Previously unknown XDSpy hacker group has been stealing sensitive government data since 2011

It uses quite basic tools, but they are efficient enough to compromise the targets

Researchers from cyber security firm ESET have uncovered a hacking group that has been active since 2011 and is stealing sensitive documents from government and private entities in Eastern Europe and the Balkans.

Dubbed XDSpy, this group appears to be a state-sponsored APT group, the researchers said. Its activities were first revealed in February 2020 when the Belarusian computer emergency response team warned government agencies in the country about a threat group that was attempting to target Belarusian ministries in order to steal secret documents.

The ESET researchers say that XDSpy's activities were not limited to attacking Belarusian ministries. Its target list also included military, diplomatic and corporate entities in Ukraine, Russia, Serbia, Moldova and other countries.

According to the researchers, XDSpy appears to be a previously unknown group: its malware's code shows little similarity with other known malware families. Moreover, XDSpy's targets are somewhat uncommon, and the group has been using network infrastructure that does not overlap with that of other groups.

XDSpy uses quite basic tools, although they are efficient at infecting the targets, ESET said.

"The malware samples are slightly obfuscated using string obfuscation and dynamic Windows API library loading. Their main functions include the monitoring of removable drives, taking screenshots and exfiltrating documents," the researchers noted.

XDSpy operators work only five days a week, Monday to Friday, in time zones that match those of their targets.

To target a potential victim, the hackers send spear-phishing emails containing malicious attachments, such as RAR, ZIP, PowerPoint, or shortcut (LNK) files. Some emails instead contain a link to a malicious file.

Running any of these files downloads an additional script onto the machine, which then installs the main malware component, XDDown. The malware then downloads secondary modules (XDREcon, XDList, XDMonitor, XDUpload, XDLoc, and XDPass) to perform a variety of specialised tasks.
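As an added illustration from the defender's side (not code from ESET or from the article), the following mail-gateway triage routine flags the attachment types the article names as XDSpy lures and looks inside ZIP archives for shortcut files, including ones hiding behind a double extension. The sample archives are constructed here and are not real XDSpy artefacts; RAR archives are flagged by extension only, since the standard library has no RAR reader.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment types the article names as XDSpy lures.
SUSPECT_EXTENSIONS = {".rar", ".zip", ".ppt", ".pptx", ".pps", ".ppsx", ".lnk"}
# Windows shortcut header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
MAX_ARCHIVE_MEMBERS = 200  # do not walk absurdly large archives


def _ext(name: str) -> str:
    return PurePosixPath(name).suffix.lower()


def is_lnk(data: bytes) -> bool:
    """True if the bytes start like a Windows .lnk, whatever the file name says."""
    return data[:20] == LNK_MAGIC


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing notable.
    ZIP members are checked by extension and by LNK header; nested archives
    are not expanded."""
    findings = []
    ext = _ext(name)
    if ext in SUSPECT_EXTENSIONS:
        findings.append(f"{name}: lure-type extension {ext}")
    if is_lnk(data):
        findings.append(f"{name}: LNK header present")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:MAX_ARCHIVE_MEMBERS]:
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(20)  # enough for the header check
                if _ext(info.filename) == ".lnk" or is_lnk(head):
                    findings.append(f"{name}: archive member {info.filename} is a shortcut")
    return findings


def _build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples: a lure archive hiding a double-extension shortcut,
# and a harmless archive for comparison.
LURE_ZIP = _build_zip({"Report_2020.pdf.lnk": LNK_MAGIC + b"\x00" * 44})
BENIGN_ZIP = _build_zip({"minutes.txt": b"Agenda item 1\n"})
```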

ESET said it also found some modules that carry time-based kill switches to ensure that they are removed from the infected machine after a specific date.

In June 2020, the researchers observed XDSpy operators using the CVE-2020-0968 vulnerability in Internet Explorer to target victims. This security bug was patched by Microsoft in April 2020, and there was very little information about the exploit in the public domain at the time, suggesting that XDSpy operators either developed the exploit on their own or purchased it from an unnamed broker.

The exploit code bears some similarities to one used by DarkHotel, a threat group that is thought to be sponsored by the South Korean government and has previously targeted North Korean government agencies.