A severe malware campaign continues to target companies in the Balkans. It combines two threat tools, a backdoor Trojan and a RAT (remote access Trojan), and both are named after the region they attack: BalkanDoor and BalkanRAT.
BalkanRAT spreads through phishing email campaigns and, after a successful intrusion, lets the remote attackers control the compromised system through a graphical interface. BalkanDoor, the backdoor Trojan, gives the attackers control through the command line.
The BalkanRAT campaign has been active since at least January 2016. Security researchers have since found a new variant of BalkanDoor that exploits a path traversal vulnerability in WinRAR's ACE archive handling (CVE-2018-20250) during installation: a crafted ACE archive can write the payload to an arbitrary path, such as the Startup folder, instead of the directory the user chose for extraction.
The Distribution campaign
The threat actors behind the BalkanRAT campaign rely on malspam to distribute it. Like other RAT Trojans (Cardinal RAT, WebMonitor RAT, ATILLA STEALER and NetSupport Manager), BalkanRAT tries to trick users into opening the phishing email attachments that carry the payload. The malicious emails may contain links and PDF attachments that are actually executable files disguised as PDFs. The emails purport to come from legitimate institutions and use subjects such as tax invoices or shipment notices.
As said above, clicking the link prompts the user to download a disguised PDF file that is actually a WinRAR self-extracting (SFX) executable. When the alleged PDF is executed, it extracts its contents on the compromised system and installs the BalkanRAT Trojan.
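To make the lure concrete, here is an added example (not code from this page or from the researchers who analysed the campaign) of a small attachment triage script in Python. It flags the three things the distribution campaign relies on: an executable named to look like a PDF, a PE file with a RAR archive appended (a WinRAR self-extracting archive), and an ACE archive whose stored entry names contain traversal sequences, the trick behind CVE-2018-20250. The file signatures are the publicly documented ones; the sample attachments are constructed inline, and the ACE check is a byte-level heuristic rather than a full ACE parser.

```python
from __future__ import annotations
import re

# Publicly documented file signatures.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"          # sits at offset 7 of an ACE archive header

# A document extension immediately followed by an executable one ("Invoice.pdf.exe").
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.(exe|scr|com|pif|bat)$", re.I)
# Traversal sequences or absolute drive paths inside stored entry names.
TRAVERSAL = re.compile(rb"\.\.[\\/]|[A-Za-z]:[\\/]")
STARTUP = re.compile(rb"start menu[\\/]programs[\\/]startup", re.I)


def triage(name: str, data: bytes) -> list[str]:
    """Return finding tags for one attachment; an empty list means nothing matched."""
    findings: list[str] = []
    lower = name.lower()

    if DOUBLE_EXT.search(lower):
        findings.append("double-extension")

    if data.startswith(PE_MAGIC):
        # An executable whose file name claims to be a PDF.
        if lower.endswith(".pdf") or ".pdf." in lower:
            findings.append("pe-disguised-as-pdf")
        # A PE with a RAR archive appended is a WinRAR self-extracting (SFX) archive.
        if RAR4_SIG in data or RAR5_SIG in data:
            findings.append("rar-sfx")
    elif lower.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append("pdf-without-pdf-header")

    if data[7:14] == ACE_MAGIC:
        findings.append("ace-archive")
        # Heuristic, not a full ACE parser: entry names are stored in the clear, and a
        # traversal sequence or drive path in one is what CVE-2018-20250 exploits rely on
        # to write outside the extraction directory.
        if TRAVERSAL.search(data):
            findings.append("ace-path-traversal")
        if STARTUP.search(data):
            findings.append("ace-startup-target")
    return findings


# Constructed sample attachments: only the headers are realistic, the rest is padding.
SAMPLES = {
    "Invoice_2019.pdf.exe": PE_MAGIC + b"\x00" * 64 + RAR4_SIG + b"\x00" * 32,
    "Shipment.pdf": PE_MAGIC + b"\x00" * 96,
    "Tax_notice.rar": (b"\x00" * 7 + ACE_MAGIC + b"\x00" * 8
                       + b"..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe"),
    "genuine.pdf": PDF_MAGIC + b"1.4\n%\xe2\xe3\xcf\xd3\n",
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Run triage over a name -> bytes mapping of attachments."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, tags in triage_all().items():
        print(f"{name:22} {', '.join(tags) or 'clean'}")
```

On a mail gateway the same checks would run over the decoded attachment bytes; a hit on "rar-sfx" or "ace-path-traversal" is worth quarantining on its own, while "double-extension" alone is a weaker signal that benefits from a second opinion such as a sandbox detonation.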
How the BalkanRAT Trojan Attack Works
According to the malware analysis, the attack combines both tools, BalkanDoor and BalkanRAT, so a compromised system may carry both Trojans. Together they give the attackers control over the compromised system through both command-line execution and a graphical interface.
When the user is away from the PC and the screen is locked, the remote attackers connecting through BalkanRAT see only the lock screen. BalkanDoor, running on the system, sends the attackers a screenshot of the locked screen; the attackers then use BalkanDoor to send the command that unlocks it. After that, they have full control over the compromised system and can execute arbitrary commands or carry out any other task while the user is not watching.
Some of the backdoor commands supported by BalkanDoor are:
- Specify the computer name(s) of the intended recipients of the commands
- Download and execute a file
- Download and execute a file, in the specified context and on a specified desktop
- Create a remote shell accessible from the specified IP address
- Capture a series of screenshots of the required duration
In addition to the above commands, the BalkanDoor backdoor accepts command-line arguments that select its mode of operation. These modes themselves act as backdoor commands and can be launched from a remote shell. Each argument performs a different function:
- /unlock: Unlocks the screen
- /rcmd: Creates a remote shell and redirects its input/output to the specified IP address
- /takescr: Captures a series of screenshots, with the duration determined by other arguments
- /run: Executes the specified command using cmd.exe
- /runx: Executes the specified command using cmd.exe, on the active (input) desktop
- /inst: Installs itself as a service and starts the main procedure (see /nosvc)
- /begin: Starts the associated service, which starts the main procedure (see /nosvc)
- /nosvc: Main payload; communicates with the C&C server and interprets backdoor commands
Of all these commands, the unlock functionality can be the most damaging: it lets the attackers take over a session the user believes is locked.
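As an added detection example (not from the original page or the malware analysis it summarises), the following Python script hunts for the BalkanDoor mode switches listed above in process-creation telemetry. The event lines are constructed to resemble what an EDR or Sysmon would record (pid, image, command line, parent pid, parent image); the process names, paths and the 203.0.113.10 address are hypothetical. The split between switches distinctive enough to alert on alone and generic ones that need corroboration is a heuristic chosen for this example, not something the page states.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Mode switches documented for BalkanDoor.  The first set is distinctive enough to alert on
# alone; the second is generic (plenty of benign tools take /run or /inst) and is only
# reported when the image runs from outside the usual trusted directories.  That split is a
# heuristic chosen for this example.
SPECIFIC_SWITCHES = {"/unlock", "/rcmd", "/takescr", "/runx", "/nosvc"}
GENERIC_SWITCHES = {"/run", "/inst", "/begin"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# A slash-switch that starts a token ("/rcmd" but not the "/" inside a URL or path).
SWITCH_RE = re.compile(r"(?<!\S)/[a-z]+", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def parse_events(text: str) -> list[ProcEvent]:
    """Parse constructed 'pid | image | command line | parent pid | parent image' lines."""
    events = []
    for line in text.strip().splitlines():
        pid, image, cmd, ppid, parent = (field.strip() for field in line.split("|"))
        events.append(ProcEvent(int(pid), image, cmd, int(ppid), parent))
    return events


def hunt(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) alerts; events must be in creation order for lineage checks."""
    alerts: list[tuple[int, str]] = []
    flagged: set[int] = set()
    for ev in events:
        switches = {s.lower() for s in SWITCH_RE.findall(ev.cmdline)}
        specific = sorted(switches & SPECIFIC_SWITCHES)
        generic = sorted(switches & GENERIC_SWITCHES)
        untrusted = not ev.image.lower().startswith(TRUSTED_DIRS)
        if specific:
            alerts.append((ev.pid, "balkandoor-switch:" + ",".join(specific)))
            flagged.add(ev.pid)
        elif generic and untrusted:
            alerts.append((ev.pid, "generic-switch-untrusted-image:" + ",".join(generic)))
            flagged.add(ev.pid)
        # /rcmd spawns cmd.exe and redirects its I/O to the attacker; a cmd.exe whose
        # parent was already flagged is that remote shell.
        if ev.image.lower().endswith("\\cmd.exe") and ev.parent_pid in flagged:
            alerts.append((ev.pid, f"remote-shell-child-of:{ev.parent_pid}"))
    return alerts


# Constructed telemetry (hypothetical paths, names and the 203.0.113.10 address).
SAMPLE_EVENTS = r"""
4021 | C:\Windows\explorer.exe                  | explorer.exe                | 812  | C:\Windows\System32\userinit.exe
5160 | C:\Users\jd\AppData\Roaming\svc\wupd.exe | wupd.exe /inst              | 4021 | C:\Windows\explorer.exe
5188 | C:\Users\jd\AppData\Roaming\svc\wupd.exe | wupd.exe /nosvc             | 656  | C:\Windows\System32\services.exe
5210 | C:\Users\jd\AppData\Roaming\svc\wupd.exe | wupd.exe /rcmd 203.0.113.10 | 5188 | C:\Users\jd\AppData\Roaming\svc\wupd.exe
5230 | C:\Windows\System32\cmd.exe              | cmd.exe                     | 5210 | C:\Users\jd\AppData\Roaming\svc\wupd.exe
5301 | C:\Program Files\Vendor\tool.exe         | tool.exe /run job1          | 4021 | C:\Windows\explorer.exe
"""


def hunt_sample() -> list[tuple[int, str]]:
    """Run the hunt over the constructed telemetry."""
    return hunt(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for pid, reason in hunt_sample():
        print(f"pid {pid}: {reason}")
```

The lineage rule is the one that matters most in practice: a `/nosvc` process started by services.exe is the installed backdoor, and a cmd.exe descending from it with its standard handles bound to a socket is the remote shell that `/rcmd` describes. The vendor tool in Program Files using `/run` is deliberately left silent to show why the generic switches need the extra condition.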
Other detection names are:
How to Remove BalkanRAT Trojan
Removing the BalkanRAT Trojan is as hard as removing any other malware. It can leave you puzzled because it makes many modifications to internal system settings. Manual removal takes time and patience, and even then it may not guarantee complete removal.
To help our readers, we have put together our best solution for removing this threat. We suggest you attempt it only if you are familiar with system configuration, registry keys and subkey values, and boot settings.
While performing the manual solution, be cautious; if you get confused at any point, stop and use a powerful anti-malware program to detect and remove the malware. This not only ensures safe removal of the BalkanRAT Trojan but also restores default system settings.
“Windows OS: Use Anti-Malware To Scan And Remove BalkanRAT (Recommended)”
SpyHunter is a giant among security programs. It uses advanced threat detection technology to remove adware/PUPs, browser hijackers, Trojans, rootkits, fake system optimization tools and worms.
It not only removes threats but also provides rigorous 24/7 protection against unsolicited programs, vulnerability exploitation and rootkit attacks.
We recommend SpyHunter for its efficiency, its light footprint (it claims to use only about 12% of CPU) and a simple user interface designed for both beginners and advanced users. It also offers features that need little user monitoring, custom scan options, a system guard and 24/7 help desk support. Keeping SpyHunter running on your computer adds an extra security layer that protects your system from attack.
SpyHunter is certified by West Coast Labs' Checkmark Certification System and comes with a complete money-back guarantee if you are not satisfied with its results. So it is a win-win situation: try the free version of SpyHunter and, if you are fully satisfied, register for full protection against the malicious threats that hamper your security.
Instructions To Download And Install SpyHunter 5
- Once the file “SpyHunter-Installer.exe” is downloaded, double-click on the file to open (you can see it in your browser’s bottom-left corner);
- Click “Yes” to the “User Account Control” dialog box;
- Now, choose your preferred language and then click on “OK” for the next installation step;
- Now, click on “Continue” button to proceed with the To proceed to the installation;
- Now installation will begin, please be patience as it may take few minutes;
- Click on the “Finish” button to successfully install the program.
Note: It may ask you to enter your information; you can add your details or go with the default information to start the program.
Steps To Perform System Scan with SpyHunter
- Once the program is installed successfully, the SpyHunter 5 Anti-malware program will launch automatically. If it does not, locate the SpyHunter icon on the desktop or click on “Start” → “Programs” → “SpyHunter”.
- Now, to start the scan, click on the “Home” tab and select the “Start Scan Now” button. The program will start scanning for BalkanRAT and other associated programs.
- The scan report will list all the details of the results about BalkanRAT along with the system errors, vulnerabilities and malware found.
- Once BalkanRAT appears in the results:
- To select an object for removal, select the checkbox at the left of the object and click on “Next“. You can select or deselect any objects displayed in the “Malware,” “PUPs” or “Privacy” tabs. A convenient “Select All” feature lets you select or deselect all objects displayed in a specific tab; to use it, select the checkbox at the left in that tab.
- Once you have selected which objects you would like to remove, click the “Next” button.
If you want to know more, you are welcome to check out the full review of SpyHunter 5.
To Remove BalkanRAT Trojan, follow these steps:
The manual steps below are given separately to avoid confusing our readers. Please follow the links below and perform them one by one. If you choose manual removal, we recommend printing or downloading these instructions, or opening them from another uninfected computer or laptop, and following the step-by-step manual removal instructions: Windows OS PDF Guide.
Step 1: Remove BalkanRAT Trojan From Windows OS
Step 2: Remove Trojan Virus Using System Restore Procedure. (Advanced option)
Step 3: Remove BalkanRAT Trojan using HitmanPro.Alert
HitmanPro.Alert is an advanced anti-malware program that takes a proactive approach to threat behavior and activity. Its cloud-based scanning technique deeply scans the locations where threats most often reside. It is a real-time anti-malware program that delivers protection from the latest threats, crypto-malware, ransomware, exploits, spyware and risks related to online transactions.
HitmanPro.Alert is best in class and provides advanced features such as:
- Safe Browsing;
- Exploit Mitigation;
- Risk reduction;
- Keylogger protection, and many more.
Running HitmanPro.Alert on your computer provides real-time status, checks browser integrity and alerts you to any suspicious activity, so you can browse and make online transactions safely. Read the full review of HitmanPro.Alert here.
Steps To Install And Run HitmanPro.Alert
- Click on the provided link to download the HitmanPro.Alert anti-malware;
- Now, open the download folder (or wherever the program was downloaded) to locate “hmpalert3”;
- Click on it to begin the installation;
- If User Account Control prompts you, click on “Yes”;
- The installation will begin shortly. The HitmanPro.Alert window will appear, where you need to choose the options:
Choose the protection level “Maximum”
And tick the other boxes, then finally click on “Install”.
HitmanPro.Alert uses only about 5 MB of memory and installs very quickly.
- After the installation is complete, the scan will start. The first scan may take a few minutes, as it scans the whole computer.
- The scan results are displayed. Carefully look down the list. Here, the scan has found 1 riskware item and thousands of traces that can be risky.
- You can select each threat to delete, quarantine, ignore or mark as safe. If you want to remove all the threats, simply click on the “Next” button below.
- HitmanPro.Alert first creates a restore point and then starts the removal process, which helps you recover from any damage.
With that, the removal process with HitmanPro.Alert is done.
Step 4: System Restore Procedure
- After removal of the BalkanRAT Trojan, it is important to repair the damage it has done. It modifies the Windows registry, adding keys and values so that it executes as the system starts, and any keys left behind may help the program regenerate. To repair the registry and restore it to its previous state, we recommend the “Reimage Tool“, which cleans all traces of the threat and fixes Windows errors.
Best Practices To Avoid Such Infections
- Keep a properly configured firewall on the system. This helps block unwanted internet connections to your device.
- Do not open spam mail attachments from unknown senders. This is the most common way malicious programs get in, so be cautious with mail from non-trusted sources.
- Keep your software up to date, so that known vulnerabilities are patched; the WinRAR flaw abused by BalkanDoor is a case in point.
- Be very cautious when downloading freeware from third-party websites. Always download software from official websites to avoid accidental downloads of adware/PUPs.
- Do not use public Wi-Fi for online transactions; such networks are not fully secure and can expose your traffic or your device to attack.
- Use a powerful anti-virus program that keeps track of your security.
By following the above tips, you can keep viruses and unwanted programs off your computer. We hope this article is helpful to you.