Hacker Group XDSpy Distributes Malware in Russia under the Guise of Subpoenas for the Army

XDSpy hacker group

In early October, Kaspersky Lab experts recorded a targeted attack on Russian organizations: attackers from the XDSpy hacker group sent several hundred malicious emails exploiting the topic of the so-called “partial mobilization”.

Recall that dictator Vladimir Putin in September announced the mobilization into the armed forces of Russia against the backdrop of a series of defeats during the aggression against Ukraine.

“Partial mobilization” in Russia

And we also note that Kaspersky Lab may well be connected with the Russian intelligence, therefore we do not recommend treating information from this company with full confidence, and we also do not recommend using the company’s products.

Let me remind you that we wrote that Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp, and also that State Department Offers $1 million for Info on Russian Hackers.

Researchers write that in the first working week of October they discovered the distribution of malicious emails. The messages claimed that, because the recipient had refused to receive a conscription summons, they were required to appear urgently at the appointed place and time. More detailed information was allegedly given in the summons, in PDF format, which had to be downloaded from a link.

The letter is carefully prepared and looks believable: it contains references to the articles of the Criminal Code of the Russian Federation, the heraldry and style of the relevant department. In the text, the perpetrators threaten the victims with possible fines and criminal liability.

The link to the fake summons leads to an archive containing an executable Windows Script File (.wsf). If the file is opened, it imitates a download and displays in the browser a PDF document that mimics the scanned summons, but in parallel it creates the file AnalysisLinkManager.exe in the temporary folder and runs it.
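The infection chain described above (a .wsf script executed by Windows Script Host that drops and runs an executable from the temporary folder) leaves a recognisable parent/child pattern in process-creation telemetry. The following Python sketch is an added example, not code from the article or from Kaspersky Lab: it runs a simple detection over constructed sample events shaped like simplified process-creation records (pid, parent pid, image path, command line). The sample paths, the `summons.wsf` file name and the pid values are assumptions made up for the example; only the dropped file name AnalysisLinkManager.exe comes from the article.

```python
"""Detection sketch for a WSF-dropper chain: a Windows Script Host process
(wscript.exe / cscript.exe) running a .wsf file spawns an .exe located in a
temp directory. The events below are constructed sample data, not real
telemetry from the campaign.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Matches a "\Temp\" or "\tmp\" path component, case-insensitively.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
WSF_RE = re.compile(r"\.wsf\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started process
    cmdline: str    # command line of the started process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_wsf_dropper_chains(events):
    """Return (script_host_pid, child_image) pairs for every process that was
    started from a temp directory by a script host executing a .wsf file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        parent_is_wsf_host = (
            basename(parent.image) in SCRIPT_HOSTS
            and WSF_RE.search(parent.cmdline) is not None
        )
        child_is_temp_exe = (
            e.image.lower().endswith(".exe")
            and TEMP_DIR_RE.search(e.image) is not None
        )
        if parent_is_wsf_host and child_is_temp_exe:
            hits.append((parent.pid, e.image))
    return hits


# Constructed sample events (hypothetical pids and paths).
SAMPLE_EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # User double-clicks the extracted script: explorer starts wscript.exe.
    ProcEvent(4100, 4000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Downloads\summons.wsf"'),
    # Decoy: the script opens the fake PDF in the browser (not flagged).
    ProcEvent(4200, 4100, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
              r'msedge.exe "C:\Users\user\AppData\Local\Temp\summons.pdf"'),
    # Payload dropped into the temp folder and executed by the script host.
    ProcEvent(4300, 4100, r"C:\Users\user\AppData\Local\Temp\AnalysisLinkManager.exe",
              "AnalysisLinkManager.exe"),
    # Benign: a logon script host that spawns nothing from temp.
    ProcEvent(4400, 4000, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe \\fileserver\netlogon\logon.vbs"),
    ProcEvent(4500, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for host_pid, child in find_wsf_dropper_chains(SAMPLE_EVENTS):
        print(f"suspicious: script host pid {host_pid} started {child}")
```

The decoy browser launch is deliberately not flagged: the rule keys on the combination of a .wsf script host and an executable living under a temp directory, which is the part of the chain a legitimate script rarely reproduces. In a production rule the same logic would be expressed over real EDR or Sysmon process-creation events, with the temp-path list extended to the paths your environment actually uses.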

It is noted that the malware and techniques used have many similarities with the tools of the XDSpy hack group. In particular, the source code of the malicious WSF script and the launch methods, as well as partially the names of the files, coincide with the versions of previous years.

The goals of the XDSpy group are espionage, theft of documents and other files, and theft of credentials for corporate mailboxes.

“This campaign uses a number of techniques that allow attackers to penetrate and gain a foothold in the system, such as targeted phishing mailings, imitation of letters from regulators, use of the current news agenda, and displaying the image that the user expects. This is traditional for XDSpy,” comments Andrey Kovtun, Head of the Mail Threat Protection Group at Kaspersky Lab.

We also recall that the best way to survive for Russian soldiers and conscripts who have received a real summons and got into the territory of Ukraine is to surrender to the Ukrainian armed forces.

By Vladimir Krasnogolovy
