ESET researchers discovered a campaign that uses two malicious tools with similar capabilities to ensure both resilience and broader potential for the attackers.
We’ve discovered an ongoing campaign in the Balkans spreading two tools with a similar purpose: a backdoor and a remote access Trojan, which we named BalkanDoor and BalkanRAT, respectively. BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface, i.e., manually; BalkanDoor enables them to remotely control the compromised computer via a command line, i.e., possibly en masse. ESET security products detect these threats as Win{32,64}/BalkanRAT and Win32/BalkanDoor.
A typical victim of this campaign, which uses malicious emails as its spreading mechanism, ends up with both of these tools deployed on their computer, each of them capable of fully controlling the affected machine. This rather uncommon setup lets the attackers choose the most suitable method to instruct the computer to perform operations of their choice.
The campaign’s overarching theme is taxes. With the contents of the emails, the included links and the decoy PDFs all involving taxes, the attackers are apparently targeting the financial departments of organizations in the Balkans region. Thus, although backdoors and other tools for remote access are often used for espionage, we believe that this particular campaign is financially motivated.
The campaign has been active at least from January 2016 to the time of writing (the most recent detections in our telemetry are from July 2019). Some parts of the campaign were briefly described by a Serbian security provider in 2016 and by the Croatian CERT in 2017. Each of these sources focused on only one of the two tools and on only a single country. However, our research shows that there is a significant overlap in targets and also in the attackers’ tactics, techniques and procedures.
Our findings show that the mentioned attacks have been orchestrated, and we consider them a single long-term campaign that spans Croatia, Serbia, Montenegro, and Bosnia and Herzegovina.
Our research has also shed more light on the malware used in this campaign and provided some context. We’ve discovered a new version of BalkanDoor with a new method of execution/installation: an exploit of the WinRAR ACE vulnerability (CVE-2018-20250). Further, we’ve seen both malicious tools digitally signed with various certificates the developers paid for to add perceived legitimacy. One of them, issued to SLOW BEER LTD, was even valid at the time of writing; we’ve notified the issuer about the misuse and they revoked the certificate.
In this article, we will describe some notable features of both BalkanDoor and BalkanRAT. Our analysis shows that the former runs as a Windows service, which allows it to unlock the Windows logon screen remotely and without the password, or to start a process with the highest possible privileges. The latter misuses a legitimate remote desktop software (RDS) product and uses extra tools and scripts to hide its presence from the victim, such as hiding its window, tray icon, process and so on.
Targets and distribution
Both BalkanRAT and BalkanDoor spread in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina. (These countries, along with Slovenia and former Macedonia, formed the country of Yugoslavia until 1992.)