Researchers at the international cybersecurity company ESET have detected a new APT (advanced persistent threat) group that has been stealing sensitive documents from governments in Eastern Europe and the Balkan region since 2011. The XDSpy group, as ESET named it, managed to remain undetected for nine years, which is quite rare. Members of the group have compromised many government agencies and private companies.
"The group had not attracted attention until now, with the exception of an advisory issued by the Belarusian CERT in February 2020," said Mathieu Faou, the ESET researcher who analyzed the malware.
The XDSpy group uses spear-phishing to attack its targets. Some of the emails it sends carry an attachment, while others contain a link that leads to a malicious file. The first stage of the malicious attachment or download is a ZIP or RAR archive.
In late June 2020, the attackers stepped up their efforts using CVE-2020-0968, a vulnerability in Internet Explorer that was patched in April 2020. "During 2020, the team exploited the COVID-19 pandemic at least two times to launch attacks, including one just a month ago," Faou adds.
"Since we did not detect any code similarities with other malware families and did not notice any overlap in the network infrastructure, we conclude that XDSpy is a group that has not been recorded before," concludes Faou.
The targets of the XDSpy group are located in Eastern Europe and the Balkans. They are mainly government agencies, such as armed forces and foreign ministries, as well as private companies.
For more technical details about the spyware, see the related blog post at WeLiveSecurity.