14.8.19

In the Balkans, businesses are under fire from a double-barreled weapon


ESET researchers discovered a campaign that uses two malicious tools with similar capabilities to ensure both resilience and broader potential for the attackers.

We’ve discovered an ongoing campaign in the Balkans spreading two tools having a similar purpose: a backdoor and a remote access Trojan we named, respectively, BalkanDoor and BalkanRAT.

BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface, i.e., manually; BalkanDoor enables them to remotely control the compromised computer via a command line, i.e., possibly en masse. ESET security products detect these threats as Win{32,64}/BalkanRAT and Win32/BalkanDoor.

A typical victim of this campaign, which uses malicious emails as its spreading mechanism, ends up having both these tools deployed on their computer, each of them capable of fully controlling the affected machine. This rather uncommon setup makes it possible for attackers to choose the most suitable method to instruct the computer to perform operations of their choice.

The campaign’s overarching theme is taxes. With the contents of the emails, included links and decoy PDFs all involving taxes, the attackers are apparently targeting the financial departments of organizations in the Balkans region. Thus, although backdoors and other tools for remote access are often used for espionage, we believe that this particular campaign is financially motivated.

The campaign has been active at least from January 2016 to the time of writing (the most recent detections in our telemetry are from July 2019). Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017. Each of these sources focused only on one of the two tools and only on a single country. However, our research shows that there is a significant overlap in targets and also in the attackers’ tactics, techniques and procedures.

Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia, Serbia, Montenegro, and Bosnia and Herzegovina.

Our research has also shed more light on the malware used in this campaign and provided some context. We’ve discovered a new version of BalkanDoor with a new method of execution/installation: an exploit of the WinRAR ACE vulnerability (CVE-2018-20250). Further, we’ve seen both malicious tools digitally signed with various certificates the developers paid for to add perceived legitimacy. One of them, issued to SLOW BEER LTD, was still valid at the time of writing; we’ve notified the issuer about the misuse and they revoked the certificate.

In this article, we will describe some notable features of both BalkanDoor and BalkanRAT. Our analysis shows that the former runs as a Windows service, which allows it to remotely unlock the Windows logon screen without the password, or to start a process with the highest possible privileges. The latter misuses a legitimate remote desktop software (RDS) product and uses extra tools and scripts to hide its presence from the victim, such as hiding its window, tray icon, process and so on.

Targets and distribution
Both BalkanRAT and BalkanDoor spread in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina. (These countries, along with Slovenia and what is now North Macedonia, formed the country of Yugoslavia until 1992.)

Find the complete article on:


13.8.19

#MissionChampion: ESET becomes Champion Partner of top German Bundesliga team, Borussia Dortmund



Leading European IT security vendor joins BVB defense

ESET, a cybersecurity vendor headquartered in Bratislava, Slovakia, is the new Champion Partner of the Borussia Dortmund (BVB) football club – the highest possible level of partnership. The sponsorship and cooperation plans are long-term and will run for the next three seasons of the Bundesliga, the top tier of German football. ESET will be supporting the fans of the eight-time German Champion with activities and initiatives at all 17 home matches in the Bundesliga.

“Borussia Dortmund is one of the most popular and well-liked teams in European club football,” happily noted Richard Marko, CEO of ESET. “Just like BVB, ESET is also passionate and dedicated towards its fans. That’s why sponsoring Borussia Dortmund is an ideal place to meet so many enthusiastic supporters who want to enjoy great football whether that’s on the field or while staying cyber safe and streaming online.”

Hans-Joachim Watzke, CEO of Borussia Dortmund, also announced: “ESET and Borussia Dortmund are united by their international appeal. Here, two brands popular in their respective backgrounds meet. ESET stands for exactly those values that BVB embodies: reliability, passion, courage and integrity. From the very beginning our meetings were characterized by focus and mutual trust. We are very happy to welcome ESET to our team of Champion Partners.”

True love meets true security
The Internet has significantly changed the way people experience their lives, and football is no exception. ESET joining forces with BVB brings the worlds of football and internet safety closer together. This is especially important given the new spectrum of possibilities and activities, such as streaming matches on the go, connecting with fellow fans abroad, or hunting for rare collectables, which have become a massive part of fandom and the game itself.

Activities for fans throughout the season
Fans can expect great activities during BVB matches surrounding the topic of “cybersecurity and soccer” both online and offline. So, let’s cheer on the black and yellow this August 17 as they battle for a home victory against Augsburg.