Charming Kitten’s new ‘sponsor’ targets Brazil, Israel and the United Arab Emirates
The Iranian actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel and the United Arab Emirates, using a previously undocumented backdoor called Sponsor.
The Slovak cybersecurity company tracks the cluster under the name Ballistic bobcat. Victimology patterns suggest that the group primarily targets educational, government, and health organizations, as well as human rights activists and journalists.
At least 34 victims of the sponsor have been detected to date, with the first cases of deployment dating back to September 2021.
“The sponsor backdoor uses configuration files stored on disk,” Adam Burgher, researcher at ESET. said in a new report released today. “These files are discreetly deployed in batches and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines.”
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
MFA achieved? WFP? Service account protection? Find out how equipped your organization really is against identity threats
The campaign, called Sponsoring Access, involves gaining initial access by opportunistically exploiting known vulnerabilities in Internet-exposed Microsoft Exchange servers to take post-compromise actions, echoing an advisory published by Australia, the United Kingdom United and the United States in November 2021.
In an incident detailed by ESET, an unidentified Israeli company operating an insurance marketplace was allegedly infiltrated by the adversary in August 2021 to deliver next-stage payloads such as PowerLess, Plink, and open source post-exploitation based on Go. toolbox called Merlin over the next few months.
“Agent Merlin executed a Meterpreter reverse shell which recalled a new (command and control) server,” Burgher said. “On December 12, 2021, the reverse shell deleted a batch file, install.bat, and within minutes of running the batch file, Ballistic Bobcat operators pushed their new backdoor, Sponsor.”
Written in C++, Sponsor is designed to collect information about the host and process instructions received from a remote server, the results of which are returned to the server. This includes executing commands and files, downloading files, and updating the list of servers controlled by the attackers.
“Ballistic Bobcat continues to operate under a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in Internet-exposed Microsoft Exchange servers,” Burgher said. “The group continues to use a diverse open source toolset complemented by several custom applications, including its Sponsor backdoor.”
