ESET researchers discovered a campaign that uses two malicious tools with similar capabilities to ensure both resilience and broader potential for the attackers.

We've discovered an ongoing campaign in the Balkans spreading two tools having a similar purpose: a backdoor and a remote access trojan we named, respectively, BalkanDoor and BalkanRAT.

BalkanRAT enables the attacker to control the compromised computer remotely via a graphical interface, i.e., manually; BalkanDoor enables them to control the compromised computer remotely via a command line, i.e., possibly en masse. A typical victim of this campaign, which uses malicious emails as its spreading mechanism, ends up having both these tools deployed on the computer, each of them capable of fully controlling the affected machine. This rather uncommon setup makes it possible for the attackers to choose the most suitable method to instruct the computer to perform operations of their choice. ESET security products detect these threats as Win/BalkanRAT and Win32/BalkanDoor.

The campaign's overarching theme is taxes. With the contents of the emails, the included links and the decoy PDFs all involving taxes, the attackers are apparently targeting the financial departments of organizations in the Balkans region. Thus, although backdoors and other tools for remote access are often used for espionage, we believe that this particular campaign is financially motivated.

The campaign has been active at least from January 2016 to the time of writing (the most recent detections in our telemetry are from July 2019). Some parts of the campaign were briefly described by a Serbian security provider in 2016 and by the Croatian CERT in 2017. Each of these sources focused only on one of the two tools and only on a single country.