XDSpy group attacks detected using a new loader, XDSpy.DSDownloader

In July 2024, F.A.C.C.T. Threat Intelligence reported XDSpy cyber espionage attacks against Russian IT companies, using phishing emails delivering RAR archives containing a legitimate EXE and a malicious DLL (msi.dll) loaded via DLL Side-Loading. The dropped loader, XDSpy.DSDownloader, then fetches additional payloads; IOCs include file hashes, registry keys, and URLs. #XDSpy #DSDownloader #FACCTThreatIntelligence #RussianIT

Keypoints

  • XDSpy targeted Russian IT companies, especially those developing software for cash-register systems.
  • Phishing emails spoof real sender addresses to deceive recipients.
  • The RAR archive contained a legitimate executable and a malicious DLL (msi.dll).
  • DLL Side-Loading technique was used to load and execute the malicious payload.
  • The malicious library functions as a downloader for additional payloads (XDSpy.DSDownloader).
  • A range of indicators of compromise includes file hashes, registry keys, and URLs.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow – DLL Side-Loading – Used to load a malicious DLL by leveraging legitimate executable files: “Utilized legitimate executable files to load malicious DLL (msi.dll).”
  • [T1566] Phishing – “Phishing emails sent to target organizations to deliver malicious payloads.”
  • [T1547.001] Registry Run Keys / Startup Folder – “Created registry keys to ensure persistence of the malicious payload upon system startup.”

Indicators of Compromise

  • [File Hashes] Hash values associated with RAR archives and DLLs used in the campaigns – pdf_20240615_00003645.rar (MD5: 1c34280a2228793aad681089179ec0b3; SHA-1: a84d557cc726f521354a308436b0620fbe1a051f; SHA-256: 45bbe6950cabe649513edbe819440935d6be5a6ef715c01f7a95862225262da0) and pismo-22-07-2024_0001.rar (MD5: 94aab070678e6d84f0287cfedc037300; SHA-1: 7741436dcaf11e16e330cc52a133b6ef59a12812; SHA-256: 03ea832f0b7531026f1d87dc84ec03f65fe11f3e9de032e5e862b70d8cf0d2d8), and 3 more hashes
  • [Domains] Domains associated with the campaign – protej.org, nashtab.org, obshchiye-resursy.com, sbordokumentov.com, and 2 more domains
  • [IP Addresses] IPs used in infrastructure – 89.114.69.65, 89.114.69.48, and 3 more IP addresses
  • [URLs] Download/command-and-control URLs – hxxps://protej.org/zpwidnydav/?e&n=bVq7NwlXhjYOMT, hxxps://nashtab.org/biyasqbuk4/?e&n=GuVZoipdI2UIxk, and 6 more URLs
  • [File Paths] Paths to observed files – C:\Users\Public\pdf_20240615_00003645.exe, C:\Users\Public\pismo-22-07-2024_0001.exe, and 1 more file path
  • [Registry Keys] Registry Run entries observed – [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] pdf_20240615_00003645.exe = “C:\Users\Public\pdf_20240615_00003645.exe” and [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] pismo-22-07-2024_0001.exe = “C:\Users\Public\pismo-22-07-2024_0001.exe”
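As an added detection example (not code from the F.A.C.C.T. report), the following Python check flags the two behaviours listed under the MITRE techniques and the IOCs above over constructed Sysmon-style events: msi.dll loaded from outside the Windows system directories (side-loading candidate), and a Run-key value pointing at an executable under C:\Users\Public. The event IDs, field names and sample events are assumptions made for the example.

```python
# Added example (not part of the original report): a minimal hunt for the
# XDSpy.DSDownloader behaviours described above, run over constructed events.
from pathlib import PureWindowsPath

# Directories where a legitimate msi.dll normally lives (assumption for the check).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"


def is_sideloaded_msi_dll(image_loaded: str) -> bool:
    """True when msi.dll is loaded from a directory other than System32/SysWOW64."""
    path = PureWindowsPath(image_loaded)
    if path.name.lower() != "msi.dll":
        return False
    return str(path.parent).lower() not in SYSTEM_DIRS


def is_public_run_key(target_object: str, details: str) -> bool:
    """True when a Run-key value data points at an .exe under C:\\Users\\Public."""
    if RUN_KEY_FRAGMENT not in target_object.lower():
        return False
    value = details.strip().strip('"').lower()
    return value.startswith("c:\\users\\public\\") and value.endswith(".exe")


def scan(events):
    """Return (event_index, reason) for each event matching one of the patterns."""
    hits = []
    for i, ev in enumerate(events):
        # Sysmon event ID 7 = image loaded, 13 = registry value set (assumed schema).
        if ev["EventID"] == 7 and is_sideloaded_msi_dll(ev["ImageLoaded"]):
            hits.append((i, "msi.dll side-load candidate"))
        elif ev["EventID"] == 13 and is_public_run_key(ev["TargetObject"], ev["Details"]):
            hits.append((i, "Run-key persistence from Public folder"))
    return hits


# Constructed sample events: one benign and one suspicious case per pattern.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
SAMPLE_EVENTS = [
    {"EventID": 7, "ImageLoaded": "C:\\Windows\\System32\\msi.dll"},
    {"EventID": 7, "ImageLoaded": "C:\\Users\\Public\\msi.dll"},
    {"EventID": 13,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\pdf_20240615_00003645.exe",
     "Details": '"C:\\Users\\Public\\pdf_20240615_00003645.exe"'},
    {"EventID": 13,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```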

Read more: https://habr.com/ru/companies/f_a_c_c_t/news/831420/