win.xdspy (Back to overview)

XDSpy


According to ESET Research, XDDown is the primary component of XDSpy and is strictly a downloader. It persists on the system through the Windows registry Run key. It fetches additional plugins from a hardcoded C&C server over HTTP; the HTTP replies carry PE binaries encrypted with a hardcoded two-byte XOR key, so a downloaded plugin can be recovered from a network capture once that key is known. Plugins include a module for reconnaissance of the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.

References
2021-04-29ESET ResearchRobert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} } ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2020-10-02ESET ResearchMatthieu Faou
@online{faou:20201002:xdspy:c3724c7, author = {Matthieu Faou}, title = {{XDSpy: Stealing government secrets since 2011}}, date = {2020-10-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/}, language = {English}, urldate = {2020-10-05} } XDSpy: Stealing government secrets since 2011
XDSpy XDSpy
2020-10-01Github (eset)Matthieu Faou
@online{faou:20201001:xdspy:33a6429, author = {Matthieu Faou}, title = {{XDSpy Indicators of Compromise}}, date = {2020-10-01}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/xdspy/}, language = {English}, urldate = {2020-10-08} } XDSpy Indicators of Compromise
XDSpy XDSpy
2020-09-30Virus BulletinMatthieu Faou, Francis Labelle
@techreport{faou:20200930:xdspy:3189c15, author = {Matthieu Faou and Francis Labelle}, title = {{XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011}}, date = {2020-09-30}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf}, language = {English}, urldate = {2020-10-08} } XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011
XDSpy XDSpy
Yara Rules
[TLP:WHITE] win_xdspy_auto (20230125 | Detects win.xdspy.)
rule win_xdspy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.xdspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * NOTE(review): the rule targets unpacked code. $sequence_0..7 are plain
     * 32-bit x86 code (score 200). $sequence_8..15 (score 100) carry REX
     * prefixes (48/4c/42) and RIP-relative operands, so they presumably come
     * from a 64-bit build of the family; the auto-generated annotations for
     * those sequences decoded the bytes as 32-bit code and were misaligned,
     * and have been replaced below with the x86-64 decoding. Wildcards (??)
     * stand for call/jump targets and RIP-relative displacements, which vary
     * between builds and are intentionally not matched.
     */


    strings:
        $sequence_0 = { 57 50 e8???????? ffb56cd8ffff 8d8570d8ffff 6800040000 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffb56cd8ffff         | push                dword ptr [ebp - 0x2794]
            //   8d8570d8ffff         | lea                 eax, [ebp - 0x2790]
            //   6800040000           | push                0x400

        $sequence_1 = { ff15???????? 85c0 751f 68???????? 53 e8???????? }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x21
            //   68????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_2 = { 898594fdffff 3bc1 0f87ad090000 ff24858a644000 }
            // n = 4, score = 200
            //   898594fdffff         | mov                 dword ptr [ebp - 0x26c], eax
            //   3bc1                 | cmp                 eax, ecx
            //   0f87ad090000         | ja                  0x9b3
            //   ff24858a644000       | jmp                 dword ptr [eax*4 + 0x40648a]
            // NOTE(review): the jump-table base 0x40648a is an absolute VA,
            // so this sequence only matches the image base the sample was
            // dumped at (a relocated or rebased build will not hit it).

        $sequence_3 = { 50 e8???????? 83c414 47 3bfb 7cd1 8d8510ecffff }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   47                   | inc                 edi
            //   3bfb                 | cmp                 edi, ebx
            //   7cd1                 | jl                  0xffffffd3
            //   8d8510ecffff         | lea                 eax, [ebp - 0x13f0]

        $sequence_4 = { 3bc8 7cf1 53 50 8d85ecd8ffff 6a01 }
            // n = 6, score = 200
            //   3bc8                 | cmp                 ecx, eax
            //   7cf1                 | jl                  0xfffffff3
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d85ecd8ffff         | lea                 eax, [ebp - 0x2714]
            //   6a01                 | push                1

        $sequence_5 = { 33c0 40 8b8d2c2f0000 5f 5e 33cd }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   8b8d2c2f0000         | mov                 ecx, dword ptr [ebp + 0x2f2c]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33cd                 | xor                 ecx, ebp
            // NOTE(review): `xor ecx, ebp` on a value loaded from the frame is
            // the shape of an MSVC /GS security-cookie check at function exit;
            // such epilogues are compiler-generated and shared across many
            // binaries, so this sequence carries little family-specific weight.

        $sequence_6 = { 68???????? 50 e8???????? 59 59 89856cd8ffff 85c0 }
            // n = 7, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   89856cd8ffff         | mov                 dword ptr [ebp - 0x2794], eax
            //   85c0                 | test                eax, eax

        $sequence_7 = { 8d4584 56 50 e8???????? 8d4584 57 }
            // n = 6, score = 200
            //   8d4584               | lea                 eax, [ebp - 0x7c]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4584               | lea                 eax, [ebp - 0x7c]
            //   57                   | push                edi

        $sequence_8 = { 488b05???????? 33c9 488905???????? 0fb705???????? }
            // n = 4, score = 100  (x86-64 decoding)
            //   488b05????????       | mov                 rax, qword ptr [rip + disp32]
            //   33c9                 | xor                 ecx, ecx
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   0fb705????????       | movzx               eax, word ptr [rip + disp32]

        $sequence_9 = { 488d4001 3818 75f6 488d8590050000 389d90050000 }
            // n = 5, score = 100  (x86-64 decoding)
            //   488d4001             | lea                 rax, [rax + 1]
            //   3818                 | cmp                 byte ptr [rax], bl
            //   75f6                 | jne                 0xfffffff8
            //   488d8590050000       | lea                 rax, [rbp + 0x590]
            //   389d90050000         | cmp                 byte ptr [rbp + 0x590], bl
            // The first three instructions are a byte-scan loop (advance rax
            // until [rax] == bl), i.e. a strlen-style walk over a buffer.

        $sequence_10 = { 488d85100b0000 7410 0f1f440000 fe08 488d4001 }
            // n = 5, score = 100  (x86-64 decoding)
            //   488d85100b0000       | lea                 rax, [rbp + 0xb10]
            //   7410                 | je                  0x12
            //   0f1f440000           | nop                 dword ptr [rax + rax]
            //   fe08                 | dec                 byte ptr [rax]
            //   488d4001             | lea                 rax, [rax + 1]
            // Loop body decrements each byte in place and advances: an in-place
            // byte transform over a stack buffer (presumably string decoding —
            // confirm against the sample).

        $sequence_11 = { 4c89bc24d0140000 c744244000010000 e8???????? f30f6f05???????? 33ff 4c8d3d927fffff }
            // n = 6, score = 100  (x86-64 decoding)
            //   4c89bc24d0140000     | mov                 qword ptr [rsp + 0x14d0], r15
            //   c744244000010000     | mov                 dword ptr [rsp + 0x40], 0x100
            //   e8????????           |                     
            //   f30f6f05????????     | movdqu              xmm0, xmmword ptr [rip + disp32]
            //   33ff                 | xor                 edi, edi
            //   4c8d3d927fffff       | lea                 r15, [rip - 0x806e]

        $sequence_12 = { c605????????74 c705????????78743360 bf50000000 c705????????34332f65 66c705????????6d6d e8???????? }
            // n = 6, score = 100  (x86-64 decoding)
            //   c605????????74       | mov                 byte ptr [rip + disp32], 0x74            ; 't'
            //   c705????????78743360 | mov                 dword ptr [rip + disp32], 0x60337478     ; "xt3`"
            //   bf50000000           | mov                 edi, 0x50
            //   c705????????34332f65 | mov                 dword ptr [rip + disp32], 0x652f3334     ; "43/e"
            //   66c705????????6d6d   | mov                 word ptr [rip + disp32], 0x6d6d          ; "mm"
            //   e8????????           |                     
            // The immediates are printable ASCII written into a global buffer
            // piecewise, which looks like in-place string construction; the
            // assembled string cannot be recovered from this fragment alone.

        $sequence_13 = { 66c705????????6d6d 66660f1f840000000000 420fb68439b0a71700 88840df0290000 488d4901 }
            // n = 5, score = 100  (x86-64 decoding)
            //   66c705????????6d6d   | mov                 word ptr [rip + disp32], 0x6d6d          ; "mm"
            //   66660f1f840000000000 | nop                 word ptr [rax + rax]
            //   420fb68439b0a71700   | movzx               eax, byte ptr [rcx + r15 + 0x17a7b0]
            //   88840df0290000       | mov                 byte ptr [rbp + rcx + 0x29f0], al
            //   488d4901             | lea                 rcx, [rcx + 1]
            // Byte-copy loop from an image-relative table (r15 + 0x17a7b0)
            // into a stack buffer; the large displacement ties this sequence
            // to the layout of the specific build it was extracted from.

        $sequence_14 = { 4883f90b 7ce6 488bcb 0f1f00 0fb68431f8a91700 88440c30 }
            // n = 6, score = 100  (x86-64 decoding)
            //   4883f90b             | cmp                 rcx, 0xb
            //   7ce6                 | jl                  0xffffffe8
            //   488bcb               | mov                 rcx, rbx
            //   0f1f00               | nop                 dword ptr [rax]
            //   0fb68431f8a91700     | movzx               eax, byte ptr [rcx + rsi + 0x17a9f8]
            //   88440c30             | mov                 byte ptr [rsp + rcx + 0x30], al
            // Same copy-loop shape as $sequence_13 (11-byte loop bound, table
            // at rsi + 0x17a9f8 copied to [rsp + 0x30]).

        $sequence_15 = { 488d95e0090000 488bc8 ff15???????? 488bd3 }
            // n = 4, score = 100  (x86-64 decoding)
            //   488d95e0090000       | lea                 rdx, [rbp + 0x9e0]
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         |                     
            //   488bd3               | mov                 rdx, rbx
            // rcx/rdx set up per the Win64 calling convention before an
            // indirect (import-table) call.

    // 7 of 16 sequences must match. Since the x86 and x86-64 sequences are
    // unlikely to co-occur in one binary, a 64-bit-only sample has to hit 7 of
    // the 8 score-100 sequences, leaving little slack for build-to-build
    // variation on that side. The size bound (~3.1 MiB) only limits scan cost;
    // it is not a property of the family.
    condition:
        7 of them and filesize < 3244032
}