The activities of a hacker group that had eluded the infosec community's attention since at least 2011 have finally been brought to light. The researchers named the criminal collective XDSpy and believe it is a state-sponsored APT (Advanced Persistent Threat). XDSpy's main theater of operations is Eastern Europe and the Balkans, with targets ranging from private entities to government organizations.

The group's operations were first conclusively detected when the Belarusian computer emergency response team released a warning that the then-unnamed hacker collective was attempting to collect data from ministries in the country. Besides Belarus, XDSpy has targeted entities located in Russia, Moldova, Ukraine, and Serbia, among others. The victims span a considerable range of types, from corporations to military and diplomatic entities. Security researchers noticed that the hackers operated on a five-day work week and synchronized their operations to the victims' local time zone.

XDSpy Relies on Basic Yet Effective Malware Tools

The toolkit employed by XDSpy shows little in the way of sophisticated functionality, but that in no way means it is ineffective. The group's preferred attack vector is spear-phishing, with emails carrying poisoned attachments. Usually these are archives such as RAR or ZIP files, but they can also be PowerPoint or LNK files. Some emails instead included a link to the file carrying the malware. The attack itself is divided into multiple stages. Running the malicious file from the email executes a script tasked with downloading the main payload, called XDDown. Once installed successfully, XDDown can drop additional malware modules according to the hackers' specific goals. The secondary payloads are named XDRecon, XDList, XDMonitor, XDUpload, XDLoc and XDPass.
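As an added example (not code from the article or from the researchers who documented XDSpy), a small Python triage helper for the attachment types the article lists: it flags direct LNK and script attachments, marks PowerPoint files for sandbox-only opening, and opens ZIP archives (including nested ones) to look for droppers hidden behind a double extension. The extension lists are assumptions, the sample archive is constructed, and RAR files are not parsed because that needs a third-party library.

```python
# Added triage helper (not from the article): flag the attachment types XDSpy
# reportedly used and look inside ZIPs. Extension lists are assumptions.
import io
import zipfile

RISKY_EXT = {".lnk", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".exe", ".scr"}
DOC_EXT = {".ppt", ".pptx", ".ppsx"}

def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Return reasons a ZIP looks suspicious; empty list means none found.
    Recurses into nested ZIPs up to max_depth (a common staging trick)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP"]
    findings = []
    with zf:
        for info in zf.infolist():
            ext = _ext(info.filename)
            if ext in RISKY_EXT:
                findings.append(f"risky member {info.filename}")
            elif ext == ".zip" and depth < max_depth:
                for r in inspect_zip(zf.read(info), depth + 1, max_depth):
                    findings.append(f"{info.filename}: {r}")
    return findings

def triage_attachment(filename: str, data: bytes) -> list:
    """Classify one email attachment; returns reasons to quarantine it."""
    ext = _ext(filename)
    if ext in RISKY_EXT:
        return [f"direct {ext} attachment"]
    if ext in DOC_EXT:
        return [f"PowerPoint file {filename}: open only in a sandbox"]
    if ext == ".zip":
        return inspect_zip(data)
    return []

def build_sample() -> bytes:
    """Constructed sample: ZIP with a decoy PDF plus a double-extension LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 decoy")
        zf.writestr("invoice.pdf.lnk", b"L\x00\x00\x00")  # fake header only
    return buf.getvalue()
```

Running `triage_attachment("docs.zip", build_sample())` reports the hidden `invoice.pdf.lnk` member, which is the kind of file a mail gateway should quarantine rather than deliver.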

Overall, the tools used by XDSpy include anti-analysis techniques such as string obfuscation and dynamic loading of Windows API libraries. Their main activities on a compromised system are monitoring removable drives, taking screenshots and exfiltrating data.
