
Russian and Moldovan companies have been targeted in a phishing campaign orchestrated by a little-known cyberespionage group known as XDSpy.
The findings come from cybersecurity firm FACCT, which said the infection chain leads to the deployment of malware called DSDownloader and that the activity was spotted this month.
XDSpy is a threat actor of unknown origins that was first discovered by the Belarusian Computer Emergency Response Team (CERT.BY) in February 2020. Subsequent analysis by ESET revealed that the group has been conducting information theft attacks targeting government organizations in Eastern Europe and the Balkans since 2011.
The attack chains used by the group are known to rely on spear-phishing emails to deliver a primary malware module called XDDown to the target, which then drops additional plugins that gather system information, enumerate the C: drive, monitor external drives, exfiltrate local files, and harvest passwords.

Over the past year, XDSpy has been observed targeting Russian organizations using a C#-based dropper called UTask, responsible for downloading a core module in the form of an executable file that can retrieve further payloads from a command and control (C2) server.
The latest wave of attacks uses phishing emails containing contract-related lures to spread RAR archive files that contain a legitimate executable and a malicious DLL file, which is then executed by the former using a DLL side-loading technique.
This library is responsible for downloading and executing DSDownloader, which then opens a decoy file to provide a distraction while covertly downloading the next stage of malware from a remote server. According to FACCT, at the time of analysis the payload was no longer available for download.
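A defender-side triage heuristic for the archive pattern described above (a legitimate executable packaged next to a DLL it would load from its own directory, plus a decoy document), written as an added example that is not part of the original article or of FACCT's analysis; the archive member listings are constructed for illustration.

```python
import posixpath

# Document extensions commonly used as decoy/lure files in contract-themed phishing.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def sideload_findings(members):
    """Inspect one archive's member names and report EXE+DLL co-location.

    DLL side-loading depends on the DLL sitting in the same directory as the
    executable that loads it, so the check is per directory, not per archive.
    Returns a list of findings; an empty list means the pattern was not seen.
    """
    by_dir = {}
    for m in members:
        directory, name = posixpath.split(m.replace("\\", "/"))
        by_dir.setdefault(directory, []).append(name)

    findings = []
    for directory, names in by_dir.items():
        lower = [n.lower() for n in names]
        exes = [n for n in lower if n.endswith(".exe")]
        dlls = [n for n in lower if n.endswith(".dll")]
        docs = [n for n in lower if posixpath.splitext(n)[1] in DOC_EXT]
        if exes and dlls:
            findings.append({
                "dir": directory or ".",
                "exes": exes,
                "dlls": dlls,
                # A decoy document alongside the pair raises confidence.
                "decoy_present": bool(docs),
            })
    return findings


def archive_score(members):
    """Coarse score: 0 = clean pattern, 1 = EXE+DLL pair, 2 = pair plus decoy."""
    findings = sideload_findings(members)
    if not findings:
        return 0
    return 2 if any(f["decoy_present"] for f in findings) else 1


if __name__ == "__main__":
    # Constructed listing resembling the described lure: contract PDF + EXE + DLL.
    sample = ["contract_2024.pdf", "viewer.exe", "support.dll"]
    for f in sideload_findings(sample):
        print(f)
    print("score:", archive_score(sample))
```

The heuristic is meant for mail-gateway or sandbox triage of attachments and will flag some legitimate installers, so treat a hit as a reason to detonate or inspect, not as a verdict.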
The outbreak of the Russia-Ukraine war in 2022 has led to a significant increase in cyber attacks on both sides, with Russian companies being compromised in recent months by the DarkWatchman RAT as well as activity clusters tracked as Core Werewolf, Hellhounds, PhantomCore, Rare Wolf, ReaverBits, Sticky Werewolf, and others.
Additionally, pro-Ukrainian hacktivist groups such as Cyber.Anarchy.Squad have also targeted Russian organizations, conducting hacking and exfiltration operations and destructive attacks against Infotel and Avanpost.
The development comes after Ukraine's Computer Emergency Response Team (CERT-UA) warned of a surge in phishing attacks by the Belarusian threat actor UAC-0057 (aka GhostWriter and UNC1151), which is distributing a malware family called PicassoLoader aimed at dropping Cobalt Strike Beacon on infected hosts.
It also follows the discovery of a new attack campaign by the Russia-linked Turla group, which is using malicious Windows shortcut (LNK) files as a vector to deliver a fileless backdoor capable of disabling security features by executing PowerShell scripts received from a legitimate but compromised server.
“It also weakens system defenses by using memory patches, bypassing AMSI, disabling system event logging, etc. to strengthen its evasion capabilities,” G DATA researchers said. “It also implements an AWL (Application Whitelist) bypass by leveraging Microsoft’s msbuild.exe to avoid detection.”