The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor.
Slovak cybersecurity firm is tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare organizations, as well as human rights activists and journalists.
At least 34 victims of Sponsor have been detected to date, with the earliest instances of deployment dating back to September 2021.
“The Sponsor backdoor uses configuration files stored on disk,” ESET researcher Adam Burgher said in a new report published today. “These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines.”
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
Achieved MFA? PAM? Service account protection? Find out how well-equipped your organization truly is against identity threats
The campaign, dubbed Sponsoring Access, involves obtaining initial access by opportunistically exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers to conduct post-compromise actions, echoing an advisory issued by Australia, the U.K., and the U.S. in November 2021.
In one incident detailed by ESET, an unidentified Israeli company operating an insurance marketplace is said to have been infiltrated by the adversary in August 2021 to deliver next-stage payloads such as PowerLess, Plink, and a Go-based open-source post-exploitation toolkit called Merlin over the next couple of months.
“The Merlin agent executed a Meterpreter reverse shell that called back to a new [command-and-control] server,” Burgher said. “On December 12th, 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor.”
Written in C++, Sponsor is designed to gather host information and process instructions received from a remote server, the results of which are sent back to the server. This includes command and file execution, file download, and update the list of attacker-controlled servers.
“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers,” Burgher said. “The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor.”