Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E.

The Hacker News (thehackernews.com), Sep 11, 2023, 1:24 p.m.

Tags: charming kitten, sponsor backdoor, brazil, israel, u.a.e., ballistic bobcat, education, government, healthcare organizations, human rights activists, journalists, configuration files, evasion, batch files, sponsor victims, unpatched vulnerabilities, microsoft exchange servers

The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor.

Slovak cybersecurity firm ESET is tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare organizations, as well as human rights activists and journalists.

At least 34 victims of Sponsor have been detected to date, with the earliest instances of deployment dating back to September 2021.

“The Sponsor backdoor uses configuration files stored on disk,” ESET researcher Adam Burgher said in a new report published today. “These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines.”


The campaign, dubbed Sponsoring Access, involves obtaining initial access by opportunistically exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers to conduct post-compromise actions, echoing an advisory issued by Australia, the U.K., and the U.S. in November 2021.

In one incident detailed by ESET, an unidentified Israeli company operating an insurance marketplace is said to have been infiltrated by the adversary in August 2021; over the following months the intruders delivered next-stage payloads such as PowerLess, Plink, and Merlin, a Go-based open-source post-exploitation toolkit.


“The Merlin agent executed a Meterpreter reverse shell that called back to a new [command-and-control] server,” Burgher said. “On December 12th, 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor.”

Written in C++, Sponsor gathers host information and processes instructions received from a remote server, sending the results back to that server. The supported instructions include command and file execution, file download, and updating the list of attacker-controlled servers.
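The deployment chain quoted above (a reverse shell drops install.bat, cmd.exe runs it, and within minutes further files land on disk) is easier to hunt by provenance than by content, since the configuration files are built to look innocuous to scanners. The following is an added example, not code from ESET or from the article, that correlates Sysmon-style process-creation and file-creation events to flag a batch file that was written by one process and executed by cmd.exe shortly afterwards, where that run (or its child processes) then created more files. The events are constructed for the example; the field names, the ten-minute window, and every file name other than install.bat are assumptions, not indicators from the report.

```python
"""Hunt for 'dropped batch file -> cmd.exe run -> new files on disk' chains.

Added example (not ESET's or The Hacker News' code). Events below are
constructed, Sysmon-like records; only install.bat is taken from the article.
"""
from datetime import datetime, timedelta

# Assumption: anything later than this is treated as unrelated activity.
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not real data from the report).
SAMPLE_EVENTS = [
    # Malicious chain: an implant (placeholder name) writes install.bat,
    # cmd.exe executes it, and the run drops a config file and an executable.
    {"ts": "2021-12-12T10:00:00", "type": "process_create", "pid": 100, "ppid": 50,
     "image": r"C:\Windows\Temp\agent.exe", "cmdline": "agent.exe"},
    {"ts": "2021-12-12T10:01:10", "type": "file_create", "pid": 100,
     "path": r"C:\Windows\Temp\install.bat"},
    {"ts": "2021-12-12T10:01:40", "type": "process_create", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Windows\Temp\install.bat"'},
    {"ts": "2021-12-12T10:01:45", "type": "file_create", "pid": 101,
     "path": r"C:\Windows\config.txt"},  # innocuous-looking config (placeholder)
    {"ts": "2021-12-12T10:03:00", "type": "process_create", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\Windows\Temp\p.tmp C:\Windows\Temp\payload.exe"},
    {"ts": "2021-12-12T10:03:30", "type": "file_create", "pid": 102,
     "path": r"C:\Windows\Temp\payload.exe"},  # placeholder payload name
    # Benign: a user runs a long-standing backup script from Explorer.
    {"ts": "2021-12-12T11:00:00", "type": "process_create", "pid": 200, "ppid": 7,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\backup.bat"'},
    {"ts": "2021-12-12T11:00:05", "type": "file_create", "pid": 200,
     "path": r"C:\Users\alice\backup.log"},
    # Benign: a script edited in the morning and run hours later.
    {"ts": "2021-12-12T09:00:00", "type": "file_create", "pid": 300,
     "path": r"C:\Users\bob\notes.bat"},
    {"ts": "2021-12-12T11:30:00", "type": "process_create", "pid": 301, "ppid": 7,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\bob\notes.bat"'},
    {"ts": "2021-12-12T11:30:02", "type": "file_create", "pid": 301,
     "path": r"C:\Users\bob\notes.txt"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _within(later, earlier, window):
    """True when `later` falls in [earlier, earlier + window]."""
    return timedelta(0) <= later - earlier <= window


def find_dropped_batch_chains(events, window=WINDOW):
    """Return one finding per cmd.exe run of a recently dropped .bat that
    produced further files (by the run itself or by its descendants)."""
    events = sorted(events, key=_ts)

    # Index every .bat write: lowercased path -> [(time, writer pid)].
    bat_writes = {}
    for e in events:
        if e["type"] == "file_create" and e["path"].lower().endswith(".bat"):
            bat_writes.setdefault(e["path"].lower(), []).append((_ts(e), e["pid"]))

    findings = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        start, cmdline = _ts(e), e["cmdline"].lower()
        for bat_path, writes in bat_writes.items():
            if bat_path not in cmdline:
                continue
            recent = [w for w in writes if _within(start, w[0], window)]
            if not recent:
                continue  # script existed long before it ran: not a drop-and-run
            _, dropper_pid = recent[-1]

            # The cmd.exe run plus any descendants started inside the window.
            # Events are time-ordered, so parents are added before children.
            pids = {e["pid"]}
            for p in events:
                if (p["type"] == "process_create" and p["ppid"] in pids
                        and _within(_ts(p), start, window)):
                    pids.add(p["pid"])

            created = [f["path"] for f in events
                       if f["type"] == "file_create" and f["pid"] in pids
                       and f["path"].lower() != bat_path
                       and _within(_ts(f), start, window)]
            if created:
                findings.append({"dropper_pid": dropper_pid, "bat": bat_path,
                                 "cmd_pid": e["pid"], "created": created})
    return findings


if __name__ == "__main__":
    for finding in find_dropped_batch_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, only the install.bat chain is reported: the backup script is never written inside the window, and notes.bat was written hours before it ran. In production the same logic applies to Sysmon event IDs 1 (process create) and 11 (file create); the window and the parent-process allow-list are the knobs to tune, and the created-file list in each finding is what you then hand to an analyst instead of trusting a scanner's verdict on the file contents.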

“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers,” Burgher said. “The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor.”
