Charming Kitten, an Iranian threat actor, has been linked to a new wave of attacks targeting entities in Brazil, Israel, and the UAE. They have been observed using a previously undocumented backdoor named 'Sponsor'.
The cluster is tracked by Slovakian cybersecurity firm ESET under the name Ballistic Bobcat. Victimology patterns indicate that the group targets education, government and healthcare organizations, as well as human rights activists and journalists.
In a report published today, ESET researcher Adam Burgher said that the Sponsor backdoor uses configuration files stored on disk. The files are deployed discreetly through batch files and are deliberately designed to appear innocuous so as to evade detection by scanning engines.
The group does not, however, always target a particular region or industry. In its latest campaign, which ESET researchers call "Sponsoring Access," Charming Kitten used a "scan-and-exploit" approach, deploying the new Sponsor backdoor against any organization in Israel (plus one in Brazil and another in the United Arab Emirates) that was running unpatched Microsoft Exchange servers. It is not the first time the group has taken such an approach.
According to an advisory issued in November 2021 by Australia, the U.K., and the U.S., this approach involves obtaining initial access by opportunistically exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers in order to conduct post-compromise actions.
In one incident detailed by ESET, an unidentified Israeli company operating an insurance marketplace was infiltrated by the adversary in August 2021. The intrusion was used to deliver next-stage payloads such as PowerLess, Plink, and Merlin, a Go-based open-source post-exploitation toolkit.
"The Merlin agent executed a Meterpreter reverse shell that called back to a new [command-and-control] server," Burgher stated. "On 12 December 2021, reverse shell operators dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators released their newest backdoor, Sponsor."
"Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers," Burgher said. "The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor."