Companies in Russia and Moldova have been targeted by a phishing campaign organized by a little-known cyber espionage group known as XDSpy.
The findings come from cybersecurity firm FACCT, which said the infection chains lead to the deployment of malware called DDSownloader. Activity was observed this month as well, it added.
XDSpy is a threat actor of uncertain origin that was first documented by the Belarusian Computer Emergency Response Team, CERT.BY, in February 2020. Subsequent analysis by ESET attributed to the group information-stealing attacks dating back to 2011, aimed at government agencies in Eastern Europe and the Balkans.
Attack chains orchestrated by the adversary are known to use phishing emails to infiltrate targets with a core malware module known as XDDown, which in turn drops additional plugins to collect system information, enumerate the C: drive, monitor external drives, steal local files, and harvest passwords.
Over the last year, XDSpy has been observed targeting Russian organizations with a C#-based dropper called UTask, which is responsible for loading the core module as an executable that can receive additional payloads from the command-and-control (C2) server.
The latest set of attacks involves phishing emails with agreement-related lures that distribute a RAR archive containing a legitimate executable and a malicious DLL file. When the legitimate executable is run, it loads the malicious DLL via DLL side-loading.
The library takes care of downloading and running DDSownloader, which in turn opens a decoy file to distract the user while stealthily downloading the next-stage malware from a remote server. FACCT said the payload was no longer available for download at the time of analysis.
The start of the Russian-Ukrainian war in 2022 witnessed a significant escalation of cyber attacks on both sides, with Russian companies compromised by DarkWatchman RAT as well as by activity clusters tracked as Core Werewolf, Hellhounds, PhantomCore, Rare Wolf, ReaverBits, and Sticky Werewolf, among others, in recent months.
Moreover, pro-Ukrainian hacktivist groups such as Cyber.Anarchy.Squad have also targeted Russian organizations with hack-and-leak operations and disruptive attacks against Infotel and Pledge.
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a surge in phishing attacks carried out by a Belarusian threat actor tracked as UAC-0057 (aka GhostWriter and UNC1151) that distribute a malware family called PicassoLoader with the goal of dropping Cobalt Strike Beacon on infected hosts.
It also follows the discovery of a new campaign linked to Russia Tower, a group that uses a malicious Windows Shortcut (LNK) file as a conduit to serve a fileless backdoor that can execute PowerShell scripts obtained from a legitimate but compromised server and disable security features.
“It also uses memory patches, bypasses AMSI, and disables system event logging features to degrade system defenses and increase its evasion capabilities,” G DATA researchers said. “It uses Microsoft’s msbuild.exe to implement AWL (application whitelist) bypass to avoid detection.”
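Two of the techniques described above, the DLL side-loading chain used to launch the downloader and the msbuild.exe application-whitelist bypass reported by G DATA, both leave a recognisable trace in endpoint telemetry. The following Python script is an added example for defenders and is not code from the article, FACCT, or G DATA; it runs two heuristics over constructed, simplified JSON endpoint events (the event shape, field names, file paths and the `SYSTEM32_INVENTORY` set are all assumptions standing in for a real EDR or Sysmon feed and a real inventory of the host's System32 directory). The side-loading rule flags a process loading a DLL that shares its name with a System32 DLL from the process's own, user-writable directory; the msbuild rule flags `msbuild.exe` building a project file that lives in a user-writable location.

```python
"""Heuristic detections for DLL side-loading and msbuild.exe project abuse.

Added example, not part of the article. Event format, paths and the
System32 inventory below are constructed for illustration only.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed stand-in for a real inventory of DLL names shipped in System32.
# In production, build this set from the host's actual System32 directory.
SYSTEM32_INVENTORY = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}

# Directory prefixes a standard user can normally write to (assumed list).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)

# File extensions msbuild.exe will accept as a build project (assumed list).
PROJECT_EXTENSIONS = (".proj", ".csproj", ".vbproj", ".xml", ".targets")


def is_user_writable(path: str) -> bool:
    """True if the path sits under one of the user-writable prefixes."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect_sideload(event: dict):
    """Flag an ImageLoad where a DLL named like a System32 DLL is loaded
    from the loading process's own directory, and that directory is
    user-writable (the pattern of a dropped exe+DLL pair)."""
    if event.get("EventType") != "ImageLoad":
        return None
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in SYSTEM32_INVENTORY:
        return None
    if str(dll.parent).lower() != str(exe.parent).lower():
        return None
    if not is_user_writable(str(dll)):
        return None
    return f"possible DLL side-loading: {exe.name} loaded {dll.name} from {dll.parent}"


def detect_msbuild_abuse(event: dict):
    """Flag a ProcessCreate of msbuild.exe whose command line names a
    project file in a user-writable directory (a build tool being handed
    an attacker-controlled project, rather than one from a source tree)."""
    if event.get("EventType") != "ProcessCreate":
        return None
    if PureWindowsPath(event["Image"]).name.lower() != "msbuild.exe":
        return None
    # Tokenise the command line, honouring double-quoted arguments.
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', event.get("CommandLine", "")):
        arg = quoted or bare
        if arg.lower().endswith(PROJECT_EXTENSIONS) and is_user_writable(arg):
            return f"msbuild.exe building project from user-writable path: {arg}"
    return None


def scan(lines):
    """Run every rule over each JSON event line; return the findings in order."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for rule in (detect_sideload, detect_msbuild_abuse):
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: two suspicious events and two benign ones.
SAMPLE_EVENTS = [
    r'{"EventType": "ImageLoad", "Image": "C:\\Users\\alice\\Downloads\\contract\\viewer.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\contract\\version.dll"}',
    r'{"EventType": "ImageLoad", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll"}',
    r'{"EventType": "ProcessCreate", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\build.proj"}',
    r'{"EventType": "ProcessCreate", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\" C:\\src\\app\\app.csproj"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately narrow so they stay quiet on developer workstations: a legitimate build from a source tree and a System32 DLL loaded from System32 produce no finding. Portable applications that ship their own copy of a System32-named DLL in a Downloads folder will still trip the side-loading rule, so in practice the exe's signer and file prevalence should be added as further conditions before alerting.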