Skip to content

ESET researchers discover XDSpy, an APT group stealing government secrets in Europe since 2011

The previously undocumented group leverages COVID-19-themed spear phishing

BRATISLAVA, MONTREAL – ESET researchers uncovered a new APT group that has been stealing sensitive documents from several governments in Eastern Europe and the Balkans since 2011. Named XDSpy by ESET, the APT group has gone largely undetected for nine years, which is rare. The espionage group has compromised many government agencies and private companies. The findings were presented today at the VB2020 localhost conference.

“The group has attracted very little public attention so far, with the exception of an advisory from the Belarusian CERT in February 2020,” says Mathieu Faou, ESET researcher who analyzed the malware.

XDSpy operators use spear phishing emails in order to compromise their targets. The emails display a slight variance, as some contain an attachment, while others contain a link to a malicious file. The first layer of the malicious file or attachment is generally a ZIP or RAR archive. At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. “The group jumped on the COVID-19 bandwagon at least twice in 2020, including an instance only a month ago, in their ongoing spear phishing campaigns,” adds Faou.

“Since we did not find any code similarities with other malware families, and we did not observe any overlap in the network infrastructure, we conclude that XDSpy is a previously undocumented group,” concludes Faou.

Targets of the XDSpy group are located in Eastern Europe and the Balkans; they are primarily government entities, including militaries, Ministries of Foreign Affairs and private companies.


Location of known XDSpy group victims according to ESET telemetry


For more technical details about this spyware, read the blog post, “XDSpy: stealing government secrets since 2011” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

×

Hello!

Click one of our representatives below to chat on WhatsApp or send us an email to wordpress@version-2.com.hk

×