Attackers Use Backdoor And RAT Cocktail To Target The Balkans

Several countries have been targeted by a long-term campaign operated by financially motivated threat actors who used a backdoor and remote access Trojan (RAT) combination to take control of infected computers. The two malicious payloads, dubbed BalkanDoor and BalkanRAT by the ESET researchers who spotted them, had previously been detected in the wild by the Croatian CERT in 2017 and, even earlier, by a Serbian security outfit in 2016. However, ESET was the first to make the connection between them, after observing several significant overlaps in the entities targeted by their operators, as well as similarities in the operators' tactics, techniques, and procedures (TTPs).

Richard Bejtlich, Principal Security Strategist, Corelight
August 16, 2019
Corelight did not need previous knowledge of this activity in order to provide it to defenders.
Thanks to this ESET report, network defenders have a rich variety of network indicators of compromise (IOCs) which they could leverage against robust network security monitoring data collected by the Corelight sensor. For example, investigators could analyze domain names in DNS logs, certificate details in SSL/TLS logs, Web traffic in HTTP logs (as the intruders appeared to serve malicious PHP fil ....
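The commentary above describes the defender's workflow in general terms: take the network IoCs from a report and sweep them across DNS, SSL/TLS and HTTP logs produced by a Zeek-style sensor. The following added example (not code from the article, from Corelight or from ESET) shows that sweep end to end. The log excerpts are constructed in Zeek's tab-separated format with abbreviated field sets, and every indicator value is a labelled placeholder; none of the domains or certificate subjects are real indicators from the report.

```python
"""Sweep constructed network IoCs across Zeek-style dns/ssl/http logs.

Added example. All IoC values and log lines are constructed placeholders,
not indicators taken from the ESET report on BalkanDoor/BalkanRAT.
"""
from typing import Dict, List, Set, Tuple

# Constructed placeholder indicators (NOT real IoCs from the report).
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
IOC_CERT_SUBJECTS = {"CN=placeholder-cert.example"}

# Constructed Zeek-style TSV excerpts. Real logs carry more columns; the
# parser below keys on the #fields header, so extra columns do not matter.
DNS_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name
#types\ttime\taddr\taddr\tstring\tstring
1565913600.1\t10.0.0.5\t10.0.0.1\tc2-placeholder.example\tA
1565913601.2\t10.0.0.6\t10.0.0.1\tintranet.corp.example\tA
"""

SSL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tserver_name\tsubject
#types\ttime\taddr\taddr\tstring\tstring
1565913610.0\t10.0.0.5\t203.0.113.10\tupdate-placeholder.example\tCN=placeholder-cert.example
1565913611.0\t10.0.0.7\t203.0.113.20\tmail.corp.example\tCN=mail.corp.example
"""

HTTP_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi
#types\ttime\taddr\taddr\tstring\tstring\tstring
1565913620.0\t10.0.0.5\t203.0.113.10\tGET\tc2-placeholder.example\t/files/payload.php
1565913621.0\t10.0.0.8\t203.0.113.30\tGET\twww.corp.example\t/index.html
"""

Hit = Tuple[str, str, str]  # (timestamp, internal host, matched value)


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek TSV: '#fields' names the columns, other '#' lines are
    metadata, and '-' marks an unset field (normalised to '')."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = ["" if v == "-" else v for v in line.split("\t")]
        if fields is None or len(values) != len(fields):
            raise ValueError(f"malformed Zeek TSV line: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def find_hits() -> Dict[str, List[Hit]]:
    """Match each log type against the indicators it can carry."""
    hits: Dict[str, List[Hit]] = {"dns": [], "ssl": [], "http": []}
    for r in parse_zeek_tsv(DNS_LOG):
        # Trailing dots and case differences should not hide a match.
        if r["query"].lower().rstrip(".") in IOC_DOMAINS:
            hits["dns"].append((r["ts"], r["id.orig_h"], r["query"]))
    for r in parse_zeek_tsv(SSL_LOG):
        # Either the SNI or the presented certificate subject can match.
        if (r["server_name"].lower() in IOC_DOMAINS
                or r["subject"] in IOC_CERT_SUBJECTS):
            hits["ssl"].append((r["ts"], r["id.orig_h"], r["server_name"]))
    for r in parse_zeek_tsv(HTTP_LOG):
        if r["host"].lower() in IOC_DOMAINS:
            hits["http"].append((r["ts"], r["id.orig_h"], r["host"] + r["uri"]))
    return hits


def affected_hosts(hits: Dict[str, List[Hit]]) -> Set[str]:
    """Pivot from per-log hits to the set of internal hosts to triage."""
    return {h[1] for matches in hits.values() for h in matches}


if __name__ == "__main__":
    found = find_hits()
    for log_type, matches in found.items():
        for ts, src, value in matches:
            print(f"{log_type}\t{ts}\t{src}\t{value}")
    print("hosts to triage:", sorted(affected_hosts(found)))
```

The pivot in `affected_hosts` is the step that matters in practice: a single host touching the same infrastructure across DNS, TLS and HTTP is a much stronger signal than any one log line, and it gives the responder a concrete list of machines to pull for host-based analysis.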
