win.xdspy

XDSpy


According to ESET Research, XDDown is the primary component of the XDSpy toolset and is strictly a downloader. It persists on the system through the traditional Run registry key. It downloads additional plugins from a hardcoded C&C server over plain HTTP. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key; because the key is static and only two bytes long, the downloaded payloads can be recovered from captured traffic once the key has been extracted from the downloader. Plugins include modules for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.

References
2021-04-29ESET ResearchRobert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} } ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2020-10-02ESET ResearchMatthieu Faou
@online{faou:20201002:xdspy:c3724c7, author = {Matthieu Faou}, title = {{XDSpy: Stealing government secrets since 2011}}, date = {2020-10-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/}, language = {English}, urldate = {2020-10-05} } XDSpy: Stealing government secrets since 2011
XDSpy XDSpy
2020-10-01Github (eset)Matthieu Faou
@online{faou:20201001:xdspy:33a6429, author = {Matthieu Faou}, title = {{XDSpy Indicators of Compromise}}, date = {2020-10-01}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/xdspy/}, language = {English}, urldate = {2020-10-08} } XDSpy Indicators of Compromise
XDSpy XDSpy
2020-09-30Virus BulletinMatthieu Faou, Francis Labelle
@techreport{faou:20200930:xdspy:3189c15, author = {Matthieu Faou and Francis Labelle}, title = {{XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011}}, date = {2020-09-30}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf}, language = {English}, urldate = {2020-10-08} } XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011
XDSpy XDSpy
Yara Rules
[TLP:WHITE] win_xdspy_auto (20210616 | Detects win.xdspy.)
rule win_xdspy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.xdspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - $sequence_0..7 are 32-bit code (no REX prefixes, absolute 32-bit
     *   addressing); $sequence_8..15 are 64-bit code (REX prefixes 41/42/44/
     *   45/48/49/4c). The autogenerated per-byte annotations for the x64
     *   sequences were shifted by several rows and decoded as 32-bit code
     *   ("dec esp" for the REX byte 4c, etc.). They have been re-decoded by
     *   hand below; treat that decoding as a reading aid and verify against
     *   the sample before relying on it.
     * - Several 32-bit sequences embed absolute image addresses (0x414e80,
     *   0x410448): a rebuilt or differently-based binary will not match
     *   those strings, so expect the x86 side to be brittle across builds.
     * - The condition needs 7 of the 16 strings. A 32-bit sample can only
     *   satisfy that with 7 of its 8 x86 sequences, a 64-bit sample with 7 of
     *   its 8 x64 sequences, so each architecture effectively has a
     *   7-of-8 threshold.
     * - "filesize < 3244032" is meaningful for on-disk scans only; per the
     *   YARA documentation filesize has no meaning when scanning a running
     *   process, so confirm the engine's behaviour before applying the rule
     *   to live memory.
     */


    strings:
        $sequence_0 = { 8bc1 c1f805 8bf1 8d3c85804e4100 8b07 83e61f }
            // n = 6, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   c1f805               | sar                 eax, 5
            //   8bf1                 | mov                 esi, ecx
            //   8d3c85804e4100       | lea                 edi, dword ptr [eax*4 + 0x414e80]   (absolute image address)
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83e61f               | and                 esi, 0x1f

        $sequence_1 = { 85c0 750d e8???????? 8ac3 5b e9???????? }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   e8????????           | call                (rel32 wildcarded)
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   e9????????           | jmp                 (rel32 wildcarded)

        $sequence_2 = { 59 59 8b7508 8d34f548044100 }
            // n = 4, score = 200
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d34f548044100       | lea                 esi, dword ptr [esi*8 + 0x410448]   (absolute image address)

        $sequence_3 = { 50 e8???????? 59 50 ff35???????? 8d8574ecffff }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           | call                (rel32 wildcarded)
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   ff35????????         | push                dword ptr [imm32]  (address wildcarded)
            //   8d8574ecffff         | lea                 eax, dword ptr [ebp - 0x138c]

        $sequence_4 = { 7414 8d4580 50 68???????? 56 }
            // n = 5, score = 200
            //   7414                 | je                  0x16
            //   8d4580               | lea                 eax, dword ptr [ebp - 0x80]
            //   50                   | push                eax
            //   68????????           | push                imm32  (wildcarded)
            //   56                   | push                esi

        $sequence_5 = { 85c0 0f8474ffffff 5f 56 ff35???????? e8???????? }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   0f8474ffffff         | je                  0xffffff7a
            //   5f                   | pop                 edi
            //   56                   | push                esi
            //   ff35????????         | push                dword ptr [imm32]  (address wildcarded)
            //   e8????????           | call                (rel32 wildcarded)

        $sequence_6 = { ffd3 85c0 7414 8d4580 }
            // n = 4, score = 200
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7414                 | je                  0x16
            //   8d4580               | lea                 eax, dword ptr [ebp - 0x80]

        $sequence_7 = { 55 8bec 53 56 57 bf88130000 57 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   bf88130000           | mov                 edi, 0x1388
            //   57                   | push                edi

        $sequence_8 = { 0f1f440000 420fb68429b8a21700 88840d30050000 488d4901 84c0 75e8 488d8530050000 }
            // n = 7, score = 100
            // x64 (hand-decoded, see REVIEW NOTES): byte-copy loop from a table into a stack buffer until a NUL byte
            //   0f1f440000           | nop                 dword ptr [rax + rax]
            //   420fb68429b8a21700   | movzx               eax, byte ptr [rcx + r13 + 0x17a2b8]
            //   88840d30050000       | mov                 byte ptr [rbp + rcx + 0x530], al
            //   488d4901             | lea                 rcx, [rcx + 1]
            //   84c0                 | test                al, al
            //   75e8                 | jne                 0xffffffea
            //   488d8530050000       | lea                 rax, [rbp + 0x530]

        $sequence_9 = { 84c0 75e8 488d85900c0000 4038bd900c0000 7413 0f1f840000000000 }
            // n = 6, score = 100
            // x64 (hand-decoded): loop tail, then compares first byte of a stack buffer with dil
            //   84c0                 | test                al, al
            //   75e8                 | jne                 0xffffffea
            //   488d85900c0000       | lea                 rax, [rbp + 0xc90]
            //   4038bd900c0000       | cmp                 byte ptr [rbp + 0xc90], dil
            //   7413                 | je                  0x15
            //   0f1f840000000000     | nop                 dword ptr [rax + rax]

        $sequence_10 = { 7410 488d9560260000 488bc8 ff15???????? 488d1540421700 498bcd }
            // n = 6, score = 100
            // x64 (hand-decoded): indirect API call with rcx/rdx arguments
            //   7410                 | je                  0x12
            //   488d9560260000       | lea                 rdx, [rbp + 0x2660]
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + disp32]  (disp wildcarded)
            //   488d1540421700       | lea                 rdx, [rip + 0x174240]
            //   498bcd               | mov                 rcx, r13

        $sequence_11 = { 4c8d0504930000 488d1501930000 e8???????? 488bf8 4885c0 7410 }
            // n = 6, score = 100
            // x64 (hand-decoded): call with two RIP-relative pointer arguments, NULL-check of the result
            //   4c8d0504930000       | lea                 r8, [rip + 0x9304]
            //   488d1501930000       | lea                 rdx, [rip + 0x9301]
            //   e8????????           | call                (rel32 wildcarded)
            //   488bf8               | mov                 rdi, rax
            //   4885c0               | test                rax, rax
            //   7410                 | je                  0x12

        $sequence_12 = { 0f84e4030000 eb07 4c8d1d2e20ffff 443be3 458bec }
            // n = 5, score = 100
            // x64 (hand-decoded)
            //   0f84e4030000         | je                  0x3ea
            //   eb07                 | jmp                 9
            //   4c8d1d2e20ffff       | lea                 r11, [rip - 0xdfd2]
            //   443be3               | cmp                 r12d, ebx
            //   458bec               | mov                 r13d, r12d

        $sequence_13 = { 84c0 75e8 488d8520050000 4438bd20050000 }
            // n = 4, score = 100
            // x64 (hand-decoded): same loop-tail shape as $sequence_9 with a different buffer and r15b
            //   84c0                 | test                al, al
            //   75e8                 | jne                 0xffffffea
            //   488d8520050000       | lea                 rax, [rbp + 0x520]
            //   4438bd20050000       | cmp                 byte ptr [rbp + 0x520], r15b

        $sequence_14 = { 4883c020 4883f860 7ccf 488d15f85c1700 488d0d41e60100 4c8d0552e60100 }
            // n = 6, score = 100
            // x64 (hand-decoded): 0x20-byte stride loop bounded at 0x60, then three RIP-relative pointers loaded
            //   4883c020             | add                 rax, 0x20
            //   4883f860             | cmp                 rax, 0x60
            //   7ccf                 | jl                  0xffffffd1
            //   488d15f85c1700       | lea                 rdx, [rip + 0x175cf8]
            //   488d0d41e60100       | lea                 rcx, [rip + 0x1e641]
            //   4c8d0552e60100       | lea                 r8, [rip + 0x1e652]

        $sequence_15 = { 4c8d3d70081700 0f1f840000000000 413bf4 0f8dae000000 }
            // n = 4, score = 100
            // x64 (hand-decoded): loop header comparing esi against r12d
            //   4c8d3d70081700       | lea                 r15, [rip + 0x170870]
            //   0f1f840000000000     | nop                 dword ptr [rax + rax]
            //   413bf4               | cmp                 esi, r12d
            //   0f8dae000000         | jge                 0xb4

    condition:
        // 7 of 16 sequences: in practice 7 of the 8 sequences of whichever architecture the sample is.
        // filesize guard applies to on-disk scans; see REVIEW NOTES for memory scans.
        7 of them and filesize < 3244032
}