
APT in action: XDSpy and Sandworm

Numerous advanced persistent threat (APT) groups have been attacking governments and the private sector. Some of them operated undetected for as long as a decade. 

In the past six months, some notable APT attacks have been revealed, targeting countries across Europe and verticals - from the government to military entities and private companies. During Europe cybersecurity day, ESET senior malware researcher Robert Lipovsky looks at two notable APT groups that are still at large - XDSpy and Sandworm.

XDSpy - undetected for almost a decade

“One of the key characteristics and requirements of APT is stealth - the ability for the malware to go undetected for as long as possible in order to carry out the purpose of the operation. XDSpy achieved just that,” Lipovsky explained.

This APT group managed to stay under the radar for nine years. ESET researchers were able to track their activity as far back as 2011. For nearly ten years, there was no public reporting about XDSpy, which, according to Lipovsky, is quite uncommon.

Researchers were not able to link XDSpy to any publicly known APT group. They believe the developers might be working in the UTC+2 or UTC+3 time zone, Monday to Friday, suggesting a professional activity.

The first time this APT group's activity was disclosed was in February 2020, when the Belarusian CERT published a blog post that included indicators of compromise and command-and-control domains. ESET linked the APT described in the report to the detections in their telemetry.

“According to our own telemetry, they targeted five different countries - Russia, Belarus, Ukraine, Moldova, and Serbia. The targets were in the following verticals - military, government institutions and diplomats, academics, and private companies in a wide range of industries,” Lipovsky said.

XDSpy infection, he explained further, begins with a spear-phishing email, and this is the only compromise vector that researchers are aware of. Some of the emails contain an attachment, others a link to a malicious file. At the end of the chain is the main malware component, called XDDown. It downloads additional plugins. Here are the plugins that researchers were able to discover during their research:

  • XDRecon is used to gather basic information about the victim machine, like the computer name, the current user name, and the volume serial number of the main drive.
  • XDList crawls the C Drive for interesting files, searching for specific file extensions, and exfiltrates the paths to these files. It can also take screenshots.
  • XDMonitor is similar to XDList, but instead of crawling the C Drive, it monitors for removable drives and, when they are inserted, crawls them recursively.
  • XDUpload exfiltrates files from the file system to the C&C server.
  • XDLoc is used to gather SSIDs of nearby Wi-Fi access points, probably to geolocate the victim machines.
  • XDPass is a standard browser password stealer.

Lipovsky called this APT not too sophisticated but good enough to trick some recipients. Like other APTs, XDSpy exploited the COVID-19 topic in their attacks.

“XDSpy is a previously undocumented APT group which has been active since 2011. Their main goal is to steal documents from their victims, they targeted a number of high-value targets in a number of European countries, and it's one of the many APTs to use the COVID-19 theme in their campaigns,” the researcher summed up.

Sandworm: the Exaramel backdoor

Sandworm's most infamous, widely publicized attacks were dated between 2015 and 2018, but this APT group, according to the researchers, is still active today. Sandworm is allegedly a Russian cyber military unit of the GRU.

“In February this year, the French national information security agency (ANSSI) released a report revealing an intrusion campaign, targeting the Centreon AI monitoring software, which resulted in a breach of several French organizations. The campaign lasted from 2017 until 2020, and it affected mostly IT providers, especially web-hosting providers,” Lipovsky explained.

Two backdoors were discovered on the compromised systems - the PAS web shell and the Exaramel backdoor.

“The Sandworm APT group needs little introduction. We've been tracking the group since the early days, even before the first Ukrainian power grid attack. When we discovered Industroyer, and that was behind the second power grid attack in Ukraine a year after the BlackEnergy attack, we thought the attack was done by the Sandworm group, but we had no proof. That evidence only came later, in April 2018, when we found Exaramel. It was a Sandworm backdoor, specifically part of the TeleBots activity cluster, and it had actual code similarity with the main Industroyer backdoor,” Lipovsky explained.

Centreon, he argued, was not a victim of a supply chain attack. The attackers exploited installations of out-of-date versions of the Centreon IT monitoring software, not the company itself.

“Centreon was not distributing malicious code. The fact that this was not a supply chain attack is a good thing as finding otherwise would indicate a serious compromise with much more far-reaching consequences,” the researcher said.

Despite that, organizations have been using vulnerable versions of Centreon IT monitoring software, and attackers took advantage to compromise them.

“There are lessons to be learned from this. The past six months have shown that it is business as usual for APT groups, including highly sophisticated ones like Sandworm, to less advanced ones but still capable of staying under the radar and likely achieving their goals, like XDSpy,” Lipovsky said.

If you want to find out more about the APT groups at large, read CyberNews article The world’s most dangerous state-sponsored hacker groups, where our senior researcher delves into the universe of the state-sponsored hacker groups, often named after animals, such as dragons and kittens.


The number of cyberattacks during the lockdowns soared, and ESET in the last quarter of 2020 alone uncovered as many attacks as the whole industry saw in one year just a few years back.

“Considering how much cyber criminals and APT actors have to gain from them, the numbers will only continue growing moving forward both in Europe and globally. Minimizing the risk of supply chain attacks requires a constant loop of risk and compliance management,” Lipovsky said.

Here are a few of his practical pieces of advice:

  • Know your software, keep an inventory of all tools used by your organization, both open-source and proprietary.
  • Keep an eye out for known vulnerabilities and apply patches as soon as they are available.
  • Stay alert for breaches of third-party software vendors. Drop any redundant or outdated system services or protocols. 
  • Request regular code audits and penetration tests to identify potential hazards.
  • Request access controls and 2FA to secure software development processes.
  • Run security software with multiple layers of protection.
