The Slovak security company ESET has discovered a new state-funded hacking group (such groups are also known as APTs). Named XDSpy, the group managed to go unnoticed for almost nine years before its activity was discovered.
The team's work was first presented today by ESET researchers in a speech at the Virus Bulletin 2020 security conference.
ESET said the group's main interest was in identifying and stealing documents. It targeted government agencies and private companies in Eastern Europe and the Balkans.
The countries targeted included Belarus, Moldova, Russia, Serbia and Ukraine, according to ESET telemetry data, but other aspects of XDSpy's activity remain undiscovered.
ESET reports that the group's activity ceased after it was tracked and a detailed security advisory was published by the CERT Belarus team.
Using this security advisory as an initial clue, ESET was able to uncover XDSpy's previous operations. Matthieu Faou and Francis Labelle, the two ESET security researchers who led the investigation into XDSpy, said the group's main tool was a malware toolkit they called XDDown.
The malware, described by Faou as "not state-of-the-art", could infect its victims and help the team collect sensitive data from infected targets.
ESET describes XDDown as a "downloader" used to infect a victim and then fetch secondary tools that perform various specialized tasks.
Let's look at the tools that ESET has discovered:
XDRecon - a tool that scans an infected host, collects hardware specifications and operating system details, and sends the data back to the XDDown/XDSpy command and control server.
XDList - a tool that searches for files with specific extensions (Office files, PDFs and address books).
XDMonitor - a tool that tracks the type of devices connected to an infected host.
XDUpload - a tool that uploads stolen files to the XDSpy server.
XDLoc - a tool that gathers information about nearby WiFi networks, information believed to have been used to track victims' movements against maps of public WiFi networks.
XDPass - a tool that extracts passwords from locally installed browsers.