silversurfer

Researchers at ESET today published details about a threat actor that has been operating for at least nine years, yet their activity attracted almost no public attention.

Going largely unnoticed for this long is a rare occurrence these days as malicious campaigns from long-standing adversaries overlap at one point or give sufficient clues for researchers to determine that the same actor is behind them.

At the Virus Bulletin 2020 security conference today, ESET provided details about the victims and operations of a newly discovered advanced persistent threat (APT) named XDSpy, after the main malware downloader used in attacks.

ESET malware researchers Matthieu Faou and Francis Labelle say that the group has been running cyber-espionage campaigns since at least 2011.

XDSpy’s main interest is in the Eastern Europe and Balkans regions (Belarus, Moldova, Russia, Serbia, and Ukraine), targeting primarily government agencies (military, Ministries of Foreign Affairs), although private companies are also among its victims.
Read more: XDSpy cyber-espionage group operated discretely for nine years
Andy Ful

"Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group compromised many government agencies and private companies in Eastern Europe and the Balkans."

"Even though the various malware samples don’t show a high level of sophistication in their development, the campaign appears to be well run. Over the nine years of activity, the operators carefully and consistently removed artefacts that could help unmask the developers’ or operators’ origin."


1601659316679.png


"Capabilities
XDDown is nothing but a downloader – hence our chosen name. This architecture choice is quite different from what we see in other APT malware frameworks, which tend to be quite complex with a whole set of backdoor commands and a logging mechanism. On one hand, the XDSpy approach is easier to develop but, on the other hand, it is much less flexible for the operators as a new binary needs to be built, downloaded and executed to perform any action on the compromised machine."


The white paper:
Andy Ful

It seems that AVs had problems with the below infection scenario:
  1. Use shortcuts or scripting (via the email URLs or attachments) to download and run the non-malicious downloader (XDDown executable). The code is non-malicious except using the hardcoded URL which hosts the malicious spyware plugins.
  2. The XDDown.exe downloads and loads spyware plugins (DLLs with spoofed file extensions) that are loaded by the already running process. The plugin downloader XDDown.exe is reloaded on Windows start, but it is not recognized as malicious.
  3. There are no malicious changes in the system. No privilege escalation. No persistence for spyware plugins. No backdoor commands - all malicious actions are hardcoded in a plug-in. So, the hardcoded URL in the XDDown.exe is not recognized as malicious.
  4. After some time the malware removes the traces.
:unsure::(

Edit1
The malicious actions could probably be recognized by inspecting the network traffic to the unknown (suspicious) server.
The infection chain also uses the autorun registry key to run the downloader, which is also suspicious, but can be easily overlooked if there are no other signs of infection.

Edit2
It is also an example that spear-phishing can avoid honeypots. So, malware hunters had much fewer chances to analyze this threat.
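The scenario above turns on two observable traits: the downloader carries a hardcoded URL, and the plugins it fetches are PE images stored under spoofed (non-executable) file extensions. The following triage script, added here as an illustration and not code from the thread or from ESET, shows how a defender could sweep a directory for both: it flags any file with a valid MZ/PE header whose extension is not one normally used for executables, and lists every URL string embedded in each PE so the analyst can compare it against known infrastructure. The extension allowlist, the constructed sample files and the `example.invalid` host are assumptions for the demonstration.

```python
from __future__ import annotations

import re
import struct
import tempfile
from pathlib import Path

# Extensions under which a PE image is expected to live. Any other extension
# that carries a PE header is reported as "spoofed". (Assumption: a sensible
# default list, not one taken from the thread or the ESET paper.)
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}

# Loose URL matcher over raw bytes; good enough to surface hardcoded C2 strings.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def is_pe(data: bytes) -> bool:
    """True if the blob has a DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def embedded_urls(data: bytes) -> list[str]:
    """Unique, sorted URL strings found anywhere in the file bytes."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})


def scan_dir(root: Path | str) -> list[dict]:
    """Walk a tree and report every PE image, noting spoofed extensions and URLs."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not is_pe(data):
            continue
        findings.append({
            "path": str(path),
            "spoofed_extension": path.suffix.lower() not in PE_EXTENSIONS,
            "urls": embedded_urls(data),
        })
    return findings


def fake_pe(payload: bytes) -> bytes:
    """Build a minimal MZ/PE-looking blob (constructed test data, not a real binary)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> right after header
    return bytes(header) + b"PE\0\0" + payload


def demo() -> dict:
    """Populate a temp directory with constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # A PE under a normal extension with no embedded URL.
        (root / "clean.dll").write_bytes(fake_pe(b"\0" * 16))
        # A PE hiding behind a non-executable extension with a hardcoded URL
        # (hypothetical host; the thread's real indicators are not reproduced here).
        (root / "report.tmp").write_bytes(
            fake_pe(b"\0http://example.invalid/plugins/x\0"))
        # A genuine text file: contains a URL but is not a PE, so it is ignored.
        (root / "notes.txt").write_bytes(b"http://example.invalid/ is just text")
        results = scan_dir(root)
    return {Path(r["path"]).name: r for r in results}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, "spoofed" if finding["spoofed_extension"] else "ok", finding["urls"])
```

Running it prints `clean.dll ok []` and `report.tmp spoofed ['http://example.invalid/plugins/x']`. Pointed at a user's profile or temp directory, the same logic surfaces the combination that made this chain hard to see: a PE with an innocuous extension whose only suspicious content is the server it talks to, which is exactly where the network-traffic check from Edit1 takes over.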

Andy Ful

@Andy Ful, were you able to get hold of a sample and also test it? I did a small search, but wasn't lucky. I felt the IOCs were a bit confusing. :unsure:
The most recent variant is accessible on Any.Run:
SHA-1 hash:
B807756E9CD7D131BD42C2F681878C7855063FE2
MD5 hash:
4aca8298c6068a5765740d5aca870422

I found the malware hash on the author's blog: