XDSpy - Another Stealthy Cyberespionage Operation Uncovered

Threat actors carry out cyberespionage operations stealthily, staying under the radar of security tools and thus avoiding public attention. A new espionage group was discovered recently, raising concerns about how effective current security systems are at detecting such hidden threats.

What has been discovered?

ESET researchers have discovered a threat actor that has been operating for almost nine years without leaving any clues about its widespread espionage activities.
  • Named XDSpy, the new APT has been active since at least 2011, targeting Eastern Europe and the Balkans, including Belarus, Moldova, Russia, Serbia, and Ukraine.
  • Although it is mostly interested in government agencies, including military agencies and Ministries of Foreign Affairs, it has also been observed targeting private companies.

Known TTPs

XDSpy is known to use a specific set of tools and tactics for its espionage campaigns.
  • It uses spearphishing as its main attack vector, sending emails with malicious attachments or links.
  • The main payload is XDDown, which is used to establish persistence. It allows the attacker to download additional plugins from the command and control server. These include XDRecon, XDUpload, XDLoc, XDPass, and XDList (information/data stealers), as well as XDMonitor for monitoring removable drives.
  • The group exploits an Internet Explorer vulnerability (CVE-2020-0968) to make its way inside networks.

Recent incidents

In recent months, several threat actors have been identified that had been working in stealth mode for a long time before getting caught.
  • In September, Check Point researchers uncovered the Iranian espionage group Rampant Kitten, which had been working undetected for almost six years while targeting dissidents and members of the global Iranian diaspora.
  • In August, Group-IB published a report about stealthy RedCurl hackers that managed to stay under the radar for several years by using custom tools and red team-like espionage techniques.

Closing notes

The disclosure of such long-running hidden operations indicates that threat actors are adopting, and probably mastering, stealth capabilities to dodge traditional security systems. It is highly likely that there are several other yet-to-be-discovered threat actors. Thus, experts recommend a continuous and proactive upgrade of security infrastructure to withstand such threats.