Press Center

ESET researchers uncover a campaign that uses two similar tools, a backdoor and a Remote Access Trojan, with an eye to financial gain

BRATISLAVA - ESET researchers have discovered a malicious campaign that has been underway since 2016 in four countries of the European Balkan region: Serbia, Croatia, Montenegro, and Bosnia and Herzegovina. The victims of this attack were financial departments of businesses.

The attackers use malicious emails with links leading to a malicious file as a spreading mechanism. “As the contents of the emails, including links and decoy PDFs, all revolve around taxes, the attackers are apparently targeting accountants in organizations within the region. Therefore, we believe that this campaign is financially motivated,” comments Zuzana Hromcová, ESET Researcher who conducted the investigation.

ESET researchers have uncovered two malicious tools that are instrumental to the campaign. The first tool is a backdoor, the second a Remote Access Trojan. ESET has named these tools BalkanDoor and BalkanRAT, respectively. “A typical victim of this campaign ends up having both these tools deployed on their computer, each of them capable of fully controlling the affected machine,” says Zuzana Hromcová.

This rather uncommon “two-tool” setup makes it possible for attackers to choose the most suitable method of controlling the affected computers. “BalkanRAT enables the attackers to remotely control the compromised computer manually, via a graphical interface. BalkanDoor enables them to remotely control the compromised computer via a command line, possibly en masse,” explains Zuzana Hromcová. ESET’s analysis of these malicious tools unveiled a number of notable features.

BalkanDoor, an otherwise simple backdoor, is capable of passwordless screen-unlocking, which is useful to the attackers in cases when a logged-in user locks their computer. Most recent samples of BalkanDoor leverage an exploit of a WinRAR ACE vulnerability, which allows the malware to be executed and installed even without the user executing any file.

BalkanRAT, on the other hand, misuses a legitimate commercial remote desktop software that can monitor the victim’s activity and manually control the computer. It also uses extra tools and scripts to hide its presence from the victim, such as hiding the window, the tray icon, and its processes.  Both BalkanDoor and BalkanRAT come digitally signed. “We have seen various certificates; one of them was even valid at the time of writing and has been revoked upon our notice,” concludes Hromcová.

ESET security products detect these threats as Win{32,64}/BalkanRAT and Win32/BalkanDoor.

For more details, read the blogpost, “In the Balkans, businesses are under fire from a double‑barreled weapon” on WeLiveSecurity.com. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.