The hacker group XDSpy stole government secrets in Europe for years. The previously unnoticed group often used spear phishing related to COVID-19 for their cyber espionage.
ESET researchers have unmasked a cyber espionage group that had previously operated unnoticed. According to the European security vendor, the APT group has been active since 2011 and specializes in stealing sensitive government documents in Eastern Europe and the Balkans. Its targets are primarily government agencies, including military facilities and foreign ministries, along with a few companies. The group, which ESET has named XDSpy, went largely undetected for nine years, which is rare.
Neglected security updates invite attackers
"The XDSpy campaign is exemplary of the current state of cybersecurity. Unsuccessful security updates, outdated software and hardware, lack of monitoring: all of this not only invites spies, but also other cyber gangsters. However, it would be a fallacy to believe that only Eastern European authorities and institutions can easily fall victim," says Thomas Uhlemann, Security Specialist at ESET Germany. "There are still far too many IT incidents in German-speaking countries. These could be avoided if the simplest basic IT security rules such as malware protection, constant updates of hardware and software, appropriate budgets, modern access authorizations, encryption and know-how had been in place."
Successful spear phishing attacks
XDSpy operators have long used spear phishing emails to compromise their targets. The emails vary: some carry an attachment, others a link to a malicious file. In both cases the file is usually a ZIP or RAR archive containing an LNK file. When the victim double-clicks that LNK file, it downloads and installs XDDown, the main component of the malware.
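The delivery chain above (archive attachment, LNK inside, payload fetched on double-click) is one a mail gateway or triage script can screen for. The following is an added example, not code from ESET or from the XDSpy research: it inspects a ZIP attachment in memory and flags LNK members by extension, by double extension and by the fixed Shell Link header, so a renamed LNK is still caught. The sample archive is constructed inline; the function names and the extension list are the author's assumptions, and only ZIP is handled because the standard library has no RAR reader.

```python
import io
import os
import zipfile

# Shell Link (.lnk) files begin with HeaderSize 0x4C followed by the fixed
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK). Matching on
# content catches an LNK even when its extension has been disguised.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions worth holding for review when found inside an e-mail attachment
# archive; .lnk is the one the campaign described here relies on (assumed list).
RISKY_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta"}


def flag_archive_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) pairs for suspicious entries in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = os.path.basename(name).lower()
            root, ext = os.path.splitext(base)
            if ext in RISKY_EXTENSIONS:
                findings.append((name, f"risky extension {ext}"))
                # "Report.pdf.lnk"-style names hide the real type behind a
                # familiar document extension.
                if os.path.splitext(root)[1]:
                    findings.append((name, "double extension"))
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC and ext != ".lnk":
                findings.append((name, "LNK header under non-.lnk name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a captured lure): a disguised LNK, a benign
    text file and an LNK renamed to a neutral extension."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only; resolves to nothing
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.pdf.lnk", fake_lnk)
        zf.writestr("notes/readme.txt", "benign text\n")
        zf.writestr("shortcut.dat", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in flag_archive_members(build_sample_archive()):
        print(f"{member}: {reason}")
```

The content check matters more than the extension check: a gateway rule that only blocks `*.lnk` is bypassed by renaming, whereas the 20-byte header is what Windows itself uses to recognise a shortcut.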
XDSpy exploits a Microsoft vulnerability
At the end of June 2020, the attackers intensified their attacks by exploiting a vulnerability in Internet Explorer, CVE-2020-0968. Microsoft had patched it in April 2020, but the update had evidently not been installed everywhere. Instead of an archive with an LNK file, the Command & Control server delivered an RTF file. As soon as it was opened, it downloaded an HTML file that exploited the vulnerability.
CVE-2020-0968 is one of a series of similar vulnerabilities in Internet Explorer's legacy JavaScript engine that were disclosed over the last two years. At the time XDSpy exploited it, there was no public proof of concept and very little information about this particular vulnerability was available online. Presumably, the group either bought the exploit from a broker or developed a 1-day exploit themselves.
Free riders: victims lured with Covid-19 themes
The hacker group has jumped on the Covid-19 bandwagon at least twice in 2020. "The latest case was discovered a few weeks ago as part of their ongoing spear phishing campaigns," adds ESET Researcher Matthieu Faou. "Since we found no code similarities with other malware families and observed no overlaps in the network infrastructure, we assume that XDSpy is a previously undocumented group," Faou concludes.
More on this at WeLiveSecurity at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.