Delaware, USA – August 15, 2019 – The campaign aimed at financial institutions in the Balkans started back in 2016 and continues to this day. The attackers keep improving their primary tools and experimenting with malware delivery methods. ESET experts linked the use of BalkanDoor and BalkanRAT to a single campaign and published a detailed malware analysis mapped to the MITRE ATT&CK framework. Almost all the targets are located in Croatia, Bosnia and Herzegovina, and Serbia.

The malware is distributed via emails containing links to tax-themed documents; the links lead to sites that mimic the legitimate websites of official institutions. When a user clicks the link, a WinRAR self-extracting archive is downloaded to their system, which installs BalkanDoor or BalkanRAT and opens a decoy PDF document to reduce suspicion. Since 2019, the group has adopted the WinRAR vulnerability CVE-2018-20250 and begun signing its tools with various digital certificates.

BalkanDoor supports a small number of commands: after installation it registers the infected system with the command-and-control server and waits for instructions, which arrive in the form of INI files. The backdoor can download and install other malware, create a remote shell, and take screenshots. It can also execute commands via cmd.exe and unlock the screen. BalkanRAT installs remote desktop software and keeps it hidden and running on the compromised system.
Almost all attacked systems were infected with both malware strains. Experts suggest that the attackers use screenshots to determine when the victim is away from the computer, then unlock the screen and use the remote desktop software to gain full access to the system. You can detect exploitation of the WinRAR vulnerability (CVE-2018-20250) with the rules available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/1474/
You can also explore techniques indicated in the article in the MITRE ATT&CK section: https://tdm.socprime.com/att-ck/