XDDown

XDDown is the name given to the main malware tool deployed in the threatening campaigns of XDSpy, a hacker group that is classified as an Advanced Persistent Threat (APT) and is possibly state-sponsored. The hackers have so far focused their criminal activities on Eastern Europe and the Balkans. Affected entities have been detected in Belarus, Russia, Moldova, Serbia and Ukraine.

The attack vector used for the distribution of XDDown, and in fact the only attack method that has been attributed to XDSpy, is spear-phishing. The text of the emails is updated regularly and takes advantage of current events such as the COVID-19 pandemic. The poisoned attachments have also changed rapidly: XDSpy has used ZIP and RAR archives to carry a threatening PowerPoint or LNK file. In some cases the emails had no attached files but contained a direct download link instead.

If the unsuspecting user executes the file in the archive, it launches a corrupted script. So far, two distinct scripts have been observed, but their end goal is one and the same - to drop XDDown on the compromised machine at the hardcoded location %APPDATA%\WINinit\WINlogon.exe.

XDDown is a Simple Yet Effective Downloader

XDDown may be the main malware tool in XDSpy's arsenal, but by itself the threat is a rather basic downloader. Its sole purpose is to deliver six other XDSpy malware modules; it has no other functionality. Persistence is achieved through a Windows registry Run key, with an entry placed under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\. Two versions of XDDown have been observed active in the wild - a 32-bit and a 64-bit version.
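The two host-based indicators this write-up gives are the hardcoded drop path %APPDATA%\WINinit\WINlogon.exe and the HKCU Run key used for persistence. The following Python is an added defensive example, not code from the original article or from the researchers who analysed XDSpy: it takes a list of Run-key values (as you would get from enumerating the key with winreg or from a registry export) and flags any entry whose executable resolves to that drop path, handling quoted values, trailing arguments, and unexpanded %APPDATA% references. The sample Run values, the user name alice, and the helper names are constructed for the example.

```python
import ntpath
import re

# Indicator taken from the write-up: XDDown's hardcoded drop location.
XDDOWN_DROP_PATH = r"%APPDATA%\WINinit\WINlogon.exe"

# Constructed sample of HKCU\...\CurrentVersion\Run values as (name, data).
# The user name, the benign entries and the value names are invented.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WINlogon", r'"C:\Users\alice\AppData\Roaming\WINinit\WINlogon.exe"'),
    ("Updater", r"%APPDATA%\WINinit\WINlogon.exe"),
    ("Discord", r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
]

# Constructed environment for the sample host; on a live system use os.environ.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}


def _expand(path, env):
    """Expand %VAR% references from the supplied environment (names are case-insensitive)."""
    def repl(match):
        return env.get(match.group(1).upper(), match.group(0))
    return re.sub(r"%([^%]+)%", repl, path)


def _normalize(path, env):
    """Expand variables, normalise separators and fold case, so that
    %APPDATA%\\x and C:\\Users\\alice\\AppData\\Roaming\\x compare equal."""
    return ntpath.normpath(_expand(path, env)).lower()


def _executable_from_value(data):
    """Return the executable portion of a Run value: strip surrounding quotes,
    or cut at the first '.exe' when the value is unquoted and carries arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    match = re.match(r"(.*?\.exe)\b", data, re.IGNORECASE)
    return match.group(1) if match else data.split(" ", 1)[0]


def find_xddown_run_entries(run_values, env, indicator=XDDOWN_DROP_PATH):
    """Return the names of Run values whose executable is the XDDown drop path."""
    target = _normalize(indicator, env)
    return [name for name, data in run_values
            if _normalize(_executable_from_value(data), env) == target]


if __name__ == "__main__":
    for name in find_xddown_run_entries(SAMPLE_RUN_VALUES, SAMPLE_ENV):
        print(f"suspicious Run value: {name}")
```

Comparing normalised paths rather than raw strings is what makes the check robust: the same file can be registered as a quoted absolute path, an unquoted path with arguments, or an unexpanded %APPDATA% reference, and all three forms should match. On a real host, pair the registry check with a look at whether the file actually exists at the expanded path, since the modules described below are fetched by this downloader rather than persisted themselves.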

To deliver the rest of the corrupted modules, XDDown connects to the Command-and-Control infrastructure with regular GET requests. Downloading all six modules requires three separate GET requests. The modules have no persistence of their own and must be redownloaded every time the compromised user logs in. The names assigned to them by researchers are XDRecon, XDList, XDMonitor, XDUpload, XDLoc and XDPass, and all of them take the form of Windows DLL files.

While most modern APT groups are moving toward more complex malware frameworks with numerous backdoor commands, XDSpy still relies on relatively unsophisticated tools.
