The Iranian cyber threat group known as Charming Kitten has recently been connected to a series of attacks in Brazil, Israel, and the U.A.E. These attacks utilize a previously unknown backdoor called Sponsor. The cyber attacks primarily target education, government, and healthcare organizations, as well as human rights activists and journalists.
To date, at least 34 victims of the Sponsor backdoor have been identified, with the earliest instances dating back to September 2021. The backdoor deploys configuration files discreetly, using batch files to trick scanning engines and avoid detection. Victimology patterns suggest that the group specifically targets vulnerable organizations and individuals.
The campaign, named Sponsoring Access, involves exploiting known vulnerabilities in Microsoft Exchange servers that are exposed on the internet. This allows the threat actors to gain initial access and carry out post-compromise actions. The attack methodology aligns with an advisory released by Australia, the U.K., and the U.S. in November 2021.
In one specific incident, an Israeli insurance marketplace company was infiltrated, and subsequent payloads such as PowerLess, Plink, and the open-source post-exploitation toolkit called Merlin were delivered. The attackers used the Merlin agent to execute a Meterpreter reverse shell, which allowed them to establish a connection with a new command-and-control server. Through this connection, the operators of the group, also tracked as Ballistic Bobcat, deployed their latest backdoor, Sponsor.
Sponsor, written in C++, is designed to collect host information and execute commands received from a remote server. It can perform functions such as file execution and download, as well as updating the list of attacker-controlled servers. The Ballistic Bobcat group continues to target unpatched vulnerabilities in Microsoft Exchange servers, utilizing a range of open-source tools and custom applications, including the Sponsor backdoor.
The activities of Charming Kitten (Ballistic Bobcat) highlight the ongoing threats posed by state-sponsored cyber actors and the importance of maintaining robust cybersecurity measures.