XDSpy has been stealing secrets of the authorities of Eastern European countries for more than 9 years

The main targets of XDSpy are government agencies, including the military and interior ministries, as well as private companies.1.jpg

Specialists of the information security company ESET released information about a hacker group that, since 2011, has been stealing important information from governments and companies from Eastern Europe and the Balkan Peninsula. It is noteworthy that for more than nine years the activities of the group, dubbed XDSpy, remained virtually unnoticed, with the exception of a warning issued by the Belarusian CERT in February 2020.

XDSpy mainly targets government agencies, including the military and interior ministries, as well as private companies located in Eastern Europe and the Balkans. So far, experts have identified the only vector of attacks used by hackers to compromise victims - targeted phishing emails containing both malicious attachments and links to malicious files.

When clicking on a malicious link, the XDDown malware is installed on the computer - a downloader that loads additional malicious modules, in particular XDRecon (collects information about the target device), XDList (serves to search for interesting documents, can also take screenshots), XDMonitor (functions by analogy with XDList) and XDUpload (extracts the embedded file list from the file system and uploads it to the command and control server).

In addition, since the end of June 2020, the group has been using an exploit for the vulnerability ( CVE-2020-0968 ) in the outdated JavaScript engine in the Internet Explorer browser. At that time, there was practically no PoC codes or information about this vulnerability in the public domain. According to experts, the group could either purchase an exploit from a broker or create it on their own. By the way, at the beginning of September this year, ClearSky specialists discovered a malicious RTF file uploaded to VirusTotal from Belarus, exploiting the same vulnerability.

According to the researchers, the exploit used in the XDSpy attacks has similar characteristics to the tools used in the DarkHotel and Operation Domino campaigns, but ESET found no connection between the three groups. Apparently, they just use the services of the same exploit broker, experts say.

All News

Scroll top