The Iranian threat actor Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the UAE using a previously undocumented backdoor named Sponsor. Cybersecurity investigators are tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, healthcare organizations, human rights activists, and journalists. At least 34 victims of Sponsor have been detected to date, with the earliest instances of deployment dating back to September 2021.[1]
See: https://redskyalliance.org/xindustry/charming-kitten-s-new-malware
The Sponsor backdoor uses configuration files stored on disk. Batch files discreetly deploy these files and are deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines. Sponsoring Access campaign involves obtaining initial access by opportunistically exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers to conduct post-compromise actions, echoing an advisory issued by Australia, the UK, and the US in November 2021.
In one incident, an unidentified Israeli company operating an insurance marketplace is said to have been infiltrated by the adversary in August 2021 to deliver next-stage payloads such as PowerLess, Plink, and a Go-based open-source post-exploitation toolkit called Merlin over the next couple of months. The Merlin agent executed a Meterpreter reverse shell that called back to a new [command-and-control] server. On 12 December 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor.
Written in C++, Sponsor is designed to gather host information and process instructions received from a remote server, the results of which are sent back to the server. This includes command and file execution, file download, and updating the list of attacker-controlled servers.
Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2023/09/charming-kitens-new-backdoor-sponsor.html
Comments