The security company ESET has recently revealed an espionage toolkit called SBDH, used in campaigns targeting government organizations in Europe. Infections have been spotted in many countries, including the Czech Republic, Hungary, Poland, Slovakia and Ukraine.
The main purpose of the SBDH toolkit is to steal sensitive data from victims' computers. ESET's experts had already detected other samples of the toolkit during the past year, used in attacks against government and public institutions. The attackers targeted organizations that specialize in economic growth and cooperation.
“Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed SBDH toolkit. Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, which are mostly focused on economic growth and cooperation in Central and Eastern Europe.” ESET reported.
The attackers delivered the SBDH downloader via spear-phishing emails. Although it is crafted to look like a legitimate Microsoft application, once executed SBDH starts the attack by downloading the toolkit's components, an information stealer and a backdoor, from the C&C server.
The cyber espionage toolkit uses several methods to connect to its remote server. First, it attempts to use the HTTP protocol. If that fails, the toolkit tries to communicate via SMTP through a free external gateway. Older variants of the same malware were also able to communicate through Microsoft Outlook Express if the other methods failed. Sending emails through the victim's own account allows the espionage tools to bypass security measures.
According to the security experts, recent versions of the SBDH toolkit have improved their HTTP communications by disguising the malicious traffic as fake JPEG and GIF image files. If the C&C server is unavailable, the backdoor component uses a hard-coded URL pointing to a fake image, hosted on a free blog page, that contains the address of an alternative C&C server. The researchers also noted that the SBDH toolkit lets attackers specify exactly which types of files to steal.
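As an added illustration (not ESET's code or a sample from the campaign), one simple defensive heuristic for the fake-image carrier described above: walk a JPEG's marker structure to find where the image really ends and report any bytes appended after it. It assumes the hidden data sits after the structural end of the image; the sample bytes and URL are constructed placeholders, and a GIF would be checked the same way by walking its blocks to the 0x3B trailer.

```python
# Added example (not ESET's code): flag "image" files that carry bytes after
# their structural end, one form of the fake-JPEG carrier the article describes.
# Sample bytes are constructed; the URL is a placeholder, not a real indicator.

def jpeg_end(d: bytes):
    """Offset just past the EOI marker (FF D9), or None if the JPEG is malformed."""
    if d[:2] != b"\xff\xd8":
        return None
    i, n = 2, len(d)
    while i + 1 < n:
        if d[i] != 0xFF:
            return None                                   # a marker must start here
        m = d[i + 1]
        if m == 0xFF:                                     # fill byte before a marker
            i += 1
        elif m == 0xD9:                                   # EOI: structural end of image
            return i + 2
        elif m == 0x01 or 0xD0 <= m <= 0xD7:              # standalone TEM/RSTn markers
            i += 2
        elif i + 3 < n and int.from_bytes(d[i + 2:i + 4], "big") >= 2:
            i += 2 + int.from_bytes(d[i + 2:i + 4], "big")  # skip length-prefixed segment
            if m == 0xDA:                                 # SOS: skip entropy-coded data
                while i + 1 < n and not (d[i] == 0xFF and d[i + 1] not in (0x00, 0xFF)
                                         and not 0xD0 <= d[i + 1] <= 0xD7):
                    i += 1                                # FF00 is stuffing, FFD0-D7 restarts
        else:
            return None
    return None                                           # ran out of data before EOI

def trailing_bytes(d: bytes):
    """Number of bytes appended after the JPEG ends; None if it is not a parsable JPEG."""
    end = jpeg_end(d)
    return None if end is None else len(d) - end

# Constructed sample: a minimal, structurally valid JPEG and a placeholder payload.
PAYLOAD = b"http://c2.example.invalid/"                  # constructed placeholder
JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # SOI + APP0
        b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\x00\x56\xff\xd9")   # SOS + data + EOI

if __name__ == "__main__":
    for label, blob in (("clean", JPEG), ("appended", JPEG + PAYLOAD), ("truncated", JPEG[:-2])):
        print(label, trailing_bytes(blob))
```

A non-zero result on a file served as an image is worth a closer look; None means the file does not even parse as a JPEG.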
Some of the samples analyzed by the ESET experts implemented an interesting persistence method: replacing the handler for Word documents, so that the malware is executed every time the victim opens a Word document. In addition, the researchers found many similarities between the SBDH toolkit and malicious code used by the threat actors behind Operation Buhtrap, a cybercriminal group targeting Russian banks.