Pierluigi Paganini September 12, 2023

Iran-linked APT group Charming Kitten used a previously undocumented backdoor named Sponsor in attacks against entities in Brazil, Israel, and the U.A.E.

ESET researchers observed a series of attacks, conducted by the Iran-linked APT group Charming Kitten (aka Ballistic Bobcat APT, APT35, Phosphorus, Newscaster, TA453, and Ajax Security Team), which are targeting various entities in Brazil, Israel, and the United Arab Emirates.

The Charming Kitten group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011 targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The recent attacks spotted by ESET are part of a campaign named Ballistic Bobcat and employed a previously undocumented backdoor named Sponsor. Sponsor is written in C++, it can collect host information and running processes and execute commands sent by the operators.

The researchers discovered Sponsor while investigating a cyber attack on a system in Israel in May 2022.

ESET reported that the Sponsor backdoor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates. The Sponsor backdoor has been used at least since September 2021.

Most of the victims of the campaign are education, government, and healthcare organizations, as well as human rights activists and journalists.

Charming Kitten was observed exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers as an initial attack vector.

“Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses. The group has been known to engage in this behavior for some time.” reads the analysis published by ESET. “However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity rather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems.”

The Sponsor backdoor employs configuration files saved on the disk, which are distributed through batch files. Both of these components are designed to appear harmless in order to evade detection.

The experts speculate that batch files and configuration files are part of the modular development process.

Once they have obtained access to the target network, the Iranian APT uses multiple open-source tools, such as Mimikatz, WebBrowserPassView, sqlextractor and ProcDump.

“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations.” concludes the post.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Charming Kitten)