July 6, 2016
Recently, the security company ESET revealed an espionage toolkit called SBDH, used in espionage campaigns targeting government organizations in Europe. Infections have been spotted in many countries, including the Czech Republic, Hungary, Poland, Slovakia and Ukraine.
The main purpose of the SBDH toolkit is to steal sensitive data from victims' computers. Over the past year, ESET experts have detected other samples of the toolkit used in attacks against government and public institutions. The attackers targeted organizations that specialize in economic growth and cooperation.
“Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed SBDH toolkit. Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, which are mostly focused on economic growth and cooperation in Central and Eastern Europe.” ESET reported.
The hackers delivered the SBDH downloader via spear-phishing emails. The downloader is crafted to look like a legitimate Microsoft application; once executed, it starts the attack by fetching the toolkit's components, an information stealer and a backdoor, from the C&C server.
The cyber espionage toolkit uses several methods to reach its remote server. First, it attempts to use the HTTP protocol. If that fails, the toolkit tries to communicate via the SMTP protocol through a free external gateway. Older variants of the same malware could also fall back to Microsoft Outlook Express if the other methods failed. Sending email through the victim's own account allows the espionage tools to bypass security measures, since the traffic blends in with legitimate mail.