Attackers Use Backdoor And RAT Cocktail To Target The Balkans

Several countries have been targeted by a long-term campaign operated by financially motivated threat actors who used a backdoor and a remote access Trojan (RAT) in combination to take control of infected computers. The two malicious payloads, dubbed BalkanDoor and BalkanRAT by the ESET researchers who spotted them, had previously been detected in the wild by the Croatian CERT in 2017 and, even earlier, by a Serbian security outfit in 2016. However, ESET was the first to make the connection between them, after observing several significant overlaps in the entities targeted by their operators, as well as similarities in tactics, techniques, and procedures (TTPs).

Experts Comments

August 16, 2019
Richard Bejtlich
Principal Security Strategist
Corelight
Thanks to this ESET report, network defenders have a rich variety of network indicators of compromise (IOCs) which they could leverage against robust network security monitoring data collected by the Corelight sensor. For example, investigators could analyze domain names in DNS logs, certificate details in SSL/TLS logs, Web traffic in HTTP logs (as the intruders appeared to serve malicious PHP files over HTTP, not HTTPS), email addresses in messages, and transferred files, recovered by the Corelight file extraction system. Corelight did not need previous knowledge of this activity in order to provide it to defenders. Rather, Corelight is always collecting these and other foundational NSM elements, and is ready to help security teams decide if they are affected by ESET's discovery.
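As an added illustration, not code from the article, ESET or Corelight, the kind of IOC matching over network security monitoring logs the comment describes: constructed Zeek-style dns.log and http.log records are checked against a placeholder IOC domain list (the field order and the indicator domains are assumptions, not values from the report), and cleartext .php fetches are listed separately for triage because the intruders reportedly served PHP over plain HTTP.

```python
from typing import Dict, List, Set

# Constructed placeholder indicators, not domains from the ESET report.
IOC_DOMAINS: Set[str] = {"c2.example-ioc.test", "update.example-ioc.test"}

# Constructed, Zeek-like tab-separated records; the column order is assumed here.
DNS_FIELDS = ["ts", "id.orig_h", "id.resp_h", "query", "rcode_name"]
DNS_LOG = """\
1565900000.1\t10.0.0.5\t10.0.0.2\twww.example.org\tNOERROR
1565900001.4\t10.0.0.7\t10.0.0.2\tc2.example-ioc.test\tNOERROR
1565900002.9\t10.0.0.7\t10.0.0.2\tcdn.update.example-ioc.test.\tNXDOMAIN
"""
HTTP_FIELDS = ["ts", "id.orig_h", "id.resp_h", "host", "uri", "status_code"]
HTTP_LOG = """\
1565900003.2\t10.0.0.7\t203.0.113.10\tc2.example-ioc.test\t/panel/gate.php\t200
1565900004.0\t10.0.0.5\t203.0.113.20\twww.example.org\t/index.html\t200
1565900005.5\t10.0.0.9\t203.0.113.30\tcdn.example.com\t/track.php\t200
"""

def parse_log(text: str, fields: List[str]) -> List[Dict[str, str]]:
    """Parse tab-separated records into dicts, skipping comments and malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue  # do not misattribute columns of a truncated record
        rows.append(dict(zip(fields, parts)))
    return rows

def matches_ioc(name: str, iocs: Set[str]) -> bool:
    """Exact or subdomain match, case-insensitive, ignoring a trailing dot."""
    name = name.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)

def dns_hits(records: List[Dict[str, str]], iocs: Set[str]) -> List[str]:
    """Source hosts that looked up an IOC domain (NXDOMAIN attempts included)."""
    return [r["id.orig_h"] for r in records if matches_ioc(r["query"], iocs)]

def http_hits(records: List[Dict[str, str]], iocs: Set[str]) -> List[str]:
    """Cleartext HTTP requests to IOC hosts; Zeek's http.log only holds plaintext HTTP."""
    return [f'{r["id.orig_h"]} -> {r["host"]}{r["uri"]}'
            for r in records if matches_ioc(r["host"], iocs)]

def cleartext_php_requests(records: List[Dict[str, str]]) -> List[str]:
    """Lower-confidence triage list: any .php resource fetched over plaintext HTTP."""
    return [r["host"] + r["uri"] for r in records if r["uri"].lower().endswith(".php")]
```

Subdomain matching is deliberate: an indicator list that only holds apex domains would otherwise miss lookups of hosts beneath them, while the .php list is only a starting point for review, not a verdict.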
