ESET: XDSpy is an APT group that has been targeting government entities in Eastern Europe and the Balkans since 2011, but until now it had remained undetected
XDSpy is an APT group that has been stealing government secrets in Eastern Europe and the Balkans since 2011. It was discovered by ESET cybersecurity experts. The group has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. The targets are primarily government entities, including militaries and Ministries of Foreign Affairs, as well as private companies. The cyber espionage hackers mainly seem to use spearphishing emails to compromise their targets. However, the emails vary a bit: some contain an attachment while others contain a link to a malicious file. The link points to a ZIP archive that contains an LNK file, without any decoy document. When the victim double-clicks on it, the LNK downloads an additional script that installs XDDown, the main malware component.
Cybersecurity experts: the cyber espionage group relies on the XDDown malware and spear phishing
According to the cybersecurity experts, after a pause between March and June 2020, XDSpy operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, patched in April 2020. Instead of delivering an archive with an LNK file, the C&C server delivered an RTF file that, once opened, downloaded an HTML file exploiting the flaw. Finally, the cyber espionage group jumped on the COVID-19 bandwagon at least twice in 2020. It first used this theme in a spear phishing campaign against Belarusian institutions in February 2020. Then, in September 2020, it reused this theme against Russian-speaking targets. The archive contained a malicious Windows Script File (WSF) that downloads XDDown, and the official website rospotrebnadzor.ru was used as a decoy. XDDown is the main malware component and a downloader. It persists on the system using the traditional Run key and downloads additional plugins from the C2 server over HTTP.
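The two stages described above, a mail attachment archive that carries only a shortcut or script file and persistence through the per-user Run key, are both things a defender can check for offline. The script below is an added example written for this page; it is not code from ESET or from the XDSpy report. It triages a ZIP member list and audits a `.reg` export of the Run key, flagging autostart values that point at user-writable locations, script hosts or script files. The archive listing and the registry export are constructed samples, and every file name, value name and path in them is invented.

```python
import re
from typing import Dict, List, Tuple

# Extensions of genuine documents that a legitimate archive attachment would usually carry.
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Shortcut and script-host file types seen in the delivery chain described above.
SHORTCUT_AND_SCRIPT_EXTS = {".lnk", ".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1"}
# Interpreters and living-off-the-land binaries that rarely belong in a per-user Run value.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Lower-cased path fragments that indicate a user-writable location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")

# Constructed sample: member list of a ZIP mail attachment (file name invented).
SAMPLE_ZIP_MEMBERS = ["Prikaz_2020-09.lnk"]

# Constructed sample: .reg export of the per-user Run key (value names and paths invented).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\upd.exe"
"Sync"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Local\\Temp\\sync.wsf\""
'''


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_archive_listing(members: List[str]) -> List[str]:
    """Flag an attachment archive whose content is shortcuts/scripts with no document beside them."""
    findings = []
    exts = [_ext(m) for m in members]
    suspicious = [m for m, e in zip(members, exts) if e in SHORTCUT_AND_SCRIPT_EXTS]
    has_document = any(e in DOCUMENT_EXTS for e in exts)
    for m in suspicious:
        findings.append(f"{m}: {_ext(m)} member inside a mail attachment archive")
    if suspicious and not has_document:
        findings.append("archive carries no document, only shortcut/script content")
    return findings


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
_SCRIPT_IN_CMDLINE = re.compile(r"\.(wsf|js|jse|vbs|vbe|hta|ps1)(?=[\"\s]|$)")


def parse_run_key_export(text: str) -> Dict[str, str]:
    """Return {value name: command line} for each REG_SZ value under a ...\\CurrentVersion\\Run key."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            continue
        m = _REG_VALUE.match(line)
        if in_run_key and m:
            # .reg exports escape backslashes and double quotes inside REG_SZ data.
            entries[m.group("name")] = re.sub(r'\\(["\\])', r"\1", m.group("data"))
    return entries


def _executable_of(cmdline: str) -> str:
    """Lower-cased base name of the program a Run value launches (quoted or first token)."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end != -1 else cmdline[1:]
    else:
        exe = cmdline.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def audit_run_key(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, reason) pairs for Run values that deserve analyst attention."""
    findings = []
    for name, cmd in entries.items():
        lower = cmd.lower()
        exe = _executable_of(cmd)
        if exe in SCRIPT_HOSTS:
            findings.append((name, f"autostart via script host or LOLBin {exe}"))
        if any(marker in lower for marker in USER_WRITABLE_MARKERS):
            findings.append((name, "autostart launches from a user-writable location"))
        if _SCRIPT_IN_CMDLINE.search(lower):
            findings.append((name, "autostart command line references a script file"))
    return findings


def audit_sample_export() -> List[Tuple[str, str]]:
    return audit_run_key(parse_run_key_export(SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for line in triage_archive_listing(SAMPLE_ZIP_MEMBERS):
        print("attachment:", line)
    for name, reason in audit_sample_export():
        print(f"run key value {name!r}: {reason}")
```

On a live host the `.reg` text would come from `reg export` of the HKCU and HKLM Run keys; the parser deliberately works on exported text so it can be run against collected artefacts rather than on the machine under investigation. The user-writable and script-host heuristics produce leads, not verdicts: a signed updater legitimately living under AppData is common, so each flagged value still needs the binary hashed and its signer checked.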