The XDSpy cyberespionage operation used multiple malicious Windows LNK (shortcut) files in March to compromise Eastern European government organizations with the XDigo malware, The Hacker News reports.
The attacks involved nine LNK files exploiting a Windows shortcut-handling flaw tracked as ZDI-CAN-25373, delivered inside ZIP archives that contained a second ZIP archive holding a PDF decoy, a rogue DLL, and a renamed legitimate executable, according to an analysis by French cybersecurity firm HarfangLab. XDSpy uses the rogue DLL, ETDownloader, to launch XDigo, which can harvest files and clipboard contents, capture screenshots, and execute commands or binaries received from a remote server. The researchers also observed malware artifacts in Russian financial and retail entities. "XDSpy's focus is also demonstrated by its customized evasion capabilities, as their malware was reported as the first malware attempting to evade detection from PT Security's Sandbox solution, a Russian cybersecurity company providing service to public and financial organizations in the Russian Federation," the researchers added.