Researchers at the international cybersecurity company ESET have identified a new APT (advanced persistent threat) group that has been stealing sensitive documents from governments in Eastern Europe and the Balkans since 2011. The group, which ESET named XDSpy, went unnoticed for nine years, which is quite rare. Its members have put many government agencies and private companies at risk.
"The group has not received much attention so far, with the exception of an advisory issued by the Belarusian CERT in February 2020," said Mathieu Faou, the ESET researcher who analyzed the malware.
The XDSpy group uses spear-phishing to attack its targets. Some of the emails it sends carry an attachment, while others contain a link that leads to a malicious file. In both cases the first stage is a ZIP or RAR archive.
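The archive-in-an-email delivery described above is something a mail gateway can screen for before the first stage ever reaches a user. The following Python script is an added example, not code from ESET or from the XDSpy analysis: it inspects an in-memory ZIP attachment and reports entries that carry executable or script extensions, document names hiding a second executable extension, path-traversal entry names, and extreme compression ratios. The extension lists, the ratio threshold and the two sample archives are constructed for illustration and are assumptions, not values taken from the article.

```python
import io
import zipfile

# Assumption: illustrative lists; a real gateway would tune these to local policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".lnk", ".js", ".jse", ".vbs",
                    ".vbe", ".hta", ".ps1", ".bat", ".cmd", ".wsf"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
# Assumption: ratio above which an entry is flagged as a possible decompression bomb.
MAX_COMPRESSION_RATIO = 100


def inspect_zip_attachment(data: bytes) -> list[str]:
    """Return a list of human-readable findings for a ZIP attachment held in memory.

    An empty list means nothing in the archive tripped a rule; it is not proof
    the attachment is safe, only that this cheap first-pass check found nothing.
    """
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]

    for info in zf.infolist():
        name = info.filename
        base = name.lower().rsplit("/", 1)[-1]      # strip any directory part
        parts = base.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""

        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable content: {name}")
        # e.g. report.pdf.exe or invoice.docx.lnk: document name, executable extension
        if len(parts) > 2 and "." + parts[-2] in DOC_EXTENSIONS and ext in RISKY_EXTENSIONS:
            findings.append(f"double extension masquerading as a document: {name}")
        # Entry names that would escape the extraction directory
        if name.startswith("/") or ".." in name.split("/"):
            findings.append(f"path traversal in entry name: {name}")
        # Very high expansion ratios are a classic way to exhaust a scanner
        if info.compress_size > 0 and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
            findings.append(f"suspicious compression ratio: {name}")
    return findings


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory ZIP from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real XDSpy artefacts).
BENIGN_SAMPLE = build_sample_zip({"report.pdf": b"%PDF-1.4 constructed sample"})
SUSPICIOUS_SAMPLE = build_sample_zip({
    "report.pdf.exe": b"MZ constructed sample",
    "readme.txt": b"constructed text",
})

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, inspect_zip_attachment(sample) or ["no findings"])
```

The script only looks at archive metadata, so it runs quickly on every inbound message; anything it flags can be routed to sandbox detonation rather than blocked outright, which keeps false positives from delaying legitimate documents. RAR attachments, which the article also mentions, need a third-party parser and are deliberately out of scope here.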
In late June 2020, the attackers stepped up their efforts by exploiting CVE-2020-0968, an Internet Explorer vulnerability that had been patched in April 2020. "In 2020, the group exploited the COVID-19 pandemic at least twice to launch attacks, including a case just a month ago," Faou added.
"Since we did not detect any code similarities with other malware families and did not notice any overlap in the network infrastructure, we conclude that XDSpy is a group that has not been recorded before," concludes Faou.
The targets of the XDSpy group are located in Eastern Europe and the Balkans. They are mainly government bodies, such as armed forces and foreign ministries, as well as private companies.
For more technical details about the spyware, see the related blog post on WeLiveSecurity.