XDSpy: stealing government secrets since 2011

Wednesday 30 September 16:00 - 16:30, Green room

Matthieu Faou (ESET)
Francis Labelle (ESET)

Early in 2020, ESET researchers discovered a previously undisclosed cyber espionage operation targeting several governments in Eastern Europe, the Balkans and Russia. Unusually, our research shows that this campaign has been active since at least 2011 with next to no changes in TTPs. It is very uncommon to find a cyber espionage operation without any public reporting after almost 10 years of activity.

A February 2020 Belarusian CERT advisory disclosed a spear-phishing campaign targeting several Belarusian ministries and agencies. Our research links this campaign to XDSpy. The goal of that operation appears to be collecting documents from government staff such as diplomats or military personnel. Among the targets we also found a few private companies and academic institutions, suggesting that this actor is also responsible for economic espionage operations.

XDSpy's tools are quite basic, but effective. The malware samples are lightly obfuscated using string obfuscation and dynamic loading of Windows API libraries. Their main functions include monitoring removable drives, taking screenshots and exfiltrating documents. In addition, we found a custom module that collects the identifiers of nearby Wi-Fi access points, probably with the objective of geolocating the compromised machines. The operators also use NirSoft utilities to recover passwords from web browsers and email clients. In some specific cases, we were able to retrieve lists of the paths to the stolen files, which allowed us to better understand the objective of this campaign.

This paper presents the full chain of XDSpy's operations, from the phishing email to the spyware. We will also compare XDSpy's TTPs with those of known APT groups operating in the same region in order to show that this campaign appears quite unique. Finally, we will provide readers with more high-level information about the campaign by going through some of the documents and targets of interest to the group.

Matthieu Faou

Matthieu Faou is a malware researcher at ESET, where he specializes in researching targeted attacks. His main duties include threat hunting and reverse engineering of APT malware. He completed his Master's degree in computer science at École Polytechnique de Montréal and École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including BlueHat, RECON, CYBERWARCON, Virus Bulletin and Botconf.

Francis Labelle

A student at the École de Technologie Supérieure (ÉTS), Francis discovered an interest in information security at the start of his undergraduate studies. He has worked as an intern for ESET, GoSecure and Desjardins' ETTIC team. He has also given workshops for Montrehack and DCIÉTS, and has been a finalist in popular CTF events such as Hack in Paris, CSAW and DefCamp.
