New APT Group XDSpy Targets Belarus and Russian-Speakers

Security researchers have discovered a new APT group that has been stealing sensitive information from Eastern European governments and businesses for over nine years.

Dubbed “XDSpy,” the group shares no similarities in malicious code, network infrastructure or regional targets with any known APT outfit, according to ESET.

It operates largely in a GMT+2 or +3 time zone, the same as its targets, and operatives work only Monday-Friday.

It focuses exclusively on spearphishing to compromise targets, although emails could contain malicious RAR or ZIP attachments or links.

Interestingly, the group’s technical proficiency seems to vary, according to ESET.

On the one hand it has used the same malware architecture for nine years, with the main XDDown malware component downloaded to a victim computer from a C&C server. This installs additional plugins to gather basic info, crawl the C drive, exfiltrate local files, gather browser passwords and more.

On the other hand, it was recently spotted exploiting CVE-2020-0968. “At the time it was exploited by XDSpy, no proof-of-concept and very little information about this specific vulnerability was available online,” explained ESET. “We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves by looking at previous exploits for inspiration.”

The security vendor refused to speculate on who could be behind XDSpy. The group is most interested in stealing information from government targets in Eastern Europe and the Balkans, including a campaign against Belarusian institutions in February and Russian-speaking targets in September this year.

Moldova, Serbia, Russia and Ukraine have also come under attack since 2011.

“The group has attracted very little public attention so far, with the exception of an advisory from the Belarusian CERT in February 2020,” said Mathieu Faou, ESET researcher. “Since we did not find any code similarities with other malware families, and we did not observe any overlap in the network infrastructure, we conclude that XDSpy is a previously undocumented group.”
