Iranian hackers target orgs in Brazil, Israel, and UAE with new Sponsor backdoor

An Iran-linked government-backed threat actor known as 'Charming Kitten' (Phosphorus, Ballistic Bobcat, TA453, APT35/42) has been observed deploying a previously unknown backdoor malware named 'Sponsor' against 34 companies in Brazil, Israel and the United Arab Emirates.

The campaign, dubbed ‘Sponsoring Access’ by ESET researchers, took place between March 2021 and June 2022, targeting government and healthcare organizations and firms engaged in financial services, engineering, manufacturing, technology, law, telecommunications, and other sectors.

As part of the operation, the attackers deployed a novel backdoor called ‘Sponsor’ onto target systems after obtaining initial access by exploiting a known vulnerability (CVE-2021-26855) in internet-exposed Microsoft Exchange servers.

“The Sponsor backdoor uses configuration files on disk, dropped by batch files, and both are innocuous so as to bypass scanning engines. This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years,” the researchers noted.

The group has also been observed using a variety of tools such as the Powerless backdoor, a command-line connection tool called Plink, and the Merlin post-exploitation framework.

“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations,” ESET said.
