5 October 2020

XDSpy hackers have been stealing government secrets in Europe since 2011


Researchers at ESET have detailed a cyber espionage campaign by a previously undocumented APT group that has been targeting government entities and private companies in Eastern Europe and the Balkans since at least 2011. What makes the campaign notable is that the group, dubbed XDSpy, went largely undetected for more than nine years, a rare occurrence in cyber security.

XDSpy mainly targets government agencies, such as militaries and Ministries of Foreign Affairs, as well as private companies in Eastern Europe and the Balkans, including Belarus, Russia, Serbia, Moldova and Ukraine. The group's primary goal appears to be stealing sensitive documents from its victims.

The researchers have not been able to attribute the group to any country, and they have found no overlaps with known APT groups.

XDSpy compromises its targets with spear-phishing emails carrying either a malicious attachment or a link to a malicious file. Once the victim opens the attachment or clicks the link, the XDDown dropper is installed on the machine and downloads additional malware components, including:

  • XDRecon: Gathers basic information about the victim machine (the computer name, the current username and the Volume Serial Number of the main drive).

  • XDList: Crawls the C: drive for files with interesting extensions (.accdb, .doc, .docm, .docx, .mdb, .xls, .xlm, .xlsx, .xlsm, .odt, .ost, .ppt, .pptm, .ppsm, .pptx, .sldm, .pst, .msg, .pdf, .eml, .wab) and exfiltrates their paths. It can also take screenshots.

  • XDMonitor: Similar to XDList, but it also monitors removable drives and exfiltrates files matching an interesting extension.

  • XDUpload: Exfiltrates a hardcoded list of files from the filesystem to the C&C server; the paths were previously sent to the C&C servers by XDList and XDMonitor.
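
As an added example (not code from ESET, the article, or XDSpy's tooling), the following Python hunt heuristic turns the XDList/XDMonitor descriptions above into detection logic: it flags a single process that reads many document files across many directories, or reads document files from a removable drive. The extension list is the one reported for XDList; the event format, the fixed-drive list, the thresholds and the sample telemetry are constructed for illustration.

```python
"""
Added example, not code from ESET, the article, or XDSpy's tooling: a hunt
heuristic for the XDList / XDMonitor behaviour described above. The extension
list is the one reported for XDList; the event format, the fixed-drive list,
the thresholds and the sample events are constructed for illustration.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Document types XDList/XDMonitor look for (from the write-up above).
INTERESTING_EXTENSIONS = {
    ".accdb", ".doc", ".docm", ".docx", ".mdb", ".xls", ".xlm", ".xlsx", ".xlsm",
    ".odt", ".ost", ".ppt", ".pptm", ".ppsm", ".pptx", ".sldm", ".pst", ".msg",
    ".pdf", ".eml", ".wab",
}

# Assumption: C: and D: are fixed disks; any other drive letter is treated as removable.
FIXED_DRIVES = {"C:", "D:"}

# Assumed thresholds: a crawler touches many folders and many document files.
MIN_DISTINCT_DIRS = 5
MIN_DOCUMENT_FILES = 8

# Constructed file-read telemetry: "timestamp|pid|image|path", one event per line.
# winword.exe is a benign user opening two files; update.exe behaves like XDList/XDMonitor.
SAMPLE_EVENTS = r"""
2020-06-12T09:01:00|4120|winword.exe|C:\Users\anna\Documents\report.docx
2020-06-12T09:01:05|4120|winword.exe|C:\Users\anna\Documents\notes.docx
2020-06-12T09:02:00|7788|update.exe|C:\Users\anna\Documents\report.docx
2020-06-12T09:02:01|7788|update.exe|C:\Users\anna\Documents\budget.xlsx
2020-06-12T09:02:02|7788|update.exe|C:\Users\anna\Desktop\memo.pdf
2020-06-12T09:02:03|7788|update.exe|C:\Users\anna\Downloads\contract.pdf
2020-06-12T09:02:04|7788|update.exe|C:\Users\anna\AppData\Local\Microsoft\Outlook\anna.ost
2020-06-12T09:02:05|7788|update.exe|C:\Users\Public\Documents\plan.pptx
2020-06-12T09:02:06|7788|update.exe|C:\Data\archive\old.doc
2020-06-12T09:02:07|7788|update.exe|C:\Data\archive\mail.msg
2020-06-12T09:02:08|7788|update.exe|C:\Windows\System32\kernel32.dll
2020-06-12T09:03:00|7788|update.exe|E:\scan\passport.pdf
2020-06-12T09:03:01|7788|update.exe|E:\scan\visa.docx
"""


def parse_event(line):
    """Parse one 'timestamp|pid|image|path' event into a dict."""
    ts, pid, image, path = line.strip().split("|", 3)
    return {"ts": ts, "pid": int(pid), "image": image, "path": PureWindowsPath(path)}


def is_interesting(path):
    """True if the extension is one XDList/XDMonitor would collect (case-insensitive)."""
    return PureWindowsPath(path).suffix.lower() in INTERESTING_EXTENSIONS


def analyze(lines):
    """Group document reads per process; return {(pid, image): [reason, ...]} for suspects."""
    per_proc = defaultdict(lambda: {"dirs": set(), "files": set(), "removable": set()})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_interesting(ev["path"]):
            continue  # DLLs, executables and other non-document reads are ignored
        stats = per_proc[(ev["pid"], ev["image"])]
        stats["files"].add(str(ev["path"]))
        stats["dirs"].add(str(ev["path"].parent))
        if ev["path"].drive.upper() not in FIXED_DRIVES:
            stats["removable"].add(str(ev["path"]))  # XDMonitor-style removable-drive access

    findings = {}
    for key, stats in per_proc.items():
        reasons = []
        if len(stats["dirs"]) >= MIN_DISTINCT_DIRS and len(stats["files"]) >= MIN_DOCUMENT_FILES:
            reasons.append(f"crawled {len(stats['files'])} document files across "
                           f"{len(stats['dirs'])} directories")
        if stats["removable"]:
            reasons.append(f"read {len(stats['removable'])} document files from a removable drive")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (pid, image), reasons in analyze(SAMPLE_EVENTS.splitlines()).items():
        print(f"{image} (pid {pid}): " + "; ".join(reasons))
```

On the sample telemetry only update.exe is reported: it touched ten document files in seven directories and two on the E: drive, while winword.exe stays below both thresholds. In a real deployment the events would come from file-access auditing (for example Sysmon or EDR telemetry) and the thresholds would need tuning against legitimate backup and indexing software, which also crawl document folders.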

The group has also exploited CVE-2020-0968, a vulnerability in Internet Explorer's legacy JavaScript engine that was patched in April 2020.

“CVE-2020-0968 is part of a set of similar vulnerabilities in the IE legacy JavaScript engine disclosed in the last two years. At the time it was exploited by XDSpy, no proof-of-concept and very little information about this specific vulnerability was available online. We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves by looking at previous exploits for inspiration,” the researchers noted.

ESET says the exploit used in XDSpy's attacks shares some similarities with exploits previously used in the DarkHotel and Operation Domino campaigns. However, since XDSpy does not appear to be linked to DarkHotel and is quite different from Operation Domino, the researchers believe the three groups share the same exploit broker.

“XDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months. It is mostly interested in stealing documents from government entities in Eastern Europe and the Balkans. This targeting is quite unusual and makes it an interesting group to follow. The group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit,” the security firm concluded.
