The Slovak security company ESET has discovered a new state-sponsored hacking group (such groups are also known as APTs). Named XDSpy, the group managed to go unnoticed for almost nine years before its activity was uncovered.
The group's activity was first presented today by ESET researchers in a talk at the Virus Bulletin 2020 security conference.
ESET stated that the group's main interest was identifying and stealing documents. Its targets were government bodies and private companies in Eastern Europe and the Balkans.
According to ESET telemetry data, the targeted countries were Belarus, Moldova, Russia, Serbia and Ukraine, although there may be other XDSpy operations that have not yet been discovered.
ESET reports that the group's activity was exposed after the CERT Belarus team tracked its operations and published a detailed security alert.
Using this security alert as a starting point, ESET was able to uncover earlier XDSpy operations. Matthieu Faou and Francis Labelle, the two ESET security researchers who led the XDSpy investigation, said the group's main tool was a malware toolkit called XDDown.
The malware, which Faou described as "not state of the art", could infect its victims and help the group collect sensitive data from infected targets.
ESET describes XDDown as a "downloader" that was used to infect a victim and then fetch secondary tools, each performing a specialized task.
Let's look at the tools that ESET has discovered:
XDRecon - a tool that scans an infected host, collects hardware specifications and operating system details, and sends the data back to the XDDown / XDSpy command and control server.
XDList - a tool that searches for files with specific extensions (Office documents, PDFs and address books).
XDMonitor - a tool that monitors the types of devices connected to an infected host.
XDUpload - a tool that uploads the stolen files to the XDSpy server.
XDLoc - a tool that gathers information about nearby Wi-Fi networks; this information is believed to have been used to track victims' movements via public Wi-Fi network maps.
XDPass - a tool that extracts saved passwords from locally installed browsers.