Researchers at the security company ESET have published details of a hacker group that has been stealing sensitive documents from governments and companies in Eastern Europe and the Balkans since 2011. Notably, the group, dubbed XDSpy, operated for more than nine years almost unnoticed; the only earlier public mention of its activity was a warning issued by the Belarusian CERT in February 2020.
XDSpy mainly targets government agencies, including military and interior ministries, as well as private companies located in Eastern Europe and the Balkans. So far the researchers have identified only one attack vector used to compromise victims: spear-phishing emails carrying either malicious attachments or links to malicious files.
When the victim opens the attachment or follows the link, the XDDown malware is installed - a downloader that fetches additional malicious modules, in particular XDRecon (collects basic information about the compromised machine), XDList (crawls the file system for documents of interest and can also take screenshots), XDMonitor (works much like XDList) and XDUpload (exfiltrates a hard-coded list of files from the file system to the command and control server).
According to the researchers, an exploit used in the XDSpy attacks shares characteristics with tools used in the DarkHotel and Operation Domino campaigns, but ESET found no link between the three groups. A shared exploit does not by itself imply a shared operator; the most likely explanation, the researchers say, is that all three buy from the same exploit broker.