ESET discovers a rare APT that stayed undetected for nine years

Active since 2011 but only discovered this year, the XDSpy hacker group targeted government and private companies in Belarus, Moldova, Russia, Serbia, and Ukraine.
Written by Catalin Cimpanu, Contributor
Image: ESET, ZDNet

Slovak cyber-security firm ESET has discovered a new state-sponsored hacking group (also known as an APT). Named XDSpy, the group is a rarity in the cyber-security landscape as it managed to remain undetected for nearly nine years before its hacking spree was discovered earlier this year.

The group's operations have been detailed for the first time today by ESET researchers in a talk at the Virus Bulletin 2020 security conference.

ESET says the group's primary focus has been reconnaissance and document theft. Its targets have been government agencies and private companies in Eastern Europe and the Balkans.

Targeted countries included Belarus, Moldova, Russia, Serbia, and Ukraine, according to ESET telemetry data, but other XDSpy operations may still be undiscovered.

ESET says the group's operations have now gone dark after one of its campaigns was detected and detailed in a security alert sent out by the CERT Belarus team.

Using this security alert as an initial clue, ESET says it was able to uncover past XDSpy operations. Matthieu Faou and Francis Labelle, the two ESET security researchers who spearheaded the investigation into XDSpy, said the group's primary tool has been a malware toolkit they named XDDown.

The malware, described to ZDNet by Faou as "not state-of-the-art" was, however, more than enough to infect victims and help the group gather sensitive data from infected targets.

ESET described XDDown as a "downloader" used to infect a victim and then download secondary modules that would perform various specialized tasks.

This prevented security tools from detecting XDDown as malicious itself, but also allowed the malware to posses some very advanced features. XDDown modules include:

  • XDREcon - a module to scan an infected host, gather technical specs and OS details, and send the data back to the XDDown/XDSpy command-and-control server.
  • XDList - a module to search an infected computer for files with specific file extensions (Office-related files, PDFs, and address books).
  • XDMonitor - a module that monitored what kind of devices were connected to an infected host.
  • XDUpload - the module that took files indentified by XDList and uploaded them on the XDXpy server.
  • XDLoc - a module to gather information about nearby WiFi networks, information that is believed to have been used to track victim movements using maps of public WiFi networks.
  • XDPass - a module that extracted passwords from locally installed browsers.
Image: ESET

As for how victims got infected, XDSpy wasn't particularly original about its operations, using the tried-and-tested technique of spear-phishing email campaigns.

In campaigns analyzed by ESET, the group used email subject lines with lures related to lost and found objects and the COVID-19 pandemic. These emails came with malicious attachments such as Powerpoint, JavaScript, ZIP, or shortcut (LNK) files. Downloading and running any of these files would usually infect the victim with malware.

Based on the malware's features, its limited distribution, and targeting of government agencies, including militaries and Ministries of Foreign Affairs, ESET said the XDSpy group was an obvious APT —advanced persistent threat— a term used by the cyber-security industry to describe hacker groups carrying out operations on behalf of foreign governments, usually for espionage and intelligence gathering.

But which government, ESET did not say. The targeted countries are usually in the focus area of both Russian and NATO countries. However, ESET also noted that many XDSpy malware samples were compiled on Eastern European timezones.

There are certain details in the group's malware to support its classification as an APT. This includes the fact that many of the plugins didn't contain a persistence mechanism, meaning the main XDDown malware would have had to re-download each modules after computer reboots.

Furthermore, ESET said it also discovered that some XDDown plugins also came with time-based killswitches that removed them after a certain date.

These two features suggest XDSpy prioritized stealth over persistence in an effort to remain undetected and avoid exposing its tools, a common tactic and modus operandi employed by many state-sponsored groups.

"Thus, they were able to use the same code base for 9 years while being able to evade some security products by tweaking the obfuscation," Faou told ZDNet in an email this week.

The world's most famous and dangerous APT (state-developed) malware

Editorial standards