🇷🇺

XDSpy

APT Group Information theft and espionage ETDA ✓

Also Known As

No alias recorded

Target Countries 5

Countries highlighted in red

Belgium Belarus Republic of Moldova Serbia Ukraine

Sectors Targeted

National Security and International Affairs 9281 Government

Details

Origin 🇷🇺 RU

Last Updated 01 Jun 2022

MITRE ATT&CK 37

T1005 - Data from Local System T1020 - Automated Exfiltration T1025 - Data from Removable Media T1027 - Obfuscated Files or Information T1033 - System Owner/User Discovery T1036.004 - Masquerade Task or Service T1041 - Exfiltration Over C2 Channel T1047 - Windows Management Instrumentation T1059 - Command and Scripting Interpreter T1059.003 - Windows Command Shell T1070 - Indicator Removal on Host T1070.004 - File Deletion T1071 - Application Layer Protocol T1071.001 - Web Protocols T1082 - System Information Discovery T1083 - File and Directory Discovery T1102 - Web Service T1105 - Ingress Tool Transfer T1113 - Screen Capture T1115 - Clipboard Data T1119 - Automated Collection T1124 - System Time Discovery T1127 - Trusted Developer Utilities Proxy Execution T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T1203 - Exploitation for Client Execution T1204 - User Execution T1218.011 - Rundll32 T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1552 - Unsecured Credentials T1553.002 - Code Signing T1560 - Archive Collected Data T1566 - Phishing T1569 - System Services T1573 - Encrypted Channel T1574 - Hijack Execution Flow

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

XDSpy ESET

Observed Target Countries 5

Based on ETDA data — countries highlighted in red

Belarus Moldova Russia Serbia Ukraine

Description

(ESET) Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group compromised many government agencies and private companies in Eastern Europe and the Balkans. In this paper, we present our analysis of this nine-year-long espionage campaign, active since 2011, but which apparently went dark in February 2020. With its primary purpose seemingly being cyber espionage, this group stole documents and other sensitive files, such as victims’ mailboxes. These outcomes were achieved through the use of the XDSpy malware ecosystem, composed of at least seven components: XDDown, XDRecon, XDList, XDMonitor, XDUpload, XDLoc and XDPass. As our research has not uncovered links with any previously known APT groups, we have attributed this malware toolset to a previously unknown group.

Tools Used 14

ChromePass IE PassView MailPassView Network Password Recovery OperaPassView PasswordFox Protected Storage PassView XDDown XDList XDLoc XDMonitor XDPass XDRecon XDUpload

Operations 1

2024-07 Russia, Moldova targeted by obscure hacking group in new cyberespionage campaign https://therecord.media/russia-moldova-cyberespionage-campaign

Reports & References 3

https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/ https://therecord.media/xdspy-hackers-target-russian-military-industrial-companies

ETDA Profile

XDSpy

Origin

[Unknown]

First Seen 2011

Motivation

Information theft and espionage

View on ETDA APT Groups ↗