|Type your keyword...|Col2| |---|---| # Espionage toolkit targeting Central and Eastern Europe uncovered **[BY TOMÁŠ GARDOŇ POSTED 1 JUL 2016 - 11:30AM](http://www.welivesecurity.com/author/tgardon/)** **[MALWARE](http://www.welivesecurity.com/category/malware/)** **Over the course of the last year, ESET has detected and analyzed several instances of malware used for** **targeted espionage – dubbed SBDH toolkit. Using powerful filters, various methods of communication�** ----- **Central and Eastern Europe. ESET s SBDH findings were presented during the �Copenhagen Cybercrime** **Conference 2016 by researchers Tomáš Gardoň and Robert Lipovský.** **This toolkit – actually only its initial part – was spreading as an executable with a double extension attached** **to a phishing email (counting on Windows’ default behavior of hiding an extension). To further increase its** **chances of being run by the receiver, it uses legitimate looking icons of several Microsoft applications or a** **Word document.** ----- **Upon successful execution, the malware contacts a remote location in order to download two other main** **components of the toolkit: a backdoor and a data stealer. The combination of these modules provides the** **attacker not only with full remote control of the compromised computer, but also with an advanced method** **of data exfiltration.�** **Thanks to powerful filters the operator can specify in great detail which data should be exfiltrated, using�** **conditions such as file extension, date of creation, file size and others. These can be modified via the�** **malware configuration files.�** ----- **depends heavily on handling network communication.** **To increase its chances, it uses multiple methods for connection. First it attempts to use HTTP protocol. If** **that fails, the SBDH malware opts for a second method and tries to communicate via SMTP protocol using** **a free external gateway.** **As a last resort, it has the capability to communicate by injecting specially crafted emails into Microsoft** **Outlook Express. This way, injected emails were sent under the account of the currently logged user,** **allowing the malware to bypass security measures (assuming the user had rights to send and receive** **emails). These malicious messages created by the malware were then placed directly in a victim’s outbox,** **to avoid their attention.** **In cases of incoming communication, the malware searched the victim’s inbox in order to identify emails** **received with a specific subject. If the toolkit found such emails, they were parsed and checked for�** **malware commands. Finally, the subjects of these emails were changed to prevent any further examination** **by the malware.** **However, this last option was only used up until 2006, when Outlook Express was replaced by the newer** **Windows Mail application. Since then, the developers of this toolkit have increasingly focused on** **improving the HTTP communication method and started camouflaging communications with the C&C�** **server by using fake image files (.JPG, .GIF) to carry the data.�** **In case of the C&C server’s unavailability, the backdoor component had yet another “backup solution” – a** **hard-coded URL pointing to a fake image (hosted on a free blog webpage) that contained the address of an** **alternative C&C server.** ----- **Some of the analyzed samples of this component implemented an interesting persistence method; the** **malware was replacing the handler for Word documents. It means, whenever the infected system tries to** **open/edit a Word document, the malware gets executed.** **Last but not least, if you are asking yourself where the name of the toolkit comes from, the “SBDH” string** **found in compilation paths of its downloader and – more interestingly – the string “B64SBDH”, acts as a** **trigger to download its remaining components from a remote server.** **Using similar techniques as the malware in** **[Operation Buhtrap, the SBDH espionage toolkit proves that](http://www.welivesecurity.com/2015/04/09/operation-buhtrap/)** **even advanced threats are still being spread via simple vectors, such as malicious email attachments. Yet,** **such risks can be spotted by properly trained staff in organizations and further mitigated by implementing a�** ----- **Hashes:** **1345b6189441cd1ed9036ef098adf12746ecf7cb** **15b956feee0fa42f89c67ca568a182c348e20ead** **f2a1e4b58c9449776bd69f62a8f2ba7a72580da2** **7f32cae8d6821fd50de571c40a8342acaf858541** **5DDBDD3CF632F7325D6C261BCC516627D772381A** **4B94E8A10C5BCA43797283ECD24DF24421E411D2** **D2E9EB26F3212D96E341E4CBA7483EF46DF8A1BE** **09C56B14DB3785033C8FDEC41F7EA9497350EDAE** **30** **LikeLike** **[Whats app](whatsapp://send?text=http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eastern-europe-uncovered/)** ### You might also be interested in: **LikeLike** **Malicious scripts in compromised websites and how to protect** **yourself** **30** **[Nemucod ups its game](http://www.welivesecurity.com/2016/06/16/nemucod-ups-its-game/)** **[Infrastructure attacks: The next generation](http://www.welivesecurity.com/2016/06/07/infrastructure-attacks-next-generation/)** ----- **Another malware wave hits Europe, mainly downloading Locky** **ransomware** **Recommend** **Share** **Sort by Best** ## Start the discussion… **Email...** **[About Us](http://www.welivesecurity.com/about-us/)** **Submit** ----- **[How To](http://www.welivesecurity.com/category/how-to/)** **[Expert Opinion](http://www.welivesecurity.com/category/opinion-2/)** **[Videos](http://www.welivesecurity.com/media/videos/)** **[Papers](http://www.welivesecurity.com/papers/conference-papers/)** **[Our Experts](http://www.welivesecurity.com/our-experts/)** **[Virus Radar](http://www.virusradar.com/)** **[Sitemap](http://www.welivesecurity.com/sitemap/)** **[Privacy](http://www.welivesecurity.com/privacy/)** **[Legal Information](http://www.welivesecurity.com/legal-information/)** **COPYRIGHT © 2016 ESET, ALL RIGHTS RESERVED.** -----