Researchers at the international cyber-security company ESET have identified a new APT (advanced persistent threat) group that has been stealing sensitive documents from governments in Eastern Europe and the Balkans since 2011. The group, which ESET has named XDSpy, managed to stay undetected for nine years, which is quite rare. Its members have compromised numerous government agencies and private companies.
"The group has not received much attention so far, with the exception of an advisory issued by the Belarusian CERT in February 2020," said Mathieu Faou, the ESET researcher who analyzed the malware.
The XDSpy group uses spear-phishing to attack its targets. Some of the emails it sends carry an attachment, while others contain a link that leads to a malicious file. In either case the first stage is a ZIP or RAR archive.
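The first stage described above is an ordinary ZIP or RAR archive, delivered as an attachment or behind a link. As an added example for this page (not code from the original article or from ESET), the following Python triage identifies the archive format by its leading bytes rather than its file name, lists the entries of a ZIP to flag executable or double-extension lures and password-protected members, and hands RAR bodies off for sandbox analysis since the standard library cannot read them. The extension lists and the sample attachments are assumptions constructed here.

```python
"""Triage of mailed archive attachments of the kind the article describes (a
ZIP or RAR first stage). Added example for this page, not ESET's code; the
sample attachments at the bottom are constructed inline and contain no malware."""
import io
import os
import zipfile
from typing import Dict, List

# File signatures of the two archive formats the article names as the first stage.
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"  # shared prefix of the RAR 4.x and RAR 5 signatures

ARCHIVE_EXTS = {".zip", ".rar"}
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}  # zip containers too
# Entry extensions a mailed archive rarely carries legitimately (assumed policy list).
RISKY_EXTS = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe",
              ".wsf", ".hta", ".lnk", ".cmd", ".bat", ".ps1"}
# Document extensions typically used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def detect_archive_type(data: bytes) -> str:
    """Classify by leading bytes, not by name, so a renamed archive is still caught."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "none"


def risky_entries(names: List[str]) -> List[str]:
    """Flag entries whose real extension is executable/scriptable, or that hide
    it behind a decoy document extension such as 'report.pdf.exe'."""
    flagged = []
    for name in names:
        root, ext = os.path.splitext(os.path.basename(name))
        inner = os.path.splitext(root)[1].lower()
        if ext.lower() in RISKY_EXTS or inner in DECOY_EXTS:
            flagged.append(name)
    return flagged


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Return the detected archive type, the ZIP entry list, and the reasons an
    analyst should look at this attachment (empty list means nothing flagged)."""
    kind = detect_archive_type(data)
    declared = os.path.splitext(filename)[1].lower()
    reasons: List[str] = []
    entries: List[str] = []
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entries = zf.namelist()
                # General purpose flag bit 0 marks an encrypted (password-protected) member.
                encrypted = [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
        except zipfile.BadZipFile:
            reasons.append("zip signature but unparsable body (possible evasion)")
            return {"filename": filename, "archive": kind, "reasons": reasons, "entries": entries}
        is_ooxml = "[Content_Types].xml" in entries  # an Office document is a zip container
        if not (is_ooxml and declared in OOXML_EXTS) and declared not in ARCHIVE_EXTS:
            reasons.append(f"zip body behind non-archive extension {declared or '(none)'}")
        if encrypted:
            reasons.append("password-protected entries defeat gateway scanning")
        reasons.extend(f"risky entry: {n}" for n in risky_entries(entries))
    elif kind == "rar":
        if declared != ".rar":
            reasons.append(f"rar body behind extension {declared or '(none)'}")
        reasons.append("rar archive: no stdlib reader, hand off to sandbox")
    return {"filename": filename, "archive": kind, "reasons": reasons, "entries": entries}


def _build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> bytes mapping (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a lure archive with a disguised "executable" (just an MZ
# header and zeros), a bare RAR 5 signature, and a plain-text body.
SAMPLE_LURE_ZIP = _build_zip({"Scan_2020-06-29.pdf.exe": b"MZ" + b"\x00" * 62,
                              "readme.txt": b"hello"})
SAMPLE_RAR_STUB = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
SAMPLE_PLAIN = b"Dear colleague, please find the report attached."

if __name__ == "__main__":
    for name, blob in [("documents.zip", SAMPLE_LURE_ZIP), ("invoice.pdf", SAMPLE_LURE_ZIP),
                       ("report.rar", SAMPLE_RAR_STUB), ("letter.txt", SAMPLE_PLAIN)]:
        print(triage_attachment(name, blob))
```

The signature check comes first on purpose: a mail gateway rule keyed on `.zip`/`.rar` extensions misses an archive delivered behind a document extension, whereas the magic bytes are what the user's archiver actually acts on.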
In late June 2020 the attackers stepped up their efforts using CVE-2020-0968, an Internet Explorer vulnerability that had been patched in April 2020. "In 2020, the group exploited the COVID-19 pandemic at least twice to launch attacks, including one case just a month ago," adds Faou.
"Since we did not detect any code similarities with other malware families and we observed no overlap in network infrastructure, we conclude that XDSpy is a previously undocumented group," Faou concludes.
XDSpy's targets are located in Eastern Europe and the Balkans. They are mainly government agencies, including armed forces and foreign ministries, as well as private companies.
For more technical details about the spyware, see the relevant blog post on WeLiveSecurity.