XDSpy Cyber-Espionage Group Operated Discretely For Nine Years

Researchers at ESET today published details about a threat actor that has been operating for at least nine years, yet their activity attracted almost no public attention.

Going unnoticed for this long is rare these days: campaigns from long-standing adversaries usually overlap with known activity at some point, or leave enough clues for researchers to tie them to the same actor.

At the Virus Bulletin 2020 security conference today, ESET provided details about the victims and operations of a newly discovered advanced persistent threat (APT) named XDSpy, after the main malware downloader used in attacks.

ESET malware researchers Matthieu Faou and Francis Labelle say that the group has been running cyber-espionage campaigns since at least 2011.

XDSpy’s main interest is in the Eastern Europe and Balkans regions (Belarus, Moldova, Russia, Serbia, and Ukraine), targeting primarily government agencies (military, Ministries of Foreign Affairs), although private companies are also among its victims.

Before ESET’s report, the national cybersecurity incident response center (CERT) in Belarus published an advisory in February 2020 on an XDSpy spear-phishing campaign that reached more than 100 targets, among them:

  • Council of the Republic
  • Council of Ministers
  • Ministry of Economics
  • Ministry of Finance
  • Ministry of Industry
  • Ministry of Information
  • State Committee for Standardization
  • Law enforcement agencies as well as individuals and legal entities

Based on the malicious code used in attacks, network infrastructure, and victimology, ESET researchers could not confidently link XDSpy activity to a known APT group. Given the long-term activity and other factors, a professional actor is likely behind XDSpy.

“We believe that the developers might be working in the UTC+2 or UTC+3 time zone, which is also the time zone of most of the targets. We also noticed they were only working from Monday to Friday, suggesting a professional activity” – ESET

Attack tools and tactics

Spear phishing appears to be the main attack vector of the group, with emails that either contain a malicious file or link to one (typically a ZIP or RAR archive).

The archive contains a LNK file that downloads a script, which in turn installs XDDown, the main component the group uses to establish persistence and download malicious plugins from a hardcoded command and control server.
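Because the chain above starts with a LNK file inside an archive, the following is an added example (not code from ESET or this article) of a mail-gateway or triage check that flags shell-link members in a ZIP attachment, by file extension and by the fixed LNK header, run here over a constructed sample archive. Only ZIP is handled; RAR would need a third-party library.

```python
import io
import zipfile

# Windows shell-link (.lnk) files begin with HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def find_lnk_entries(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that are Windows shortcut files.

    A member is flagged when its name ends in .lnk OR when its first 20 bytes
    carry the shell-link header, so a shortcut renamed to hide its extension
    is still caught.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample archive: one ordinary document, one shortcut with a
    double extension, and one shortcut renamed to look like a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"placeholder document bytes")
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 40)  # renamed shortcut
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_lnk_entries(build_sample_archive()):
        print("shortcut found inside archive:", name)
```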

ESET discovered multiple plugins used by XDSpy for reconnaissance, gathering details, and stealing files of interest based on their extension:

  • XDRecon: collects basic information about the victim machine (computer name, current username, volume serial number of the main drive)
  • XDList: takes screenshots, crawls the C: drive for interesting files (.accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml, .wab) and exfiltrates their paths
  • XDMonitor: monitors removable drives and steals the files matching an interesting extension
  • XDUpload: steals a hardcoded list of files from the filesystem
  • XDLoc: collects nearby SSIDs (such as Wi-Fi access points), likely for geo-location purposes
  • XDPass: steals passwords from applications such as web browsers and email programs

In more recent operations (end of June), the actor exploited a vulnerability in Internet Explorer (CVE-2020-0968, patched in April) about which little was known at the time and for which no public proof-of-concept exploit code existed.

“We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves by looking at previous exploits for inspiration” – ESET

The exploit used in that attack, though, had similarities with other exploits used by DarkHotel APT. However, ESET believes there is no connection between the two groups and the common ground may be accounted for by the use of the same exploit broker.

ESET says that until moving to exploiting the IE vulnerability, the group relied on “the same basic malware architecture.” This switch shows technical evolution and may foretell increased activity from this actor.

On its GitHub page, ESET published a comprehensive list of indicators of compromise (IoCs) that includes hashes for known XDSpy components, details about their network infrastructure, and the activity on the infected system.
