques: a kill switch that disabled the plugins once a certain date had passed, and the absence of a persistence mechanism. He said, “They were able to use the same code base for 9 years while being able to evade some security products by tweaking the obfuscation.”

Now with anti-incumbency protests in Belarus raging on for the ninth consecutive Sunday following the country’s presidential elections a couple of months ago, the malicious group may have found an opening and ramped up operations in the region.
