
XDSpy: The Silent Predator Targeting Russia and Moldova

Uncover the latest phishing campaign orchestrated by the elusive cyber espionage group XDSpy, targeting companies in Russia and Moldova. Discover how XDSpy employs sophisticated tactics to deploy the DSDownloader malware, the historical context of their activities, and the broader implications of cyber warfare amidst the ongoing Russo-Ukrainian conflict. With insights from leading cybersecurity firm F.A.C.C.T. and notable incidents involving other threat actors, this article provides a comprehensive overview of the evolving cyber threat landscape.

CYBER ACTIVISTS | DEVELOPMENT AND ECONOMIC THREATS

Phillemon Neluvhalani

7/31/2024 · 2 min read

XDSpy

In a fresh wave of cyber espionage, companies in Russia and Moldova have found themselves in the crosshairs of a phishing campaign orchestrated by the obscure threat group XDSpy.

The cybersecurity firm F.A.C.C.T. has revealed that the recent spate of infections culminated in the deployment of a malware strain known as DSDownloader. The activity was observed in July 2024, the month of this article.

XDSpy, an elusive cyber adversary, first came under the spotlight thanks to the Belarusian Computer Emergency Response Team, CERT.BY, in February 2020. Further analysis by cybersecurity giant ESET has linked the group to a string of information-stealing campaigns targeting government entities across Eastern Europe and the Balkans since 2011.

The attack methodology employed by XDSpy involves spear-phishing emails designed to breach defenses and deploy their primary malware module, XDDown. This malware then introduces a series of additional plugins to gather system data, enumerate the C: drive, monitor external drives, exfiltrate local files, and harvest passwords. In the past year, XDSpy has zeroed in on Russian organizations using a C#-based dropper named UTask. This dropper downloads a core module, an executable capable of fetching further payloads from a command-and-control (C2) server.

The most recent attacks feature phishing emails with agreement-related lures that deliver a RAR archive. The archive contains a legitimate executable paired with a malicious DLL. When the victim launches the executable, the Windows loader resolves the library from the executable's own directory before the system directories, so the attacker's DLL is loaded in its place (DLL side-loading); that DLL then downloads and executes DSDownloader. Meanwhile, a decoy file is shown to hold the victim's attention while the next-stage malware is silently fetched from a remote server. At the time of F.A.C.C.T.'s analysis, that next-stage payload was no longer available from the server.

The onset of the Russo-Ukrainian war in 2022 has marked a dramatic increase in cyber attacks from both sides. Russian companies have been targeted by malware such as DarkWatchman RAT and by various threat clusters, including Core Werewolf, Hellhounds, PhantomCore, Rare Wolf, ReaverBits, and Sticky Werewolf. Additionally, pro-Ukrainian hacktivist groups like Cyber.Anarchy.Squad have launched hack-and-leak operations and disruptive attacks against Russian entities such as Infotel and Avanpost.

Simultaneously, the Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about a surge in phishing attacks by a Belarusian threat actor identified as UAC-0057 (also known as GhostWriter and UNC1151). This group distributes a malware family named PicassoLoader, which aims to deploy a Cobalt Strike Beacon on compromised hosts.

Adding to the cyber turmoil, the Russia-linked Turla group has been discovered leveraging a malicious Windows shortcut (LNK) file to deliver a fileless backdoor. This backdoor executes PowerShell scripts from a legitimate-but-compromised server and disables security features. "It also employs memory patching, bypasses AMSI, and disables the system's event logging features to enhance its evasion capabilities," G DATA researchers noted. "The group utilizes Microsoft's msbuild.exe to bypass Application Whitelisting (AWL) and avoid detection."
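As an added illustration (not code from the article, nor from F.A.C.C.T., ESET or G DATA), the following Python shows how a defender might triage the two tradecraft patterns described above: the DLL side-loading used by the XDSpy RAR lure, and msbuild.exe launched from a scripting host as an application-whitelisting bypass in the Turla chain. It runs over constructed Sysmon-style image-load (Event ID 7) and process-create (Event ID 1) records; the paths, file names and the set of trusted directories are assumptions for the example, not indicators taken from any report.

```python
"""Two triage rules for the tradecraft described in the article, run over
CONSTRUCTED Sysmon-style events (not records from any real incident):
  (1) DLL side-loading: an EXE running from a user-writable directory loads a
      DLL from that same directory (the XDSpy RAR lure pattern).
  (2) msbuild.exe spawned by a scripting host (the quoted Turla AWL bypass).
"""
from pathlib import PureWindowsPath

# Assumed: directories from which a legitimately installed binary is expected
# to load its DLLs. Loads from anywhere else beside the EXE are suspicious.
TRUSTED_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
    r"c:\program files (x86)",
}

# Assumed: parents that should not normally be driving the build engine.
SUSPICIOUS_MSBUILD_PARENTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}


def _dir_of(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _is_trusted_dir(directory: str) -> bool:
    d = directory.lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DLL_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """Event ID 7 (image load): the loaded DLL lives in the same directory as
    the host process image, and that directory is not a trusted location.
    This is the search-order abuse the RAR lure relies on."""
    if event.get("EventID") != 7:
        return False
    if not event["ImageLoaded"].lower().endswith(".dll"):
        return False
    image_dir = _dir_of(event["Image"])
    dll_dir = _dir_of(event["ImageLoaded"])
    return image_dir == dll_dir and not _is_trusted_dir(dll_dir)


def is_msbuild_lolbin(event: dict) -> bool:
    """Event ID 1 (process create): msbuild.exe launched by a scripting host.
    Building a project file from powershell.exe is how code ends up running
    under an allow-listed Microsoft binary."""
    if event.get("EventID") != 1:
        return False
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    return image == "msbuild.exe" and parent in SUSPICIOUS_MSBUILD_PARENTS


def scan(events):
    """Return (rule_name, event) for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            hits.append(("dll_sideload", ev))
        if is_msbuild_lolbin(ev):
            hits.append(("msbuild_lolbin", ev))
    return hits


# Constructed sample telemetry. File and directory names are invented.
SAMPLE_EVENTS = [
    # EXE extracted from the lure archive loads a DLL sitting beside it -> hit
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\agreement\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\agreement\version.dll"},
    # Same EXE loading a genuine system DLL -> benign
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\agreement\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Installed application loading its own DLL from Program Files -> benign
    {"EventID": 7, "Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\helper.dll"},
    # msbuild.exe started by powershell.exe, as in an LNK-driven chain -> hit
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.csproj"},
    # msbuild.exe started by an IDE -> benign
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\proj.csproj"},
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(rule, ev["Image"])
```

Run as-is it reports two hits: the side-loaded DLL in the Downloads directory and the powershell-spawned msbuild.exe. The side-loading rule is deliberately broad and will also fire on portable applications a user runs from Downloads or Temp; in production it should be combined with the image-load event's signature fields (an unsigned DLL loaded by a signed EXE is the stronger signal) and with the archive-extraction context the article describes.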

The digital battlefield continues to evolve, with threat actors innovating and adapting to outmaneuver defenses and exploit vulnerabilities, leaving organizations in a perpetual state of vigilance.