• Latest
  • Trending
Attackers Use Backdoor and RAT Cocktail to Target the Balkans

Attackers Use Backdoor and RAT Cocktail to Target the Balkans

August 15, 2019
Albanian Opposition Supports Government Earthquake Relief Efforts

Albanian Opposition Supports Government Earthquake Relief Efforts

December 3, 2019
IDF sends aid mission to earthquake-stricken Albania

IDF sends aid mission to earthquake-stricken Albania

December 3, 2019
Albania: Future uncertain for thousands of earthquake homeless

Albania: Future uncertain for thousands of earthquake homeless

December 3, 2019
YMCA Kosovo support Albanian families after deadly earthquake

YMCA Kosovo support Albanian families after deadly earthquake

December 1, 2019
Number of human trafficking cases dramatically increase in Belgium

Number of human trafficking cases dramatically increase in Belgium

December 1, 2019
EU mobilises emergency support to Albania after deadly earthquake

EU mobilises emergency support to Albania after deadly earthquake

December 1, 2019
Albania earthquake: Rescue efforts wind down

Albania earthquake: Rescue efforts wind down

November 30, 2019
Mayor Veliaj Uses Earthquake as Propaganda Opportunity

Mayor Veliaj Uses Earthquake as Propaganda Opportunity

November 30, 2019
Four Thousand Albanians Made Homeless after Devastating Earthquake

Four Thousand Albanians Made Homeless after Devastating Earthquake

November 29, 2019
Rama Announces Dubious Anti-corruption Legislation

Rama Announces Dubious Anti-corruption Legislation

November 29, 2019
Reports of Aid Being Refused in Camps, Arrests For Misapropriation

Reports of Aid Being Refused in Camps, Arrests For Misapropriation

November 29, 2019
Fear, evacuations and introspection in Albania after deadly quake

Fear, evacuations and introspection in Albania after deadly quake

November 29, 2019
Saturday, April 17, 2021
Tirana Chronicle
No Result
View All Result
  • Albanian News
  • World News
    • Africa
    • Asia
      • China
      • North Korea
    • Canada
    • Europe
    • Latin America
      • Mexico
    • Middle East
    • Russian Federation
    • United Kingdom
    • United States
  • National Security
    • Military
    • Politics
    • Terrorism
  • Business
    • Economy
    • Science
  • Sports
    • Soccer
    • Tennis
    • Olympics
  • Culture
    • Art
    • Books & Literature
    • Education
    • Family
    • Food & Drink
    • Health
    • History
  • Environment
    • Agriculture
    • Climate Change
    • Forests
  • Albanian News
  • World News
    • Africa
    • Asia
      • China
      • North Korea
    • Canada
    • Europe
    • Latin America
      • Mexico
    • Middle East
    • Russian Federation
    • United Kingdom
    • United States
  • National Security
    • Military
    • Politics
    • Terrorism
  • Business
    • Economy
    • Science
  • Sports
    • Soccer
    • Tennis
    • Olympics
  • Culture
    • Art
    • Books & Literature
    • Education
    • Family
    • Food & Drink
    • Health
    • History
  • Environment
    • Agriculture
    • Climate Change
    • Forests
No Result
View All Result
Tirana Chronicle
No Result
View All Result

Attackers Use Backdoor and RAT Cocktail to Target the Balkans

August 15, 2019
in Balkans, Featured, National Security, Tech
0
Home World News Europe Balkans
Post Views: 7

RelatedPosts

No Content Available

 

Several countries have been targeted by a long-term campaign operated by financially motivated threat actors who used a backdoor and a remote access Trojan (RAT) malicious combo to take control of infected computers.

The two malicious payloads dubbed BalkanDoor and BalkanRAT by the ESET researchers who spotted them have been previously detected in the wild by the Croatian CERT in 2017 and, even earlier, by a Serbian security outfit in 2016.

However, ESET was the first to make the connection between them, after observing several quite significant overlaps in the entities targeted by their operators, as well as Tactics, Techniques, and Procedures (TTP) similarities.

Financially-motivated campaign

The malware cocktail is dropped on the victims’ computers via malspam emails linking to malicious files. Once infected, the attackers can gain full control of the compromised hosts, either via command line with the help of the BalkanDoor payload or via a graphical interface with the help of BalkanRAT.

“This rather uncommon setup makes it possible for attackers to choose the most suitable method to instruct the computer to perform operations of their choice,” adds ESET.

The hackers behind this campaign have been observed while attacking entities from Croatia, Serbia, Montenegro, and Bosnia and Herzegovina.

Also, they are financially motivated based on the obvious focus of the spam emails which delivered various types of tax document attachments and the fact that their targets all seem to be part of the organizations’ financial departments.

The malspam emails delivered to the victims used domains designed to impersonate legitimate websites from the targets’ countries to host their malicious payloads, with the domains ranging from tax administration and ministries of finance sites to ones that were supposedly hosting the country’s chamber of commerce.

ESET found that this campaign has been active since at least 2016 based on internal telemetry data, while the most recent BalkanDoor and BalkanRAT samples have been detected in July.

While the BalkanDoor backdoor malware does not come with an exfiltration channel to send collected data to its masters, BalkanRAT was observed by ESET “dropping a tool that can list available smart cards, via the SCardListReadersA/ SCardConnectA API functions.”

“Smart cards are usually issued by banks or governments for confirmation of the holder’s identity. If misused, smart cards can facilitate illegal/fraudulent activities, e.g. digitally signing a contract, validating a money transaction etc,” explains ESET’s report.

The two malicious payloads

Even though the BalkanDoor malware comes with limited functionality seeing that it supports a limited number of commands, the researchers have observed multiple variants since 2016, all of them featuring a different combo of capabilities which would allow them to create remote shells, to take screenshots, to unlock the victim’s screen without needing a password, or to download more payloads on the infected.

The backdoor is dropped on the targets’ systems via the malspam campaign (sometimes using decoy PDFs) which will drop the BalkanDoor payload and gain persistence with the help of a malicious script that will add new Registry keys and Startup entries.

Once it launches on the infected machines, the malware connects to one of several command and control (C2) centers stored within a hardcoded list and waits for commands from its masters. The attackers have the choice of controlling multiple compromised computers at once using INI files containing the list of machines supposed to run a specific set of commands.

The BalkanRAT remote access Trojan is a more capable piece of malware as ESET found, with the RAT dropping the Remote Utilities software on the compromised computers, a legitimate remote administration tool which will enable the attackers to remotely control their victims’ machines.

To conceal the dropped remote admin tool and avoid being detected by the user, BalkanRAT “can add exceptions to the firewall, hide the RDS’s window and its tray icon, and hide the presence of related processes in the task manager.”

This malware’s core component allows its masters to perform several tasks on the victim’s computer, from installing the BalkanRAT payload and injecting a userland rootkit to conceal the malicious processes it spawns to adding the firewall exceptions designed to help hide the remote admin tool.

“Since the tool BalkanRAT misuses is legitimate, it leverages the genuine Remote Utilities’ infrastructure for this communication (rutils.com, server.rutils.com); due to this, the communication may seem legitimate to the user – and to security products,” adds ESET.

While the RAT will most times hide only the processes used to perform its tasks, the researchers have also observed it hiding processes spawned by the BalkanDoor backdoor, a fact which further reinforces the connection between the two malware strains.

The campaign that targeted the financial staff of organizations from Croatia, Serbia, Montenegro, and Bosnia and Herzegovina during the last three years was also seen targeting Ukrainian notaries, allowing the attackers to misuse the notaries’ compromised computing systems to perform illegal operations in their name.

“Just as attackers may confirm a fraudulent transaction on behalf of a notary, they may perform a fraudulent transaction while impersonating a manager in a company’s financial department,” concludes ESET.

A list of BalkanDoor and BalkanRAT malware sample SHA-1 hashes are provided by the researchers at the end of their report, together with C2 server domains used in this campaign and MITRE ATT&CK techniques matrices for both malware strains.

Source :
Bleeping Computer
Tags: BackdoorMalwareRATRemote Access Trojan
ShareTweetShare

Related Posts

Albanian Opposition Supports Government Earthquake Relief Efforts
Albanian News

Albanian Opposition Supports Government Earthquake Relief Efforts

December 3, 2019
IDF sends aid mission to earthquake-stricken Albania
Albanian News

IDF sends aid mission to earthquake-stricken Albania

December 3, 2019
Albania: Future uncertain for thousands of earthquake homeless
Albanian News

Albania: Future uncertain for thousands of earthquake homeless

December 3, 2019
YMCA Kosovo support Albanian families after deadly earthquake
Albanian News

YMCA Kosovo support Albanian families after deadly earthquake

December 1, 2019
Number of human trafficking cases dramatically increase in Belgium
Albanian News

Number of human trafficking cases dramatically increase in Belgium

December 1, 2019
Next Post
Turkish drones start operating in northern Syria -ministry

Turkish drones start operating in northern Syria -ministry

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

4 × four =

Translate

Popular Post

Albanian Opposition Supports Government Earthquake Relief Efforts
Albanian News

Albanian Opposition Supports Government Earthquake Relief Efforts

December 3, 2019
0

  Democratic Party leader Lulzim Basha stated the opposition supports the government in its efforts to help citizens affected by...

Read more
Albania government denies links to organised crime

Albania government denies links to organised crime

May 30, 2019
The Brief: Western Balkans – a test for the EU’s expansion appetite

The Brief: Western Balkans – a test for the EU’s expansion appetite

May 31, 2019
Armaldo Kllogjeri to hold recital at Tirana’s Amphitheatre

Armaldo Kllogjeri to hold recital at Tirana’s Amphitheatre

May 31, 2019
Abu Sayyaf’s Dutch hostage killed in firefight in Sulu

Abu Sayyaf’s Dutch hostage killed in firefight in Sulu

June 1, 2019
  • About Us
  • Creative Commons
  • Disclaimer
  • Privacy Policy
  • Terms & Conditions
  • Contact Us

Topics

Follow Us

About Us

Tiranachronicle.com is part of Tirana Chronicle Media Group LLC, which delivers daily news around the globe.

© 2011 Tirana Chronicle

No Result
View All Result
  • Albanian News
  • World News
    • Africa
    • Asia
      • China
      • North Korea
    • Canada
    • Europe
    • Latin America
      • Mexico
    • Middle East
    • Russian Federation
    • United Kingdom
    • United States
  • National Security
    • Military
    • Politics
    • Terrorism
  • Business
    • Economy
    • Science
  • Sports
    • Soccer
    • Tennis
    • Olympics
  • Culture
    • Art
    • Books & Literature
    • Education
    • Family
    • Food & Drink
    • Health
    • History
  • Environment
    • Agriculture
    • Climate Change
    • Forests

© 2011 Tirana Chronicle