XDDown Downloader Malware Tool Threat Intel Advisory

###### Type Malware tool
###### Method of deployment Spear-phishing

XDDown is a downloader that is part of the XDSpy group's toolset. XDSpy is an espionage group that has been active since 2011; its operations, targeting organizations in Eastern Europe and the Balkans, were publicly documented in October 2020.

The group distributes the malware through spear-phishing. The email lures are updated frequently to exploit current events such as the pandemic. The emails carry ZIP or RAR archives containing a malicious LNK or PowerPoint file; in some cases there is no attachment at all and the email contains only a direct download link. Once the user opens the link or the attached file, a malicious script runs and drops XDDown on the compromised machine at %APPDATA%\WINinit\WINlogon.exe (the file and folder names imitate the legitimate Windows winlogon.exe and wininit.exe, which live under %SystemRoot%\System32, not under %APPDATA%). Persistence is achieved by registering the dropped executable under a Run key in the Windows registry, so that it is launched at each logon.

The key features of XDDown modules include:

  • XDRecon collects the host's technical specifications and OS details and reports them to the XDSpy command-and-control (C2) server.
  • XDList enumerates files with specific extensions (Office documents, PDFs, and address books) on the infected machine and reports the list.
  • XDMonitor monitors and records which removable devices are connected to the infected host.
  • XDUpload uploads the files of interest found by XDList to the XDSpy C2 server.
  • XDLoc gathers information about nearby Wi-Fi networks, which can be matched against maps of public Wi-Fi access points to track the victim's location.
  • XDPass extracts saved passwords from locally installed browsers.

Impact

  1. Reputational damage as customers and partners lose confidence in the organization.
  2. Business disruption and loss of revenue.
  3. Disclosure of PII and confidential documents.

Mitigation

  1. Run awareness training so employees can recognize phishing emails, including archive attachments and download-only lures.
  2. Deploy a spam filter.
  3. Deploy the latest security patches and updates for all systems.
  4. Use antivirus software.
  5. Use web filters to block malicious websites.
  6. Encrypt all sensitive company information.

Indicators of Compromise

SHA1
  • 63B988D0869C6A099C7A57AAFEA612A90E30C10F
  • BB7A10F816D6FFFECB297D0BAE3BC2C0F2F2FFC6
  • AE34BEDBD39DA813E094E974A9E181A686D66069
  • B807756E9CD7D131BD42C2F681878C7855063FE2
C&C Servers
Old network infrastructure
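As an added example (written for this page; not code from the original advisory, from XDSpy, or from any vendor), the following Python script turns the two host-level indicators given above into a hunting check: Run-key values that launch an executable at the WINinit\WINlogon.exe drop path, and files whose SHA1 matches the IoC list. The SAMPLE_RUN_ENTRIES dictionary (value names, user name "alice", the OneDrive and control entries) is constructed sample data; the SHA1 set is copied from the Indicators of Compromise section. The read_hkcu_run_entries function is an optional live-host variant that only works on Windows.

```python
import hashlib
import os
import re
import sys
from typing import Dict, Iterable, List, Tuple

# SHA1 IoCs from this advisory, lowercased for comparison.
XDDOWN_SHA1 = {
    "63b988d0869c6a099c7a57aafea612a90e30c10f",
    "bb7a10f816d6fffecb297d0bae3bc2c0f2f2ffc6",
    "ae34bedbd39da813e094e974a9e181a686d66069",
    "b807756e9cd7d131bd42c2f681878c7855063fe2",
}

# Drop location from the advisory: %APPDATA%\WINinit\WINlogon.exe.
# Only the tail is matched, case-insensitively, because the Run key may hold
# either the raw %APPDATA% form or the expanded per-user path. The legitimate
# winlogon.exe lives in System32 and has no "WINinit\" parent, so it won't match.
DROP_PATH_RE = re.compile(r"(?:^|\\)wininit\\winlogon\.exe$", re.IGNORECASE)

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# (value names and paths are made up for this example).
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "WINlogon": '"C:\\Users\\alice\\AppData\\Roaming\\WINinit\\WINlogon.exe"',
    "Updater": "%APPDATA%\\WINinit\\WINlogon.exe",
    "Control": "C:\\Windows\\System32\\winlogon.exe",  # legitimate name, wrong parent: no hit
}


def run_key_value_path(value: str) -> str:
    """Extract the executable path from a Run value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ")[0]


def is_xddown_drop_path(path: str) -> bool:
    """True if the path ends in WINinit\\WINlogon.exe under any prefix."""
    return bool(DROP_PATH_RE.search(path.strip().strip('"')))


def suspicious_run_entries(run_entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs whose command points at the drop path."""
    return [(name, cmd) for name, cmd in run_entries.items()
            if is_xddown_drop_path(run_key_value_path(cmd))]


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_is_ioc(sha1_hex: str) -> bool:
    return sha1_hex.lower() in XDDOWN_SHA1


def ioc_hash_hits(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Hash each existing file and return (path, sha1) for IoC matches."""
    hits = []
    for p in paths:
        if os.path.isfile(p):
            digest = sha1_of_file(p)
            if hash_is_ioc(digest):
                hits.append((p, digest))
    return hits


def read_hkcu_run_entries() -> Dict[str, str]:
    """Live-host variant (Windows only): enumerate the current user's Run key."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    entries: Dict[str, str] = {}
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
        _, value_count, _ = winreg.QueryInfoKey(key)
        for i in range(value_count):
            name, data, _ = winreg.EnumValue(key, i)
            entries[name] = str(data)
    return entries


if __name__ == "__main__":
    entries = read_hkcu_run_entries() or SAMPLE_RUN_ENTRIES
    for name, cmd in suspicious_run_entries(entries):
        print(f"[!] Run value '{name}' launches XDDown drop path: {cmd}")
    # On a live host, also hash the dropped binary if it exists.
    drop = os.path.join(os.environ.get("APPDATA", ""), "WINinit", "WINlogon.exe")
    for path, digest in ioc_hash_hits([drop]):
        print(f"[!] {path} matches XDDown IoC SHA1 {digest}")
```

The path check deliberately keys on the WINinit\WINlogon.exe tail rather than the full expanded path, so it catches both the literal %APPDATA% string and any per-user expansion; a hash match on its own would miss a recompiled sample, while the path and Run-key check survives that. On a real host, run it with the live Run-key reader and add HKLM's Run key and the other Run/RunOnce locations if your hunt needs wider coverage.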