ESET finds hacking group XDSpy that was undetected for a decade

ESET finds hacking group XDSpy that was undetected for a decade

A rare APT has gone undetected for nine years, since 2011. The APT is a hacker group named XDSpy, and it targeted both privately-held and government-run companies based in Belarus, Russia, Serbia, Moldova, and Ukraine. 

The Slovakian cyber-security firm ESET discovered the new state-sponsored hacking group, which has remained undetected while still operating for almost a decade now.

Their hacking spree was discovered at the beginning of this year. ESET revealed details about this group in a talk they gave at the Virus Bulletin 2020 security conference. The group has mainly been doing reconnaissance and stealing documents.

Undercover operations

The targets were identified as government agencies and private companies in Eastern Europe and the Balkans. The countries aforementioned were the most affected, but the damage and extent of the XDSpy group may have gone further than initially thought. 

ESET says that XDSpy went dark when one of their campaigns was detected and a security alert was sent out by the CERT Belarus team, with details for what to pay attention to.

The security alert’s details are what enabled ESET to discover past XDSpy operations. Matthieu Faou and Francis Labelle spearheaded the research by ESET. 

Not the worst malware but not a joke either

The primary tool used by the group is a malware kit that they named XDDown. It was not precisely ‘state-of-the-art’ like the Emotet botnet, but it was good enough to infect targets and allow the group to gather sensitive information without detection. 

The XDDown is a downloader that infects a computer and allows the malware to perform some particular tasks. 

It would download secondary modules, which is why it was not detected as malware. It had some advanced features too that were detailed by researchers. As for the infection method, they used spear-phishing.

Tip: Cybercrime becomes more sophisticated: ‘we can’t continue like this.’