According to our telemetry, the campaign spreading these tools has been live since 2016, with the most recent detections as late as in July 2019.
The attackers have been distributing their tools via malicious emails (“malspam”) with links leading to a malicious file.
The links included in the malspam emails used for distribution of both BalkanRAT and BalkanDoor mimic legitimate websites of official institutions.
The decoy PDFs revolve around the tax theme.
Figure 2. Decoy PDF documents
Most often, the links leading to an executable file are disguised as links to a PDF. The executable file is a WinRAR self-extractor with its name and icon changed to resemble a PDF to fool the user. When executed, it is configured to unpack its content, open the decoy PDF to prevent any suspicion – and silently execute either BalkanRAT or BalkanDoor.
In some of the latest samples of BalkanDoor detected in 2019, the malware is distributed as an ACE archive, disguised as a RAR archive (i.e., not an executable file), specially crafted to exploit the WinRAR ACE vulnerability (CVE-2018-20250). This vulnerability, which has been remediated in version 5.70 released on February 28th, 2019, is known to have been exploited quite often to distribute malware.
The exploit-based deployment of BalkanDoor is stealthier than in previous versions of the malware because it does not require executing the downloaded file – an operation that might raise the intended victim’s suspicions.
According to our telemetry, most of the time, both tools have been deployed on the same machine. The combination of the tools gives the attacker both a command-line interface and a graphical interface to the compromised computer.
In the case of the whole toolset being deployed on the machine, here is an example scenario for the attack:
The attacker detects that the victim has their screen locked and thus, most probably, is not using the computer (either via BalkanDoor sending a screenshot showing that the computer is locked, or via the View Only mode of BalkanRAT). Via the BalkanDoor backdoor, the attacker sends a command to unlock the screen… and using BalkanRAT, they can do whatever they want on the computer.
However, even if the victim does not use their computer, the chance of them spotting the actions performed by the attackers is still there. Even with this disadvantage, using the RDS tool may be useful. The attacker is not limited by the commands shipped in the backdoor, or by their programming skills: manually, they can perform actions that would require writing a lot of code if a backdoor was the only tool available.
In principle, the Balkan- toolset could be used for espionage, among other possible goals. However, not only the campaign’s targets and distribution, but also our analysis of the Balkan-toolset tools show that the attackers are going after money instead of espionage.
The BalkanDoor backdoor does not implement any exfiltration channel. Presumably, if the campaign were intended for espionage, the attackers would need an exfiltration channel for uploading the collected data – at least as a backup to manual exfiltration, which might not be always an option.
On the contrary – and supporting the notion that the attackers’ goal has been to commit some financial crime – we’ve seen BalkanRAT dropping a tool that can list available smart cards via the SCardListReadersA/SCardConnectA API functions. Smart cards are usually issued by banks or governments to confirm the holder’s identity. If misused, smart cards can facilitate illegal or fraudulent activities, e.g. digitally signing a contract, validating a money transaction, etc.
In the past, we’ve seen this feature in Operation Buhtrap, a campaign targeting Russian banks.
BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, ranging in supported commands, evolving since 2016.
The initial dropper unpacks all components, opens a decoy PDF (in some cases) and executes a batch installation script that ensures persistence of the backdoor.
The backdoor registers itself as a service under a legitimate-looking service name (e.g. WindowsSvc, WindowsPrnt, WindowsConn or WindowsErr); the accompanying batch scripts can further ensure persistence by using Registry Run keys or the Startup folder.
After the backdoor is installed, the computer connects to a C&C server, identifying itself by the computer name and requesting the commands. The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience. It connects via the HTTP or HTTPS protocol; if HTTPS is used, then the server certificates are ignored.
If the connection is not successful, the backdoor is capable of using the user-configured proxy on the victim’s computer and repeating the connection attempt.
The backdoor commands come in a format of an INI file, with properties determining the commands, command arguments and intended recipients. Specifying the list of recipients allows the attacker to send their commands to several compromised computers at once, e.g. to automatically take screenshots of all compromised computers.
Table 3. BalkanDoor’s commands

| Property | Description |
|---|---|
| cn | Specifies computer name(s) of the intended recipients of the commands |
| du, int | Download and execute a file |
| du, ra, de, rpo | Download and execute a file, in the specified context and on a specified desktop |
| rip | Create a remote shell accessible from the specified IP address |
| scr_int, scr_dur | Capture a series of screenshots of the specified duration |
Furthermore, the backdoor itself can be executed in several modes, determined by the command line arguments with which it is executed. These modes themselves can serve as backdoor commands (when executed from the remote shell):
Table 4. BalkanDoor’s modes

| Argument | Description |
|---|---|
| /unlock | Unlocks the screen |
| /rcmd | Creates a remote shell and redirects its input/output to the specified IP address |
| /takescr | Captures a series of screenshots, duration determined by other arguments |
| /run | Executes the specified command using cmd.exe |
| /runx | Executes the specified command using cmd.exe, on the active (input) desktop |
| /inst | Installs itself as a service and starts the main procedure (see /nosvc) |
| /start | Starts the associated service, which starts the main procedure (see /nosvc) |
| /nosvc | Main payload; communicates with the C&C and interprets backdoor commands |
Among the BalkanDoor capabilities, the most notable is passwordless screen-unlocking.
This feature comes in handy to the attackers in cases when a logged-in user locks the computer. The “Lock screen” is just another Desktop for the system, so any malware with the necessary privileges can switch to a real desktop by command. No password is required to perform this operation.
Figure 3. Code responsible for unlocking the computer when the backdoor is executed remotely with an “/unlock” argument
The BalkanRAT part of the malicious Balkan- toolset is more complex compared to its backdoor accomplice. Its goal is to deploy a copy of the Remote Utilities software, which is commercial software by a Russian vendor, Remote Utilities, LLC, used for remote access to a computer or for remote administration. BalkanRAT also provides the attacker with the credentials needed for this remote access.
BalkanRAT has several additional components to help load, install and conceal the existence of the RDS. They can add exceptions to the firewall, hide the RDS’s window and its tray icon, and hide the presence of related processes in the task manager.
Figure 4. Components used in the campaign to deploy and hide the presence of the RDS
- The dropper first unpacks all components: a configuration file, the remote desktop software and the core component that installs it, a userland rootkit, a GUI hider and a decoy PDF file.
- The dropper opens the PDF file so as not to arouse the user’s suspicion.
- Covertly, the dropper executes the core component (32-bit) in installation mode.
- The core component (32-bit) installs itself to be executed at each start and adds an exception for the RDS to the firewall. It executes the commands inst1 and inst2 specified in the configuration file, and then executes itself again, now in stealth mode.
- In this mode, the core component acts as a keylogger.
- The core component (32-bit) executes the 64-bit version of itself in injection mode (if applicable).
- The core component (64-bit) injects the userland rootkit (64-bit) into task manager processes. The userland rootkit then hides the presence of the malicious processes in the task manager.
- The core component (32-bit) executes the RDS. It repeatedly monitors and hides the RDS window (because the RDS is a GUI application).
- The core component (32-bit) injects the userland rootkit (32-bit) into task manager processes. The userland rootkit then hides the presence of the malicious processes in the task manager.
- The core component (32-bit) executes the commands cmd1 and cmd2 specified in the configuration file. One such command was seen executing a GUI hider, an AutoHotKey script that hides the tray icon of the RDS.
Note: Some components are optional. Also, sometimes they are deployed as a set comprising an encrypted payload and the corresponding loader. We are omitting these details.
The configuration file of BalkanRAT is in INI format (similarly to BalkanDoor, which uses this format for backdoor commands), with one section named [CFG]. The INI file is used by the malware’s core component and by the userland rootkit.
| Property | Description |
|---|---|
| inst1, inst2 | Commands executed by the core component during installation |
| cmd1, cmd2 | Commands executed by the core component’s main payload |
| hproc | List of processes that should be hidden by the userland rootkit |
| mproc | List of processes into which the userland rootkit is injected |
Figure 5. BalkanRAT’s configuration file – properties (top) and example (below)
BalkanRAT’s core is a multipurpose component (there are both 32-bit and 64-bit versions); it can be executed in various modes, determined by the command-line argument. Most significantly, it is used for installing BalkanRAT, launching the userland rootkit and adding exceptions for the RDS component in the firewall.
Table 5. BalkanRAT’s core component – supported functionality

| Argument | Functionality |
|---|---|
| /rhc | Executes a batch file |
| /fwl | Adds an exception to the firewall for the specified program |
| /sreg | Sets configuration data for the RDS in the registry (especially the email address where the credentials should be sent) |
| /inst | Ensures persistence by adding itself to the [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] registry key under the “load” entry. Adds an exception for the RDS to the local firewall. Executes itself again in the main mode (no arguments). |
| /inj | Injects the userland rootkit library into processes, as specified in the configuration file |
| (none) | Main mode. Executes the 64-bit version of itself (if applicable), injects the userland rootkit, executes the RDS and hides its window by changing its coordinates to values outside the screen. Another thread captures pressed keystrokes. |
The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access. Instead of using the official version, BalkanRAT deploys a copy signed by a certificate of the attacker.
The client side of the RDS running on the victim’s computer must know the unique ID and the password, both generated on the server side, to connect to the server. The RDS deployed by BalkanRAT is configured in such a way that the password is the same for all victims, and the generated unique ID is sent to the attacker’s email address by the tool itself.
Since the tool BalkanRAT misuses is legitimate, it leverages the genuine Remote Utilities’ infrastructure for this communication (rutils.com, server.rutils.com); due to this, the communication may seem legitimate to the user – and to security products.
As a result, the attacker has obtained credentials to access the compromised computer via the Remote Utilities software. Using this tool, they can broadcast the screen to monitor the activity of the user and manually take over the compromised computer.
Figure 6. A window the victim never sees. With a legitimate copy of Remote Utilities, this window is visible; however, BalkanRAT will hide it using the GUI hider feature.
To remain stealthy, BalkanRAT uses the GUI hider feature. In most samples (some older ones are an exception), it is implemented as an AutoHotKey script, compiled into an executable file so that it can be run on a computer even if AutoHotKey is not installed there. The purpose of this script is to hide the tray icon of the RDS client.
Figure 7. AutoHotKey script embedded in the resource section of the executable
Another notable feature used by BalkanRAT to stay hidden is the ability to hide processes from the user.
To achieve this, userland rootkit libraries are injected into the processes listed in the configuration file. The userland rootkit hooks the NtQuerySystemInformation function in the process into which it is injected. When SystemProcessInformation is queried, it filters out all entries for processes whose names are specified in the configuration file. As a result, conventional task manager utilities will not display the processes the attackers want to keep hidden from the user.
Figure 8. With the userland rootkit injected, some processes are missing in the list (left). Without the rootkit, the processes are visible (right).
Naturally, the list of processes to be hidden contains mostly ones belonging to BalkanRAT. However, we have also seen names like “weather.exe” or “preserve.exe” in the list – which belong to the BalkanDoor backdoor. This finding supports the belief that these two tools are indeed used together.
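A defender-side cross-view check for the hiding technique described above, added here as an example (not code from the report or from ESET): it takes the process list as tasklist.exe reports it and compares it with the PIDs found by probing OpenProcess, a route the NtQuerySystemInformation hook does not cover. It assumes Windows with Python 3, and that tasklist.exe is one of the processes the rootkit is injected into (if it is not, the two views simply agree).

```python
import csv
import ctypes
import io
import subprocess
import sys

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5


def parse_tasklist_csv(text):
    """Map PID -> image name from 'tasklist /FO CSV /NH' output."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def api_view():
    """The process list as a conventional task-manager utility sees it.
    tasklist.exe relies on NtQuerySystemInformation, so if it is among the
    rootkit's injection targets, the names from hproc are missing here."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def probe_view(max_pid=0x10000):
    """Enumerate live PIDs by calling OpenProcess on every candidate. This path
    does not go through the hooked function, so nothing is filtered. A process
    that exists but is protected fails with ERROR_ACCESS_DENIED; count it too."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32)
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    alive = []
    for pid in range(4, max_pid, 4):  # Windows PIDs are multiples of 4; 0 is the idle process
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if handle:
            k32.CloseHandle(handle)
            alive.append(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            alive.append(pid)
    return alive


def compare_views(api_pids, probe_pids):
    """PIDs that exist according to the probe but are absent from the API listing."""
    return sorted(set(probe_pids) - set(api_pids) - {0})


def find_hidden_processes():
    if sys.platform != "win32":
        raise RuntimeError("cross-view check only makes sense on Windows")
    listing = api_view()  # filterable view first, unfilterable probe second
    # A process started between the two snapshots shows up once; re-run to confirm.
    return compare_views(listing, probe_view())


if __name__ == "__main__":
    for pid in find_hidden_processes():
        print(f"PID {pid} is running but missing from tasklist output")
```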
Both BalkanRAT and BalkanDoor have some interesting tricks up their sleeves, and each of them separately poses a significant risk to victims. Used together as a toolset, they make an even more powerful weapon – all the more so because the campaign we have discovered targets accounting, a function that is critical for organizations.
The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016. (The only source we have been able to find describing it is in Russian.) In that case, the attackers’ goal was to take control over a notary computer and issue some illegal operation on behalf of the notary.
Just as attackers may confirm a fraudulent transaction on behalf of a notary, they may perform a fraudulent transaction while impersonating a manager in a company’s financial department.
To stay safe, business users – and their employers – should follow basic cybersecurity rules: be cautious about emails and scrutinize their attachments and links, keep their software updated and use a reputable security solution.
ESET detection names
BalkanDoor – executable files
BalkanRAT – executable files
Remote Utilities (otherwise legitimate releases signed by attackers’ certificates)
Decoy PDF files
| Name | Email | Valid from | Valid to | SHA1 Thumbprint | Status at the time of writing |
|---|---|---|---|---|---|
| AMO-K Limited Liability Company | [email protected] | 2015/07/30 | 2016/07/28 | 4E36C4D10F1E3D820058E4D451C4A7B77856BDB3 | Expired |
| Valmpak, TOV | [email protected] | 2016/04/10 | 2017/04/01 | 17D50E2DBBAF5F8F60BFFE1B90F4DD52FDB44A09 | Revoked |
| 3D PEOPLE LIMITED | – | 2017/11/05 | 2018/11/06 | 936EDFB338D458FBACB25FE557F26AA3E101506E | Expired |
| SLOW BEER LTD | [email protected] | | | | |
Backdoors: weather.exe, winmihc.exe, Preserve.exe, PreservS.exe, WindowsConnect.exe
Scripts: weather.cmd, winmihc4.cmd, mihcupdate.cmd
Decoy PDF file: Zakon.pdf
Droppers: ZPDGI.exe, ZPDGV.exe, ZPDGE.exe, ZPDGO.exe, ZPDGU.exe, ZPDGA.exe, Ponovljeni-Stav.exe, AUG_1031.exe, MIP1023.exe
Configuration file: stg.cfg
Decoy PDF files: ZPDG.pdf, Ponovljeni-Stav.pdf, AUG_1031.pdf, MIP1023.pdf
Core component: winchk32.exe, wininit.exe, hide.exe, winchk64.exe
RDS: rutserv.exe, rfusclient.exe
Userland rootkit: winmmon.dll, winmmon64.dll
GUI hider components: serk.bat, serk.exe
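The service names from the BalkanDoor installation, the “load” value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, the Remote Utilities registry key, the distinctive command-line switches from Tables 4 and 5 and the file names listed above can be turned into a first-pass detection rule. The following is an added example, not part of the report, that assumes events have already been normalised into simple dicts (service installs from the System log, registry writes and process creations from Sysmon) with the field names shown; the sample events are constructed, not real telemetry.

```python
import ntpath
import re

# Service names the backdoor registers under (from the report).
SERVICE_NAMES = {"WindowsSvc", "WindowsPrnt", "WindowsConn", "WindowsErr"}
# File names from the report's IoC section, lower-cased for matching.
TOOL_FILES = {"weather.exe", "winmihc.exe", "preserve.exe", "preservs.exe",
              "windowsconnect.exe", "winchk32.exe", "winchk64.exe", "hide.exe",
              "winmmon.dll", "winmmon64.dll", "serk.exe"}
# Distinctive switches from Tables 4 and 5; /inst and /run are too common to key on.
SWITCHES = re.compile(r"(?:^|\s)/(?:unlock|rcmd|takescr|nosvc|runx|fwl|sreg|inj)\b", re.I)
# "load" under HKCU\...\Windows NT\CurrentVersion\Windows; Sysmon writes HKCU as HKU\<SID>.
LOAD_VALUE = re.compile(r"\\software\\microsoft\\windows nt\\currentversion\\windows\\load$", re.I)
# Remote Utilities server configuration, written by the /sreg mode.
RUTILS_KEY = re.compile(r"\\software\\usoris\\remote utilities\\", re.I)


def check_event(ev):
    """Return (rule, detail) when an event matches an indicator, else None."""
    kind = ev["event"]
    if kind == "service_installed":                      # System log event 7045
        if ev["service_name"] in SERVICE_NAMES:
            return ("masquerading_service", ev["service_name"])
        if ntpath.basename(ev["image_path"]).lower() in TOOL_FILES:
            return ("known_tool_service", ev["image_path"])
    elif kind == "registry_set":                         # Sysmon event 13
        if LOAD_VALUE.search(ev["target"]):
            return ("hkcu_load_persistence", ev["details"])
        if RUTILS_KEY.search(ev["target"]):
            return ("remote_utilities_config", ev["target"])
    elif kind == "process_create":                       # Sysmon event 1
        image = ntpath.basename(ev["image"]).lower()
        # The report's wininit.exe borrows a Windows name: only flag it outside System32.
        if image == "wininit.exe":
            if ntpath.dirname(ev["image"]).lower() == r"c:\windows\system32":
                return None
            return ("known_tool_process", ev["image"])
        if image in TOOL_FILES:
            return ("known_tool_process", ev["image"])
        if SWITCHES.search(ev["command_line"]):
            return ("suspicious_switch", ev["command_line"])
    return None


def scan_events(events):
    """Run check_event over a list of events; returns (host, rule, detail) tuples."""
    hits = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            hits.append((ev["host"], *hit))
    return hits


# Constructed sample events (not real telemetry) in the simplified layout above.
SAMPLE_EVENTS = [
    {"host": "acct-01", "event": "service_installed", "service_name": "WindowsPrnt",
     "image_path": r"C:\Users\Public\winmihc.exe"},
    {"host": "acct-01", "event": "registry_set",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows\load",
     "details": r"C:\ProgramData\winchk32.exe"},
    {"host": "acct-01", "event": "process_create", "image": r"C:\ProgramData\hide.exe",
     "command_line": r"C:\ProgramData\hide.exe /inj"},
    {"host": "acct-02", "event": "process_create", "image": r"C:\Windows\System32\wininit.exe",
     "command_line": "wininit.exe"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the three acct-01 events and leaves the genuine wininit.exe alone.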
Email addresses used to exfiltrate Remote Utilities credentials
MITRE ATT&CK techniques – BalkanRAT

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1192 | Spearphishing Link | BalkanRAT is distributed via emails that contain links to malware. |
| Execution | T1059 | Command-Line Interface | BalkanRAT uses cmd.exe to execute files. |
| | T1106 | Execution through API | BalkanRAT uses the ShellExecuteExW and LoadLibrary APIs to execute other malware components. |
| | T1064 | Scripting | BalkanRAT uses batch scripts for malware installation and execution. |
| | T1204 | User Execution | BalkanRAT relies on the victim to execute the initial infiltration. The malware is disguised as PDF documents with misleading names, in order to entice the intended victim to click on it. |
| Persistence | T1060 | Registry Run Keys / Startup Folder | BalkanRAT uses the following Registry Run key to establish persistence: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows], “load”. |
| Privilege Escalation | T1134 | Access Token Manipulation | BalkanRAT is able to impersonate the logged-on user using the DuplicateTokenEx or ImpersonateLoggedOnUser APIs. |
| Defense Evasion | T1116 | Code Signing | BalkanRAT is digitally signed with code-signing certificates. |
| | T1140 | Deobfuscate/Decode Files or Information | BalkanRAT decrypts and decompresses some of its components. |
| | T1089 | Disabling Security Tools | BalkanRAT is capable of adding exceptions to the local firewall, using its COM interface. |
| | T1112 | Modify Registry | BalkanRAT modifies the [HKEY_CURRENT_USER\Software\Usoris\Remote Utilities\Server\Parameters] registry key to store the configuration of the RDS. |
| | T1027 | Obfuscated Files or Information | Some components of BalkanRAT are compressed and then encrypted with a XOR cipher. |
| | T1055 | Process Injection | BalkanRAT injects a userland rootkit library into processes of task manager utilities. |
| | T1108 | Redundant Access | Operators of BalkanRAT have been seen deploying a second malicious tool (BalkanDoor) to preserve remote access in case BalkanRAT is removed. |
| | T1014 | Rootkit | BalkanRAT uses a userland rootkit that hooks the NtQuerySystemInformation function to hide the presence of malicious processes. |
| | T1143 | Hidden Window | BalkanRAT uses 3rd-party remote desktop software and hides its window and tray icon in order to hide it from the user. |
| Discovery | T1082 | System Information Discovery | BalkanRAT collects the computer name and the language settings from the compromised machine. |
| Collection | T1056 | Input Capture | BalkanRAT is capable of logging pressed keystrokes. |
| Command and Control | T1219 | Remote Access Tools | BalkanRAT has misused legitimate remote desktop software for remote access. |
MITRE ATT&CK techniques – BalkanDoor

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1192 | Spearphishing Link | BalkanDoor is distributed via emails that contain links to download malware. |
| Execution | T1059 | Command-Line Interface | BalkanRAT uses cmd.exe to create a remote shell. |
| | T1106 | Execution through API | BalkanRAT uses the ShellExecuteExW and LoadLibrary APIs to execute files. |
| | T1203 | Exploitation for Client Execution | BalkanDoor can be distributed as an ACE archive disguised as a RAR archive, exploiting the CVE-2018-20250 vulnerability in WinRAR to execute malicious code. |
| | T1064 | Scripting | BalkanDoor uses batch scripts for malware installation and execution. |
| | T1035 | Service Execution | BalkanDoor’s backdoor can be executed as a service. |
| | T1204 | User Execution | BalkanDoor relies on the victim to execute the initial infiltration. The malware is disguised as PDF documents or RAR archives with misleading names, in order to entice the intended victim to click on it. |
| Persistence | T1050 | New Service | BalkanDoor can be installed as a new service, mimicking legitimate Windows services. |
| | T1060 | Registry Run Keys / Startup Folder | BalkanDoor can be installed in the Registry Run key, or dropped in the Startup folder. |
| Privilege Escalation | T1134 | Access Token Manipulation | BalkanDoor is able to create a process under the security context of a different user, using the DuplicateTokenEx, SetTokenInformation or CreateProcessAsUserW APIs. |
| Defense Evasion | T1116 | Code Signing | BalkanDoor is digitally signed with code-signing certificates. |
| | T1107 | File Deletion | BalkanDoor deletes files with backdoor commands after the commands have been executed. |
| | T1158 | Hidden Files and Directories | BalkanDoor sets the attributes of its files to HIDDEN, SYSTEM and READONLY. |
| | T1036 | Masquerading | BalkanDoor can be installed as a service with names mimicking legitimate Windows services. |
| | T1108 | Redundant Access | Operators of BalkanDoor have been seen deploying a second malicious tool (BalkanRAT) to preserve remote access in case BalkanDoor is removed. |
| Discovery | T1082 | System Information Discovery | BalkanDoor collects the computer name from the compromised machine. |
| Collection | T1113 | Screen Capture | BalkanDoor can capture screenshots of the compromised machine. |
| Command and Control | T1043 | Commonly Used Port | BalkanDoor uses ports 80 and 443 for C&C communication. |
| | T1090 | Connection Proxy | BalkanDoor is capable of identifying a configured proxy server if one exists and then using it to make HTTP requests. |
| | T1008 | Fallback Channels | BalkanDoor can communicate over multiple C&C hosts. |
| | T1071 | Standard Application Layer Protocol | BalkanDoor uses HTTP or HTTPS for network communication. |