Several countries have been targeted by a long-term campaign operated by financially motivated threat actors who used a backdoor and remote access Trojan (RAT) combo to take control of infected computers. The two malicious payloads, dubbed BalkanDoor and BalkanRAT by the ESET researchers who spotted them, had previously been detected in the wild by the Croatian CERT in 2017 and, even earlier, by a Serbian security outfit in 2016. However, ESET was the first to make the connection between them, after observing several quite significant overlaps in the entities targeted by their operators, as well as similarities in tactics, techniques, and procedures (TTPs).

Thanks to this ESET report, network defenders have a rich variety of network indicators of compromise (IOCs) which they can check against the robust network security monitoring (NSM) data collected by the Corelight sensor. For example, investigators could analyze domain names in DNS logs, certificate details in SSL/TLS logs, Web traffic in HTTP logs (the intruders appeared to serve malicious PHP files over HTTP, not HTTPS), email addresses in messages, and transferred files recovered by Corelight's file extraction system. Corelight did not need prior knowledge of this activity to provide this evidence to defenders. Rather, Corelight is always collecting these and other foundational NSM elements, and is ready to help security teams decide whether they are affected by ESET's discovery.
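One way to run such a check, shown here as an added example rather than code from Corelight or ESET: a small Python script that parses Zeek-format dns, http, ssl and files logs (the log format the Corelight sensor produces) and matches each log's relevant field against an IOC set. The domain, URI path, certificate subject and MD5 below are constructed placeholders, not indicators from the ESET report, and the log lines are constructed as well.

```python
"""Hunt report IOCs across Zeek-format dns, http, ssl and files logs.

Added example. The IOC values are constructed placeholders (not the
report's indicators) and the sample log lines are constructed too.
"""

# Constructed IOC set: placeholders standing in for a report's real indicators.
IOCS = {
    "domains": {"c2-placeholder.example"},
    "uri_paths": {"/placeholder/load.php"},        # PHP served over plain HTTP
    "cert_subjects": {"CN=placeholder-cert.example"},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of the empty string
}


def parse_zeek_log(text):
    """Parse a Zeek TSV log (#separator / #fields header) into a list of dicts."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Zeek writes the separator as an escape sequence such as \x09
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #types, #open, #close, #set_separator, ...
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split(sep))))
    return rows


def domain_match(name, domains):
    """True if name equals an IOC domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt(dns_log, http_log, ssl_log, files_log, iocs=IOCS):
    """Return (log, uid, host, matched_value) tuples for every IOC hit."""
    hits = []
    for r in parse_zeek_log(dns_log):
        if domain_match(r["query"], iocs["domains"]):
            hits.append(("dns", r["uid"], r["id.orig_h"], r["query"]))
    for r in parse_zeek_log(http_log):
        if domain_match(r["host"], iocs["domains"]) or r["uri"] in iocs["uri_paths"]:
            hits.append(("http", r["uid"], r["id.orig_h"], r["host"] + r["uri"]))
    for r in parse_zeek_log(ssl_log):
        if domain_match(r["server_name"], iocs["domains"]):
            hits.append(("ssl", r["uid"], r["id.orig_h"], r["server_name"]))
        elif r["subject"] in iocs["cert_subjects"]:
            hits.append(("ssl", r["uid"], r["id.orig_h"], r["subject"]))
    for r in parse_zeek_log(files_log):
        if r["md5"] in iocs["md5"]:
            hits.append(("files", r["conn_uids"], r["tx_hosts"], r["md5"]))
    return hits


# Constructed sample logs (one hit and one benign row each).
DNS_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery
#types\ttime\tstring\taddr\tport\taddr\tport\tstring
1565000000.100000\tCdns1\t10.0.0.5\t51000\t10.0.0.1\t53\twww.c2-placeholder.example
1565000001.200000\tCdns2\t10.0.0.6\t51001\t10.0.0.1\t53\tbenign.example.org
"""
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1565000002.000000\tChttp1\t10.0.0.5\t52000\t203.0.113.10\t80\tc2-placeholder.example\t/placeholder/load.php
1565000003.000000\tChttp2\t10.0.0.7\t52001\t203.0.113.20\t80\tcdn.example.org\t/index.html
"""
SSL_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tsubject
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1565000004.000000\tCssl1\t10.0.0.8\t53000\t203.0.113.30\t443\t-\tCN=placeholder-cert.example
1565000005.000000\tCssl2\t10.0.0.9\t53001\t203.0.113.40\t443\twww.example.org\tCN=www.example.org
"""
FILES_LOG = """#separator \\x09
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tmd5
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring
1565000006.000000\tFfile1\t203.0.113.10\t10.0.0.5\tChttp1\td41d8cd98f00b204e9800998ecf8427e
1565000007.000000\tFfile2\t203.0.113.20\t10.0.0.7\tChttp2\tffffffffffffffffffffffffffffffff
"""

if __name__ == "__main__":
    for hit in hunt(DNS_LOG, HTTP_LOG, SSL_LOG, FILES_LOG):
        print("%-5s uid=%-7s host=%-14s matched=%s" % hit)
```

Each hit carries the Zeek `uid` (or `conn_uids` for files), so an analyst can pivot from a matched domain or hash straight to the full connection record in conn.log; in production the IOC set would be loaded from the report rather than hard-coded, and the file-hash check should cover whatever hash fields the sensor is configured to emit, not only MD5.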