ESET security firm has uncovered an espionage toolkit dubbed SBDH that was used in espionage campaigns targeting government organizations in Europe.

Security experts from ESET security firm have spotted an espionage toolkit dubbed SBDH that was used by threat actors in hacking operations targeting government organizations in Europe.

The research observed infections in many countries, including the Czech Republic, Hungary, Poland and Slovakia, and Ukraine.

The SBDH toolkit was designed to steal sensitive data from victim’s machines, experts from ESET have already detected other sample of the toolkit over the past year, hackers exploited it in attacks against government and public institutions.

Threat actors targeted organizations focused that specialize in economic growth and cooperation.

“Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed SBDH toolkit. Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, which are mostly focused on economic growth and cooperation in Central and Eastern Europe.” reported ESET in a blog post.

Attackers used to deliver the SBDH downloader via spear phishing emails, the threat is designed to appear as a legitimate Microsoft application, but once executed it starts the attack by downloading the toolkit components, an information stealer, and a backdoor, from the C&C server.

The cyber espionage toolkit uses multiple methods for connecting the remote server, it first attempts to use the HTTP protocol, in case of failure, it tries to communicate via SMTP protocol using a free external gateway. Older variants of the same malware were also able to communicate by using Microsoft Outlook Express if the other methods failed.

The trick of using emails through the victim’s account allows the cyber espionage tools to bypass security measures.

Experts explained that recent versions of the SBDH toolkit have been improving HTTP communications by disguising the malicious traffic using fake JPEG and GIF image files.

If the C&C server is not available, the backdoor component uses a hard-coded URL pointing to a fake image that is hosted on a free blog webpage and contains the address of an alternative C&C server.

Researcher notices that the SBDH toolkit allows attackers to discriminate the exact type of files to steal.

Some of the samples analyzed by the experts from ESET implemented an interesting persistence method by replacing the handler for Word documents. Everytime victims open a Word document executed the malware.

Malware experts from ESET found many similarities of the SBDH toolkit with malicious codes used by threat actors behind the Operation Buhtrap, a group of cybercriminals focused on Russian banks.

Pierluigi Paganini