ESET, a Slovakia-based cybersecurity firm, has published details of XDSpy, a previously unknown, state-sponsored espionage group. The group kept a very low profile and went unnoticed for more than nine years, surfacing only in a wave of activity earlier this year.
In a presentation at the Virus Bulletin 2020 security conference, ESET researchers gave the first detailed account of how the group works. ESET said the group's main focus is reconnaissance and document theft. It targets government agencies and private companies in Eastern Europe and the Balkans. Known target countries include Belarus, Moldova, Russia, Serbia and Ukraine, but ESET cautions that its telemetry may not have captured every XDSpy operation.
ESET stated that the group quickly shut down one of its campaigns after it was detected and described in detail in a security alert issued by the CERT Belarus team. Using that alert as a starting point, ESET was able to trace XDSpy operations back through the group's past activity. Matthieu Faou and Francis Labelle, the two ESET researchers who investigated XDSpy, say the group's main tool is a malware toolkit called XDDown.
Faou says the toolkit is not state-of-the-art, but it is enough to infect victims and help the group collect sensitive data from compromised machines. ESET describes XDDown as a "downloader": it establishes the infection and then fetches auxiliary modules, each of which performs one specialized task.
This modular design keeps the downloader itself small and generic, which makes it harder for security tools to flag XDDown on its own as malware, while the plug-in modules supply some fairly advanced capabilities. The XDDown modules include:
XDREcon – A module for scanning infected hosts, collecting technical specifications and operating system details, and sending data back to the XDDown/XDSpy command and control server.
XDList – A module for searching infected computers for files with specific file extensions (Office-related files, PDFs, and address books).
XDMonitor – A module that monitors which devices are connected to an infected host.
XDUpload – A module that takes the files identified by XDList and uploads them to the XDSpy server.
XDLoc – A module that collects information about nearby WiFi networks, believed to be used to geolocate victims by matching those networks against public WiFi location maps.
XDPass – A module that extracts saved passwords from locally installed browsers.
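The XDList module described above is what a defender can most readily hunt for: a single process opening many distinct Office, PDF and address-book files in a short span. The script below is an added example written for this page, not code from ESET or from the XDSpy report, and runs over constructed file-access records (timestamp, process, path). The exact extension set, the log format, the 20-files-in-5-minutes threshold and the process name "updater.exe" are all assumptions made for illustration; the article only says XDList looks for "Office-related files, PDFs, and address books".

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed document extension set. ESET's write-up only says XDList looks for
# "Office-related files, PDFs, and address books"; the concrete list here is ours.
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",   # Office-related
    ".pdf",                                               # PDF
    ".pab", ".wab", ".vcf",                               # address books / contacts
}


def parse_event(line: str) -> Tuple[datetime, str, str]:
    """Parse one constructed file-access record: '<ISO timestamp>|<process>|<path>'."""
    ts, proc, path = line.strip().split("|", 2)
    return datetime.fromisoformat(ts), proc, path


def is_document(path: str) -> bool:
    """True if the path's extension is one an XDList-style collector goes after."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in DOCUMENT_EXTENSIONS


def find_enumerators(lines: List[str], threshold: int = 20,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {process: peak_distinct_documents} for every process that opened at
    least `threshold` distinct document files inside any `window`-long span."""
    per_proc: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, proc, path = parse_event(line)
        if is_document(path):
            per_proc[proc].append((ts, path))

    flagged: Dict[str, int] = {}
    for proc, events in per_proc.items():
        events.sort()
        in_window: Dict[str, int] = {}   # path -> occurrences inside the window
        left, peak = 0, 0
        for ts, path in events:
            in_window[path] = in_window.get(path, 0) + 1
            # Slide the left edge forward until the span is at most `window` wide.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[proc] = peak
    return flagged


def build_sample_events() -> List[str]:
    """Constructed events: one benign editor, one noisy-but-harmless loader, and one
    hypothetical process ('updater.exe') sweeping a Documents folder."""
    base = datetime(2020, 10, 1, 9, 0, 0)
    lines: List[str] = []
    # Benign: a word processor opens three documents over an hour.
    for i, minute in enumerate((0, 20, 45)):
        ts = (base + timedelta(minutes=minute)).isoformat()
        lines.append("|".join([ts, "WINWORD.EXE",
                               "C:\\Users\\alice\\Documents\\report" + str(i) + ".docx"]))
    # Noisy but not document theft: many DLL loads in a few seconds.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append("|".join([ts, "explorer.exe",
                               "C:\\Windows\\System32\\lib" + str(i) + ".dll"]))
    # Suspicious: 25 distinct documents of mixed types opened two seconds apart.
    exts = [".docx", ".xlsx", ".pdf", ".pptx", ".pab"]
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append("|".join([ts, "updater.exe",
                               "C:\\Users\\alice\\Documents\\file" + str(i) + exts[i % len(exts)]]))
    return lines


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for proc, count in find_enumerators(SAMPLE_EVENTS).items():
        print(proc + ": " + str(count) + " distinct documents in a 5-minute window")
```

The heuristic counts distinct paths rather than raw opens, so a process re-saving the same file repeatedly is not flagged, and the sliding window means a legitimate editor that touches a few documents an hour stays below threshold. In practice the threshold and window need tuning per host role (backup agents and indexers will trip it), and the same structure can be pointed at browser credential stores to catch XDPass-style reads.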