XDSpy Cyber Espionage Campaign Targets Russian and Moldovan Entities in July 2024

In July 2024, the cyber espionage group XDSpy launched a targeted attack against Russian companies and a potential target in Moldova. The campaign involved sophisticated phishing tactics, where attackers sent emails containing links to download RAR archives. These archives included a legitimate executable file and a malicious dynamic link library (DLL) named msi.dll.

The attackers employed the DLL Side-Loading technique, leveraging the legitimate executable to load and execute the malicious DLL. This DLL, identified as part of the XDSpy.DSDownloader family, acted as a loader for the campaign's payload.

Targeted Entities in Russia and Moldova

The attack targeted a Russian IT company specializing in software for cash registers and possibly an organization in Tiraspol, Transnistria. The use of a decoy document, which was extracted and saved to the user's directory, served to distract the victim while the malicious activities took place in the background.

Key Functionalities of XDSpy.DSDownloader Malware

The XDSpy.DSDownloader malware exhibits several key functionalities, including copying the msi.dll and the legitimate executable to the "C:\Users\Public" directory and creating a registry key entry to ensure persistence. The malware also downloads a payload file from a malicious server, using a specific User-Agent string mimicking legitimate browser traffic.

While the payload file was unavailable at the time of investigation, the campaign's intent and methods highlight the continued threat posed by sophisticated cyber espionage groups like XDSpy.

Potential Payload and RAR Archive Contents

Based on previous attacks by the XDSpy group, it is assumed that the phishing emails in this malicious campaign were intended to deliver a RAR archive containing the XDSpy.DSDownloader malware. However, the RAR archives were unavailable at the time of the study, preventing direct analysis of the contents.

RAR Archive Analysis

The RAR archive typically contains two executable files in the PE32+ format:

Example of RAR Archive Contents

The combination of these files within the RAR archive demonstrates the group's use of sophisticated techniques, including the DLL Side-Loading method, to mask malicious activities behind legitimate software. This method not only helps evade detection but also exploits trust in well-known applications.

Functional Features of XDSpy.DSDownloader

The XDSpy.DSDownloader malware is characterized by several key functionalities:

Important Strings and Obfuscation Techniques

The malware contains several important strings in plaintext, including the names of the decoy document, legitimate executable, malicious DLL, payload file, registry key, public directory path, payload download link, and User-Agent header line. Additionally, the names of called WinAPI functions are hashed using a simple algorithm, adding a layer of obfuscation to hinder analysis and detection.

In this example, the malware first loads the necessary module (e.g., "kernel32.dll") using the LoadLibrary function. After successfully loading the module, it retrieves the address of the required WinAPI function using the GetProcAddress function.

Domains and URLs

IP Addresses

File Paths

The following file paths are associated with the XDSpy.DSDownloader malware:

Registry Keys

The following registry keys are used by XDSpy.DSDownloader for persistence:

Summary

The XDSpy cyber espionage campaign utilizes various indicators of compromise to execute and maintain its malicious presence. By monitoring and analyzing these domains, IP addresses, file paths, and registry keys, organizations can better detect and respond to the XDSpy threat.

Ensuring comprehensive security measures and up-to-date defenses is essential to protect against such sophisticated cyber threats.

Conclusion

The XDSpy cyber espionage campaign of July 2024 underscores the advanced capabilities of modern threat actors. By leveraging sophisticated phishing tactics, DLL Side-Loading, and obfuscation techniques, XDSpy demonstrates the need for robust cybersecurity measures and heightened vigilance against advanced persistent threats (APTs).

Organizations must remain proactive in their defenses to mitigate the risks posed by such sophisticated cyber threats.

About us!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.