A cyber espionage group known as XDSpy [4], identified by CERT.BY in 2020 [1] [3], has been conducting a phishing campaign targeting organizations in Russia and Moldova since 2011. This group has been associated with infostealer attacks against government agencies in Eastern Europe and the Balkans.
Description
Recent attacks by XDSpy involve spear-phishing emails with agreement-related lures that deliver a RAR archive containing a legitimate executable and a malicious DLL [1] [2]. The DLL is executed through DLL side-loading to fetch and run DSDownloader [1], which retrieves the next-stage malware from a remote server [1]. XDSpy has also used the UTask dropper against Russian firms in the past 12 months [4].

Separately, a new campaign by the Turla group uses a malicious Windows shortcut (LNK) file to serve a fileless backdoor that can execute PowerShell scripts and disable security features, including memory patching and AMSI bypass [1]. G DATA researchers noted the use of Microsoft's msbuild.exe as an application whitelisting (AWL) bypass for evasion [1].

A Belarusian threat operation known as GhostWriter has also been targeting Ukrainian organizations with phishing attacks that deploy the PicassoLoader malware to facilitate Cobalt Strike Beacon compromise.

The onset of the Russo-Ukrainian war in 2022 has seen an increase in cyber attacks [2], with Russian companies targeted by DarkWatchman RAT and by activity clusters such as Core Werewolf, Hellhounds, PhantomCore, Rare Wolf, ReaverBits, and Sticky Werewolf [2].
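The three execution patterns described above (a signed executable side-loading a DLL dropped beside it, an LNK lure launching a hidden PowerShell one-liner, and msbuild.exe being used to run a project file from a user-writable path) all leave distinctive traces in endpoint telemetry. The following is an added example, not code from any of the cited reports: a small set of heuristic detectors run over constructed Sysmon-style events. The event fields, the sample file paths and the "legitimate parent" lists are assumptions chosen for illustration.

```python
"""Heuristic detectors for DLL side-loading, LNK-launched PowerShell and
MSBuild-based AWL bypass, evaluated over constructed Sysmon-style events.
Added example; field names and sample data are assumptions, not telemetry
from the campaigns described in the cited reports."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to. A DLL mapped from here,
# sitting next to the executable that loads it, is the classic side-loading layout.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# PowerShell switches typical of a hidden one-liner launched from a shortcut.
SUSPICIOUS_PS_SWITCHES = {
    "-w", "-windowstyle", "-enc", "-encodedcommand",
    "-nop", "-noprofile", "-ep", "-executionpolicy",
}

# Parents under which msbuild.exe is expected (assumed list; tune per estate).
LEGIT_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


@dataclass
class Event:
    kind: str                 # "process_create" or "image_load"
    image: str                # path of the process doing the action
    parent_image: str = ""    # process_create only
    command_line: str = ""    # process_create only
    loaded_image: str = ""    # image_load only: the DLL that was mapped
    signed: bool = True       # image_load only: whether the DLL is signed


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def in_user_writable(path: str) -> bool:
    return any(tok in path.lower() for tok in USER_WRITABLE)


def detect_dll_sideload(ev: Event):
    """Unsigned DLL loaded from a user-writable directory that is the same
    directory the loading executable lives in."""
    if ev.kind != "image_load" or ev.signed:
        return None
    if not ev.loaded_image.lower().endswith(".dll"):
        return None
    if not in_user_writable(ev.loaded_image):
        return None
    if parent_dir(ev.loaded_image) != parent_dir(ev.image):
        return None
    return ("dll_sideload",
            f"{basename(ev.image)} loaded unsigned {basename(ev.loaded_image)} "
            f"from {parent_dir(ev.loaded_image)}")


def detect_lnk_powershell(ev: Event):
    """PowerShell spawned by Explorer (how a double-clicked LNK runs) with two
    or more switches that hide the window, skip the profile or pass encoded input."""
    if ev.kind != "process_create":
        return None
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if basename(ev.parent_image) != "explorer.exe":
        return None
    hits = [t for t in ev.command_line.lower().split() if t in SUSPICIOUS_PS_SWITCHES]
    if len(hits) < 2:
        return None
    return ("lnk_powershell",
            f"powershell from explorer.exe with switches {' '.join(hits)}")


def detect_msbuild_awl_bypass(ev: Event):
    """msbuild.exe started outside a build toolchain with a project file
    located in a user-writable directory. Argument splitting on whitespace
    is a simplification; quoted paths with spaces need a proper tokenizer."""
    if ev.kind != "process_create" or basename(ev.image) != "msbuild.exe":
        return None
    if basename(ev.parent_image) in LEGIT_MSBUILD_PARENTS:
        return None
    args = ev.command_line.split()[1:]
    if not any(in_user_writable(a) for a in args):
        return None
    return ("msbuild_awl_bypass",
            f"msbuild.exe under {basename(ev.parent_image)} building {' '.join(args)}")


DETECTORS = (detect_dll_sideload, detect_lnk_powershell, detect_msbuild_awl_bypass)


def triage(events):
    """Return (rule, detail) alerts in event order; one alert per event at most."""
    alerts = []
    for ev in events:
        for detector in DETECTORS:
            alert = detector(ev)
            if alert:
                alerts.append(alert)
                break
    return alerts


# Constructed sample telemetry: three suspicious events interleaved with benign ones.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Users\ivan\Downloads\contract\viewer.exe",
          loaded_image=r"C:\Users\ivan\Downloads\contract\version.dll", signed=False),
    Event("image_load", r"C:\Windows\System32\notepad.exe",
          loaded_image=r"C:\Windows\System32\kernel32.dll", signed=True),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line="powershell.exe -nop -w hidden -enc AAAA"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="powershell.exe Get-Process"),
    Event("process_create", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"MSBuild.exe C:\Users\ivan\AppData\Local\Temp\build.xml"),
    Event("process_create", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          parent_image=r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
          command_line=r"MSBuild.exe C:\src\app\app.csproj"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each detector is deliberately narrow so that it produces few false positives on developer workstations: the side-loading rule requires the DLL to be unsigned and co-located with its loader, the PowerShell rule requires Explorer as the parent plus a combination of switches rather than any single one, and the MSBuild rule whitelists the normal build-tool parents before looking at where the project file lives. In a real pipeline the same functions would consume Sysmon event IDs 1 and 7 (or the equivalent EDR records) instead of the constructed list.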
Conclusion
The rise of cyber attacks by groups like XDSpy, Turla [1], and GhostWriter highlights the ongoing threat to organizations in Russia, Moldova [1] [2] [3] [4], Ukraine, and beyond. It is crucial for businesses and government agencies to enhance their cybersecurity measures to mitigate the risks posed by these sophisticated threat actors. The evolving tactics and techniques used by these groups underscore the need for continuous monitoring, threat intelligence sharing, and collaboration among cybersecurity professionals to defend against future attacks.
References
[1] https://thehackernews.com/2024/07/cyber-espionage-group-xdspy-targets.html
[2] https://cyber.vumetric.com/security-news/2024/07/31/cyber-espionage-group-xdspy-targets-companies-in-russia-and-moldova/
[3] https://vulners.com/thn/THN:3F7F98A71AFE2E42250CBFA6D1B26933
[4] https://www.scmagazine.com/brief/russia-moldova-subjected-to-xdspy-phishing-campaign