In July 2024, F.A.C.C.T. Threat Intelligence uncovered new attacks by the XDSpy cyber-espionage group targeting Russian companies. The group used phishing emails carrying links to RAR archives, each containing a legitimate executable (.exe) together with a malicious library (msi.dll). The attackers relied on DLL sideloading to start the malware: the library, XDSpy.DSDownloader, is the core of the attack, since it downloads and launches the next-stage payload.
The primary target of these attacks was a Russian IT company that develops software for cash registers. An organization in Tiraspol, Transnistria, may also have been targeted, as one of the archives was uploaded to VirusTotal from that location.
The attackers spoofed the senders of the phishing emails. For instance, one email with the subject “Access to documents” contained a link to the malicious archive; a second email with the subject “Agreement, on behalf of the chief” was then sent to the same target organization.
The RAR archive contained two PE32+ files: a legitimate executable named PDF_20240615_00003645.exe and the malicious library msi.dll. Because the Windows loader searches the application's own directory before the system directory, launching the legitimate file loads the attacker's msi.dll instead of the genuine one.
The malicious library XDSpy.DSDownloader downloads and launches the payload and takes several steps to establish itself on the system. Its main functions are: extracting a decoy document to distract the victim, copying msi.dll and the legitimate executable to a dedicated directory, creating a registry key to autostart the malware, and downloading the payload from the attackers' server and launching it.
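The file pattern described above (a legitimate .exe bundled with a DLL whose name collides with a Windows system DLL) can be hunted for directly in archive or directory listings. The script below is an added example, not code from F.A.C.C.T. or from the report; only msi.dll and the PDF_20240615_00003645.exe naming come from the campaign, while the other DLL names, the lure-name prefixes, and the sample listing are constructed assumptions for illustration.

```python
"""Hunt for the DLL-sideloading file pattern: a legitimate .exe bundled
with a DLL whose name collides with a Windows system DLL."""
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# DLL names that the Windows loader resolves from the application directory
# before System32. msi.dll is the name from the report; the others are
# illustrative assumptions, not names taken from the XDSpy campaign.
SIDELOAD_DLL_NAMES = {
    "msi.dll", "version.dll", "dwmapi.dll", "cryptbase.dll",
    "wtsapi32.dll", "userenv.dll", "uxtheme.dll", "propsys.dll",
}

# Filename prefixes that make an .exe pass as a document. Assumed list;
# "pdf" (as in PDF_20240615_00003645.exe) is the only one seen in this campaign.
LURE_PREFIXES = ("pdf", "doc", "scan", "invoice", "agreement", "contract")


def _split(path: str) -> Tuple[str, str]:
    """Return (lower-cased parent dir, lower-cased filename) for Windows- or
    POSIX-style paths, so listings from either tool compare consistently."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return str(p.parent).lower(), p.name.lower()


def find_sideload_pairs(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (exe_path, dll_path) pairs that share a directory where the
    DLL name is one the loader would otherwise take from System32."""
    by_dir: Dict[str, List[Tuple[str, str]]] = {}
    for entry in entries:
        directory, name = _split(entry)
        by_dir.setdefault(directory, []).append((name, entry))

    hits: List[Tuple[str, str]] = []
    for files in by_dir.values():
        exes = [orig for name, orig in files if name.endswith(".exe")]
        dlls = [orig for name, orig in files if name in SIDELOAD_DLL_NAMES]
        hits.extend((exe, dll) for exe in exes for dll in dlls)
    return hits


def looks_like_document_lure(path: str) -> bool:
    """True when an .exe is named to look like a document, either by a
    document-like prefix (PDF_20240615_00003645.exe) or a double extension
    (report.pdf.exe)."""
    name = _split(path)[1]
    if not name.endswith(".exe"):
        return False
    stem = name[: -len(".exe")]
    if stem.endswith((".pdf", ".doc", ".docx", ".xls", ".xlsx")):
        return True
    return stem.startswith(LURE_PREFIXES)


def triage_listing(entries: Iterable[str]) -> List[str]:
    """Produce one finding line per sideload candidate in a listing."""
    entries = list(entries)
    findings: List[str] = []
    for exe, dll in find_sideload_pairs(entries):
        tag = " (document-lure name)" if looks_like_document_lure(exe) else ""
        findings.append(f"sideload candidate: {exe}{tag} + {dll}")
    return findings


# Constructed sample listing modelled on the archive described in the report;
# a real listing would come from `unrar l` or a sandbox's extracted-files view.
SAMPLE_LISTING = [
    "Документы/PDF_20240615_00003645.exe",
    "Документы/msi.dll",
    "Документы/notes.txt",
    "tools/setup.exe",
    "tools/setup.dll",
]

if __name__ == "__main__":
    for line in triage_listing(SAMPLE_LISTING):
        print(line)
```

The check keys on the loader's search order rather than on any XDSpy-specific indicator: msi.dll is not on the KnownDLLs list, so a copy placed beside the executable wins regardless of SafeDllSearchMode. Treat a hit as a triage lead, not a verdict (tools/setup.dll above is not flagged because it collides with no system DLL), and confirm on an endpoint with image-load telemetry, for example a Sysmon Event ID 7 showing msi.dll loaded from a path outside System32.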
Unfortunately, the payload was unavailable at the time of analysis, which limits a full assessment of the threat's scope. Strings such as the decoy document name, the registry key, and the download URLs are encrypted inside the malware, and the names of the Windows API functions it calls are likewise encrypted with a simple algorithm.
XDSpy primarily targets Russian enterprises in the military, financial, government, mining, research, and energy sectors. Despite significant efforts by cybersecurity specialists worldwide, the group's true motives remain unclear.