Original Release Date: 10/8/2020
A new advanced persistent threat (APT) group, dubbed XDSpy, remained undetected for nearly nine years before it was recently discovered by the ESET research team. The group has carried out reconnaissance and document-stealing activity against targets in Belarus, Moldova, Russia, Serbia, and Ukraine, though other targets may still be unknown. XDSpy infects targets via emails containing malicious attachments and deploys the XDDown toolkit in its operations; the toolkit includes several modules that gather data, search infected devices for specific files, collect information about connected networks, and extract passwords from browsers. While ESET did not attribute the activity, XDSpy appears to be government-backed based on its operations.
The NJCCIC recommends that organizations whose networks may be considered high-value targets for APT activity implement a defense-in-depth cybersecurity strategy. Such a strategy includes following the principle of least privilege, utilizing intrusion detection and prevention technologies, running an endpoint detection and response program, keeping hardware and software patched with the latest updates, and establishing a comprehensive data backup plan. For more information, review the Virus Bulletin abstract and the ZDNet article.