Attackers Use Backdoor And RAT Cocktail To Target The Balkans

By ISBuzz Team, Writer, Information Security Buzz | Aug 16, 2019 02:20 am PST

Several countries have been targeted by a long-term campaign operated by financially motivated threat actors who used a backdoor and a remote access Trojan (RAT) malicious combo to take control of infected computers. The two malicious payloads dubbed BalkanDoor and BalkanRAT by the ESET researchers who spotted them have been previously detected in the wild by the Croatian CERT in 2017 and, even earlier, by a Serbian security outfit in 2016. However, ESET was the first to make the connection between them, after observing several quite significant overlaps in the entities targeted by their operators, as well as Tactics, Techniques, and Procedures (TTP) similarities.

Richard Bejtlich, Principal Security Strategist
August 16, 2019 10:25 am

Thanks to this ESET report, network defenders have a rich variety of network indicators of compromise (IOCs) which they could leverage against robust network security monitoring data collected by the Corelight sensor. For example, investigators could analyze domain names in DNS logs, certificate details in SSL/TLS logs, Web traffic in HTTP logs (as the intruders appeared to serve malicious PHP files over HTTP, not HTTPS), email addresses in messages, and transferred files, recovered by the Corelight file extraction system. Corelight did not need previous knowledge of this activity in order to provide it to defenders. Rather, Corelight is always collecting these and other foundational NSM elements, and is ready to help security teams decide if they are affected by ESET's discovery.
