Wednesday, May 8, 2024

Iranian Charming Kitten APT targets numerous entities in Brazil, Israel, and the U.A.E. using a new backdoor


Pierluigi Paganini

September 12, 2023

Iran-linked APT group Charming Kitten used a previously undocumented backdoor named Sponsor in attacks against entities in Brazil, Israel, and the U.A.E.

ESET researchers observed a series of attacks, carried out by the Iran-linked APT group Charming Kitten (aka Ballistic Bobcat APT, APT35, Phosphorus, Newscaster, TA453, and Ajax Security Team), that are targeting numerous entities in Brazil, Israel, and the United Arab Emirates.

The Charming Kitten group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors since at least 2013, but experts believe that the cyberespionage group has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States, and entities in the U.K., Israel, Iraq, and Saudi Arabia.

The recent attacks observed by ESET are part of a campaign named Ballistic Bobcat and employed a previously undocumented backdoor named Sponsor. Sponsor is written in C++; it can collect host information and running processes, and execute commands sent by the operators.

The researchers discovered Sponsor while investigating a cyber attack on a system in Israel in May 2022.

ESET reported that the Sponsor backdoor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates. The Sponsor backdoor has been in use since at least September 2021.

Most of the victims of the campaign are education, government, and healthcare organizations, as well as human rights activists and journalists.

Charming Kitten was observed exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers as an initial attack vector.

“Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses. The group has been known to engage in this behavior for some time.” reads the analysis published by ESET. “However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity rather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems.”

The Sponsor backdoor uses configuration files stored on disk, which are distributed by means of batch files. Both of these components are designed to appear harmless in order to evade detection.

The experts speculate that the batch files and configuration files are part of the modular development process.

Once they’ve obtained access to the target network, the Iranian APT uses several open-source tools, such as Mimikatz, WebBrowserPassView, sqlextractor and ProcDump.

“Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations.” concludes the post.

Pierluigi Paganini

(SecurityAffairs – hacking, Charming Kitten)


