12 September 2023

Iranian hackers target orgs in Brazil, Israel, and UAE with new Sponsor backdoor


An Iranian state-backed threat actor known as 'Charming Kitten' (also tracked as Phosphorus, Ballistic Bobcat, TA453 and APT35/42) has been observed deploying a previously unknown backdoor named 'Sponsor' against 34 organizations in Brazil, Israel and the United Arab Emirates.

The campaign, dubbed ‘Sponsoring Access’ by ESET researchers, took place between March 2021 and June 2022, targeting government and healthcare organizations and firms engaged in financial services, engineering, manufacturing, technology, law, telecommunications, and other sectors.

As part of the operation, the attackers deployed the Sponsor backdoor onto target systems after obtaining initial access through a known vulnerability, CVE-2021-26855 (the server-side request forgery in the ProxyLogon chain), in internet-exposed Microsoft Exchange servers. The flaw had a patch available for the entire campaign window, so the victims were running Exchange builds that had not been updated.

“The Sponsor backdoor uses configuration files on disk, dropped by batch files, and both are innocuous so as to bypass scanning engines. This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years,” the researchers noted.

The group has also been observed using a variety of mostly open-source tools alongside Sponsor: the Powerless backdoor, Plink (PuTTY's command-line SSH client, typically used to tunnel traffic out of a compromised host), and the Merlin post-exploitation framework.

“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations,” ESET said.
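Because the only initial-access vector named here is CVE-2021-26855 on unpatched Exchange, the first thing a defender reading this wants is a way to check whether their own servers were hit. The script below is an added example, not ESET's or Microsoft's code: it applies the publicly documented indicator for this CVE (an Exchange HttpProxy log entry with an empty AuthenticatedUser whose AnchorMailbox matches `ServerInfo~*/*`) to HttpProxy logs. The sample log embedded in it is constructed with a reduced set of the real columns, the column names are real but the column count is not, and the `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy` default path is an assumption about a standard install.

```python
"""Hunt Exchange HttpProxy logs for CVE-2021-26855 (ProxyLogon SSRF) exploitation.

Added example; not code from the original article, ESET or Microsoft.
Indicator applied: AuthenticatedUser empty AND AnchorMailbox like 'ServerInfo~*/*'.
Both halves matter: authenticated ServerInfo~ anchors are normal backend routing.
"""
from __future__ import annotations

import csv
import fnmatch
import sys
from collections import Counter
from pathlib import Path
from typing import Iterable, Iterator

# Default log location on a standard Exchange 2016/2019 install (assumption).
DEFAULT_LOG_DIR = Path(r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy")

# Case-insensitive equivalent of PowerShell's -like 'ServerInfo~*/*'.
INDICATOR_PATTERN = "serverinfo~*/*"

# Constructed sample (reduced columns): one unauthenticated benign logon page
# fetch, one authenticated OWA request, two unauthenticated ServerInfo~ anchors
# from a single external address (the indicator), and one authenticated
# ServerInfo~ anchor that must NOT fire.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AuthenticatedUser,AnchorMailbox
2021-03-04T08:12:01.113Z,1a2b,10.0.5.23,mail.example.test,/owa/auth/logon.aspx,GET,,
2021-03-04T08:12:09.540Z,1a2c,10.0.5.23,mail.example.test,/owa/,GET,CONTOSO\\jdoe,Sid~S-1-5-21-1111
2021-03-04T08:13:44.002Z,1a2d,203.0.113.77,mail.example.test,/ecp/y.js,GET,,ServerInfo~localhost/autodiscover/autodiscover.xml
2021-03-04T08:13:45.318Z,1a2e,203.0.113.77,mail.example.test,/ecp/y.js,POST,,ServerInfo~mail.example.test/ecp/DDI/DDIService.svc/SetObject
2021-03-04T08:14:10.777Z,1a2f,10.0.5.41,mail.example.test,/mapi/emsmdb/,POST,CONTOSO\\asmith,ServerInfo~mail.example.test/mapi/emsmdb/
"""


def iter_rows(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per data row.

    Exchange CSV logs usually open with a '#Software/#Version/#Log-type/#Date'
    comment block and a '#Fields: a,b,c' header; a plain header row (as in the
    constructed sample) is accepted too, so either layout parses.
    """
    header: list[str] | None = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = next(csv.reader([line[len("#Fields:"):].strip()]))
            continue
        if header is None:
            header = next(csv.reader([line]))
            continue
        yield dict(zip(header, next(csv.reader([line]))))


def is_proxylogon_hit(row: dict) -> bool:
    """True only when the request is unauthenticated AND carries a ServerInfo~ anchor."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").strip().lower()
    return user == "" and fnmatch.fnmatchcase(anchor, INDICATOR_PATTERN)


def hunt_rows(rows: Iterable[dict]) -> list[dict]:
    return [r for r in rows if is_proxylogon_hit(r)]


def hunt_log_text(text: str) -> list[dict]:
    return hunt_rows(iter_rows(text.splitlines()))


def hunt_log_dir(log_dir: Path) -> list[dict]:
    """Walk every *.log under the HttpProxy directory and tag hits with their file."""
    hits: list[dict] = []
    for path in sorted(log_dir.rglob("*.log")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            for row in hunt_rows(iter_rows(fh)):
                row["_source"] = str(path)
                hits.append(row)
    return hits


def summarize_by_client(hits: Iterable[dict]) -> dict[str, int]:
    """Hit count per ClientIpAddress, the first pivot a triage analyst wants."""
    return dict(Counter(h.get("ClientIpAddress", "?") for h in hits))


if __name__ == "__main__":
    # Usage: python hunt_proxylogon.py [HttpProxy log directory]
    if len(sys.argv) > 1:
        found = hunt_log_dir(Path(sys.argv[1]))
    else:
        found = hunt_log_text(SAMPLE_HTTPPROXY_LOG)
    for h in found:
        print(h["DateTime"], h["ClientIpAddress"], h["UrlStem"], h["AnchorMailbox"])
    print("per-client:", summarize_by_client(found))
```

Run it with no arguments to see the two constructed hits from 203.0.113.77, or point it at the HttpProxy directory on a server. A hit here is evidence of exploitation attempts, not of a successful Sponsor deployment: follow up with the ECP and OAB logs, newly created .aspx files under the Exchange web roots, and any unfamiliar batch and configuration files, which is what the modular Sponsor loader described above leaves behind.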
