ESET researchers uncover a new APT group that has been stealing sensitive documents from several governments in Eastern Europe and the Balkans since 2011
Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.
This blogpost is a summary, with updated information about the compromise vectors and Indicators of Compromise, of research that we’ve presented at the Virus Bulletin 2020 conference (see the full paper and the presentation).
Targets of the XDSpy group are located in Eastern Europe and the Balkans and are primarily government entities, including militaries and Ministries of Foreign Affairs, and private companies. Figure 1 shows the location of known victims according to ESET telemetry.
Figure 1. Map of XDSpy victims according to ESET telemetry (Belarus, Moldova, Russia, Serbia and Ukraine)
After careful research, we were not able to link XDSpy to any publicly known APT group:
Moreover, the group has been active for more than nine years. So, had such an overlap existed, we believe that it would have been noticed, and the group uncovered, a long time ago.
We believe that the developers might be working in the UTC+2 or UTC+3 time zone, which is also the time zone of most of the targets. We also noticed they were only working from Monday to Friday, suggesting a professional activity.
XDSpy operators mainly seem to use spearphishing emails in order to compromise their targets. In fact, this is the only compromise vector that we have observed. However, the emails tend to vary a bit: some contain an attachment while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP or RAR archive.
Figure 2 is an example of an XDSpy spearphishing email sent in February 2020.
Figure 2. Spearphishing email sent by XDSpy’s operators in February 2020
Roughly translated, the body of the email says:

Good afternoon!
I am sending you a copy of the letter and photo materials based on the results of the work. Click on the link to download: photo materials_11.02.2020.zip
We are waiting for an answer until the end of the working day.
The link points to a ZIP archive that contains an LNK file, without any decoy document. When the victim double-clicks on it, the LNK downloads an additional script that installs XDDown, the main malware component.
After our paper was submitted to Virus Bulletin, we continued to track the group and, after a pause between March and June 2020, they came back. At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. Instead of delivering an archive with a LNK file, the C&C server was delivering an RTF file that, once opened, downloaded an HTML file exploiting the aforementioned vulnerability.
CVE-2020-0968 is part of a set of similar vulnerabilities in the IE legacy JavaScript engine disclosed in the last two years. At the time it was exploited by XDSpy, no proof-of-concept and very little information about this specific vulnerability was available online. We think that XDSpy either bought this exploit from a broker or developed a 1-day exploit themselves by looking at previous exploits for inspiration.
It is interesting to note that this exploit bears similarities with exploits previously used in DarkHotel campaigns, as shown in Figure 3. It is also almost identical to the exploit used in Operation Domino in September 2020, which was uploaded to VirusTotal from Belarus.
Given that we don’t believe XDSpy is linked to DarkHotel and that Operation Domino looks quite different from XDSpy, it is likely that the three groups share the same exploit broker.
Figure 3. Parts of the exploit code, including the beginning, are similar to that used in a DarkHotel campaign described by JPCERT
Finally, the group jumped on the COVID-19 wagon at least twice in 2020. It first used this theme in a spearphishing campaign against Belarusian institutions in February 2020. Then, in September 2020, they reused this theme against Russian-speaking targets. The archive contained a malicious Windows Script File (WSF) that downloads XDDown, as shown in Figure 4, and they used official website rospotrebnadzor.ru as a decoy, as shown in Figure 5.
Figure 4. Part of the script that downloads XDDown
Figure 5. Part of the script that opens the decoy URL
Figure 4 shows the malware architecture in a scenario where the compromise happens through a LNK file, as was the case in February 2020.
Figure 6. XDSpy’s malware architecture. XDLoc and XDPass are dropped in no particular order
XDDown is the main malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key.
During our research, we discovered the following plugins:
Figure 7. Loop uploading a hardcoded list of files to the C&C server (partially redacted)
More details about the various malware components can be found in the white paper.
XDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months. It is mostly interested in stealing documents from government entities in Eastern Europe and the Balkans. This targeting is quite unusual and makes it an interesting group to follow.
The group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit.
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.
Special thanks to Francis Labelle for his work on this investigation.
The comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
%APPDATA%Temp.NETarchset.dat
%APPDATA%Temp.NEThdir.dat
%APPDATA%Temp.NETlist.dat
%TEMP%tmp%YEAR%%MONTH%%DAY%_%TICK_COUNT%.s
%TEMP%fl637136486220077590.data
wgl.dat
Windows Broker Manager.dat
%TEMP%Usermode COM Manager.dat
%TEMP%Usermode COM Manager.exe
%APPDATA%WINinitWINlogon.exe
%APPDATA%msprotectexpmswinexp.exe
%APPDATA%msvdemomsbrowsmc.exe
%APPDATA%Explorermsdmcm6.exe
%APPDATA%Explorerbrowsms.exe
downloadsprimary[.]com
filedownload[.]email
file-download[.]org
minisnowhair[.]com
download-365[.]com
365downloading.com
officeupdtcentr[.]com
dropsklad[.]com
getthatupdate[.]com
boborux[.]com
easytosay[.]org
daftsync[.]com
documentsklad[.]com
wildboarcontest[.]com
nomatterwhat[.]info
maiwegwurst[.]com
migration-info[.]com
jerseygameengine[.]com
seatwowave[.]com
cracratutu[.]com
chtcc[.]net
ferrariframework[.]com
62.213.213[.]170
93.63.198[.]40
95.215.60[.]53
forgeron[.]tk
jahre999[.]tk
omgtech.000space[.]com
podzim[.]tk
porfavor876[.]tk
replacerc.000space[.]com
settimana987[.]tk
Note: This table was built using version 7 of the MITRE ATT&CK framework.

source