“Currently, XDSpy activity has stopped, and this happened after the warning published by the Belarusian CERT in February this year. In fact, the experts then discovered one of the malicious hacker campaigns, which was described in detail in the document. Information from the Belarusian CERT became the starting point for launching the ESET investigation and helped analysts discover past XDSpy operations,” ESET researchers said.
The hack group's main tool was a malware set called XDDown. Although the malware, according to the researchers, was not the most modern, it was enough to infect victims' machines and collect sensitive data. In essence, XDDown is a downloader that infects a machine and then downloads various plug-ins that perform specialized tasks.
Because of this feature, security solutions did not detect XDDown.
Among the XDDown modules were found:
The XDSpy malware was distributed by email through targeted phishing attacks. The group is known to have used decoy emails related to lost and found items, as well as the coronavirus pandemic. These emails contained malicious attachments, including PowerPoint, JavaScript, ZIP, or shortcut (LNK) files. Downloading and running any of these files resulted in infection.
According to experts, a number of factors indicate that XDSpy is a government hack group. For example, the malicious modules intentionally lack a persistence mechanism, that is, XDDown had to reload each module after the infected machine was rebooted.
In addition, some XDDown plugins were equipped with special “switches” that removed them after a certain date. All of this suggests that XDSpy relies on secrecy, tries to remain unnoticed, and avoids disclosing its tools. This is a typical way of operating for government hackers.
“Thus, they used the same code base for 9 years, and also had the ability to bypass some security products through obfuscation,” the experts summarize.
Indicators of compromise have already been published on GitHub, including all known details about the XDSpy framework and the group's malware.
Let me remind you that Lookout experts also discovered a link between Chinese hackers and a defense contractor. We also highly recommend reading the epic story from CrowdStrike about the creation of the Chinese Comac C919 aircraft, which was accompanied by hacker attacks and cyber espionage.