Espionage SBDH Toolkit used to target European Countries

The security firm ESET has uncovered an espionage toolkit, dubbed SBDH, that was used in campaigns targeting government organizations in Europe.

Security researchers at ESET have spotted an espionage toolkit, dubbed SBDH, that threat actors used in hacking operations targeting government organizations in Europe.

ESET observed infections in several countries, including the Czech Republic, Hungary, Poland, Slovakia and Ukraine.

The SBDH toolkit was designed to steal sensitive data from victims' machines. ESET had already detected other samples of the toolkit over the past year, used in attacks against government and public institutions.

The threat actors targeted organizations that specialize in economic growth and cooperation.

“Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed SBDH toolkit. Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, which are mostly focused on economic growth and cooperation in Central and Eastern Europe.” reported ESET in a blog post.

Attackers delivered the SBDH downloader via spear-phishing emails. The downloader is designed to look like a legitimate Microsoft application; once executed, it downloads the toolkit's two main components, an information stealer and a backdoor, from the C&C server.

The toolkit uses multiple methods to reach its C&C server: it first tries HTTP and, if that fails, falls back to SMTP through a free external email gateway. Older variants of the same malware could also send email through Microsoft Outlook Express if the other methods failed.

Sending email from the victim's own account lets the espionage tool bypass security measures that would otherwise block its communications.

ESET explained that recent versions of the SBDH toolkit have refined their HTTP communications, disguising the malicious traffic as fake JPEG and GIF image files.

If the C&C server is unreachable, the backdoor component falls back to a hard-coded URL pointing to a fake image hosted on a free blog page; that image contains the address of an alternative C&C server.
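As an added illustration of the detection side of the two points above (example code written for this article, not ESET's code and not a decoder for SBDH's real fake images, whose encoding the article does not describe): the check below treats an HTTP response that claims to be an image but does not start with a valid JPEG or GIF signature, or that carries extra bytes after the JPEG End-Of-Image marker, as suspicious. It is a generic heuristic for image-disguised traffic rather than a signature for this toolkit. The sample bodies, the content types and the 203.0.113.7 address are constructed for the demonstration.

```python
"""Heuristic check for C&C traffic hidden in 'image' responses.

Constructed example for this article, not ESET's code and not a decoder for
SBDH's real fake images. Two signals are used:
  1. the declared Content-Type must match the file signature of the body;
  2. a JPEG body must end exactly at its End-Of-Image (EOI) marker, so bytes
     appended after EOI (a common place to smuggle a payload) are reported.
"""

JPEG_SOI = b"\xff\xd8"
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def sniff_image_type(body):
    """Classify a body as 'jpeg', 'gif' or 'unknown' from its leading bytes."""
    if body.startswith(JPEG_SOI):
        return "jpeg"
    if body.startswith(GIF_SIGNATURES):
        return "gif"
    return "unknown"


def jpeg_end_offset(body):
    """Walk the JPEG marker structure and return the offset just past EOI.

    Returns None if the structure is malformed or truncated. Segments such as
    APP1/EXIF (which may embed a thumbnail JPEG) are skipped by their length
    field, so an inner EOI does not produce a false positive.
    """
    if not body.startswith(JPEG_SOI):
        return None
    n = len(body)
    pos = 2
    while pos + 1 < n:
        if body[pos] != 0xFF:
            return None                      # expected a marker here
        marker = body[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                         # standalone markers carry no length
            continue
        if pos + 3 >= n:
            return None
        seg_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            while pos + 1 < n:
                nxt = body[pos + 1]
                if body[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                    # real marker (stuffed FF00 / RSTn skipped)
                pos += 1
    return None


def inspect_image_response(content_type, body):
    """Return a list of findings for one HTTP response; empty means it looks benign."""
    findings = []
    declared = content_type.split(";")[0].strip().lower()
    expected = {"image/jpeg": "jpeg", "image/gif": "gif"}.get(declared)
    if expected is None:
        return findings                      # not claiming to be an image type we check
    actual = sniff_image_type(body)
    if actual != expected:
        findings.append(f"declared {declared} but body looks like {actual}")
        return findings
    if actual == "jpeg":
        end = jpeg_end_offset(body)
        if end is None:
            findings.append("malformed or truncated JPEG structure")
        elif end < len(body):
            findings.append(f"{len(body) - end} bytes appended after JPEG EOI")
    return findings


def minimal_jpeg():
    """Constructed JPEG skeleton: SOI, APP0, SOS with a few scan bytes, EOI.

    Not a renderable picture, but structurally valid for the marker walk.
    """
    app0 = b"\xff\xe0" + (2 + 5).to_bytes(2, "big") + b"JFIF\x00"
    sos = b"\xff\xda" + (2 + 1).to_bytes(2, "big") + b"\x01"
    scan = b"\x12\x34\xff\x00\x56"           # includes a stuffed FF00 byte pair
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed samples; 203.0.113.7 is a documentation address, not a real C&C.
    samples = [
        ("image/jpeg", minimal_jpeg()),
        ("image/jpeg", minimal_jpeg() + b"http://203.0.113.7/gate\n"),
        ("image/gif", b"<html>not an image</html>"),
        ("image/gif", b"GIF89a" + b"\x01\x00\x01\x00"),
    ]
    for ctype, body in samples:
        print(ctype, inspect_image_response(ctype, body) or "ok")
```

A proxy or NDR sensor can apply the same two checks to every response whose Content-Type is an image; a payload hidden inside the compressed scan data, rather than appended after EOI, would not be caught this way, so the check complements rather than replaces reputation and beaconing analysis.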

The researchers note that the toolkit's filters let attackers specify exactly which types of files to steal.

Some of the samples analyzed by ESET implemented an interesting persistence method: they replaced the registered handler for Word documents, so that every time the victim opened a Word document the malware was executed.
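A defender-side check for the persistence technique just described, as an added example (written for this article, not ESET's tooling): it reads the shell\open\command value behind the Word document ProgIDs and flags a handler that is not WINWORD.EXE under an Office directory, or that never receives the document path. The ProgID names, the expected Office path pattern and the sample command strings are assumptions for illustration; the article does not say which registry key SBDH modified, so this is a generic file-handler hijack check.

```python
"""Audit the Windows shell 'open' handler behind Word documents.

Constructed example for this article, not ESET's tooling. The evaluation
logic is pure Python so it runs anywhere; the registry read itself only works
on Windows. Assumptions: Word documents resolve to the Word.Document.8 /
Word.Document.12 ProgIDs and a healthy handler is WINWORD.EXE living under a
'Microsoft Office' directory. The exact key SBDH changed is not stated in the
article, so treat this as a generic hijack check.
"""
import os
import re
import sys

WORD_PROGIDS = ("Word.Document.8", "Word.Document.12")   # assumption: stock Office ProgIDs
EXPECTED_EXE = "winword.exe"


def parse_command(command):
    """Split a shell command value into (executable, arguments).

    Handles both '"C:\\path with spaces\\app.exe" args' and 'C:\\app.exe args'.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def expand_windows_env(path):
    """Expand %VAR% references from os.environ (os.path.expandvars only does this on Windows)."""
    return re.sub(r"%([^%]+)%", lambda m: os.environ.get(m.group(1), m.group(0)), path)


def assess_handler(command):
    """Return (verdict, detail) for one shell\\open\\command value."""
    exe, args = parse_command(command)
    exe = expand_windows_env(exe)
    normalized = exe.replace("/", "\\").lower()
    name = normalized.rsplit("\\", 1)[-1]
    if name != EXPECTED_EXE:
        return ("suspicious", f"handler runs {name!r} instead of {EXPECTED_EXE!r}")
    if "\\microsoft office" not in normalized:
        return ("suspicious", f"winword.exe outside an Office directory: {exe}")
    if "%1" not in args:
        return ("suspicious", "handler never receives the document path (%1)")
    return ("ok", exe)


def read_handler_command(progid):
    """Read HKCR\\<progid>\\shell\\open\\command (Windows only; raises elsewhere)."""
    import winreg                      # stdlib, present only on Windows builds of Python
    key_path = progid + r"\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key_path) as key:
        return winreg.QueryValue(key, None)


def audit_word_handlers(progids=WORD_PROGIDS):
    """Map each ProgID to its (verdict, detail); 'unreadable' if the key cannot be read."""
    results = {}
    for progid in progids:
        try:
            results[progid] = assess_handler(read_handler_command(progid))
        except (OSError, ImportError) as exc:
            results[progid] = ("unreadable", str(exc))
    return results


if __name__ == "__main__":
    if sys.platform == "win32":
        for progid, result in audit_word_handlers().items():
            print(progid, *result)
    else:
        # Constructed command values for offline demonstration.
        samples = [
            r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "%1" /o "%u"',
            r'"C:\Users\Public\Libraries\update.exe" "%1"',
            r'C:\Windows\System32\rundll32.exe C:\Users\Public\x.dll,Run "%1"',
            r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
        ]
        for cmd in samples:
            print(assess_handler(cmd))
```

The hijack can also be placed one layer up, in the extension-to-ProgID mapping (HKCR\.doc, HKCR\.docx) or in the per-user UserChoice keys, so a complete audit should confirm those still point at the expected ProgIDs before trusting the handler check alone.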

ESET's malware analysts also found several similarities between the SBDH toolkit and the malicious code used in Operation Buhtrap, a campaign run by a cybercriminal group that targeted Russian banks.

Pierluigi Paganini