XDSpy: stealing government secrets since 2011

Matthieu Faou (ESET) & Francis Labelle (ESET)
Live only; 18:15 - 18:45 UTC, Friday 2 October 2020 (Day 3)
Early in 2020, ESET researchers discovered a previously undisclosed cyber espionage operation targeting several governments in Eastern Europe, the Balkans and Russia. Unusually, our research shows that this campaign has been active since at least 2011 with next to no changes in TTPs. It is very uncommon to find a cyber espionage operation without any public reporting after almost 10 years of activity.

A February 2020 Belarusian CERT advisory disclosed a spear-phishing campaign targeting several Belarusian ministries and agencies. Our research links that campaign to XDSpy. Its goal appears to be collecting documents from government staff such as diplomats or military personnel. Among the targets we also found a few private companies and academic institutions, suggesting that this actor also conducts economic espionage.

XDSpy's tools are quite basic but effective. The malware samples are lightly obfuscated: strings are encoded and Windows API libraries are loaded dynamically at runtime. Their main functions are monitoring removable drives, taking screenshots and exfiltrating documents. In addition, we found a custom module that collects the identifiers of nearby Wi-Fi access points, probably in order to geolocate compromised machines. The operators also use NirSoft utilities to recover passwords from web browsers and email clients. In some cases we were able to retrieve lists of the paths of the stolen files, which gave us a better understanding of the campaign's objectives.
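Two of the TTPs listed above, the use of NirSoft password-recovery utilities and the enumeration of nearby Wi-Fi access points, leave traces in process-creation telemetry that a defender can hunt for. The script below is an added illustration of such hunting rules; it is not ESET's code, not a detection from the paper, and carries no indicators from the XDSpy samples. The NirSoft image names and the `/stext`-style output switches are real features of NirSoft's command-line tools, but the page does not say which tools XDSpy used; the `netsh wlan show networks mode=bssid` command is one way a process could list access points, and the custom module may well use the WLAN API instead. The process events are constructed for the example.

```python
"""Toy hunting rules over constructed process-creation events.

Added example, not part of the original abstract or ESET's tooling.
Assumptions are marked inline; the events below are fabricated for
illustration only.
"""
import re
from dataclasses import dataclass

# Image names of real NirSoft browser/email password-recovery tools.
# Assumption: the abstract does not name the NirSoft tools XDSpy used.
NIRSOFT_IMAGES = {
    "webbrowserpassview.exe",
    "mailpv.exe",
    "chromepass.exe",
    "passwordfox.exe",
}

# Output switches shared by NirSoft's command-line tools (/stext, /scomma, ...).
# Matching the switch rather than the file name also catches renamed binaries.
NIRSOFT_SAVE_SWITCH = re.compile(
    r"(?:^|\s)/s(?:text|comma|tab|html|verhtml|xml)\b", re.IGNORECASE
)

# One way to enumerate nearby access points and their BSSIDs from a process.
# Assumption: a custom module could just as well call the WLAN API directly,
# so this rule only covers the command-line variant.
NETSH_WLAN_BSSID = re.compile(
    r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+networks\b.*\bmode=bssid\b", re.IGNORECASE
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (image path, command line, parent)."""
    image: str
    cmdline: str
    parent: str


def evaluate(event: ProcEvent) -> list[str]:
    """Return the names of all rules that match a single event."""
    hits = []
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    if image_name in NIRSOFT_IMAGES:
        hits.append("nirsoft_known_image")
    if NIRSOFT_SAVE_SWITCH.search(event.cmdline):
        hits.append("nirsoft_save_switch")
    if NETSH_WLAN_BSSID.search(event.cmdline):
        hits.append("wifi_ap_enumeration")
    return hits


def hunt(events: list[ProcEvent]) -> list[tuple[str, tuple[str, ...]]]:
    """Return (image, matched rules) for every event that triggers a rule."""
    return [(ev.image, tuple(hits)) for ev in events if (hits := evaluate(ev))]


# Constructed sample telemetry: two NirSoft-style runs (one renamed),
# one Wi-Fi enumeration, and two benign processes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Users\u\AppData\Local\Temp\WebBrowserPassView.exe",
        r'"C:\Users\u\AppData\Local\Temp\WebBrowserPassView.exe" /stext C:\Users\u\AppData\Local\Temp\b.txt',
        "explorer.exe",
    ),
    ProcEvent(  # renamed binary: only the output switch gives it away
        r"C:\Users\u\AppData\Local\Temp\svc.exe",
        r"svc.exe /scomma C:\Users\u\AppData\Local\Temp\out.csv",
        "svchost.exe",
    ),
    ProcEvent(
        r"C:\Windows\System32\netsh.exe",
        "netsh wlan show networks mode=bssid",
        "cmd.exe",
    ),
    ProcEvent(
        r"C:\Windows\System32\netsh.exe",
        "netsh interface show interface",
        "cmd.exe",
    ),
    ProcEvent(
        r"C:\Program Files\Notepad++\notepad++.exe",
        "notepad++.exe report.txt",
        "explorer.exe",
    ),
]


if __name__ == "__main__":
    for image, rules in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

Running the block flags the two NirSoft-style invocations and the `netsh wlan` enumeration while leaving the two benign processes alone. In production these rules would sit on top of real process-creation telemetry (for example Sysmon event ID 1) and would need tuning for legitimate administrative use of `netsh` and of NirSoft tools by IT staff.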

This paper presents the full chain of XDSpy's operations, from the phishing email to the spyware. We also compare XDSpy's TTPs with those of known APT groups operating in the same region to show that this campaign appears to be quite unique. Finally, we provide readers with more high-level information about the campaign by going through some of the documents and targets of interest to the group.
Matthieu Faou
Matthieu Faou is a malware researcher at ESET, where he specializes in targeted attacks. His main duties include threat hunting and reverse engineering of APT tooling. He finished his Master's degree in computer science at École Polytechnique de Montréal and École des Mines de Nancy in 2016. He has spoken at multiple conferences, including BlueHat, RECON, CYBERWARCON, Virus Bulletin and Botconf.
Francis Labelle
Francis Labelle is a student at the École de Technologie Supérieure (ÉTS) who discovered an interest in information security at the start of his undergraduate studies. He has worked as an intern for ESET, GoSecure and Desjardins' ETTIC team. He has also given workshops for Montrehack and DCIÉTS, and has been a finalist in CTF events such as Hack in Paris, CSAW and DefCamp.