A nation-state threat actor known as 'Charming Kitten' (also tracked as Phosphorus, TA453, and APT35/42) has been observed deploying a previously unknown backdoor named 'Sponsor' against 34 organizations around the world.
One notable feature of the Sponsor backdoor is that it keeps its configuration in otherwise innocuous-looking text files on the victim's disk, dropped discreetly by malicious batch scripts, which helps the backdoor binary itself evade detection.
The campaign identified by ESET researchers ran from March 2021 to June 2022, targeting government and healthcare organizations as well as companies in financial services, engineering, manufacturing, technology, law, telecommunications, and other sectors.
The most heavily targeted countries in the campaign observed by ESET are Israel, Brazil, and the United Arab Emirates.
Targeting Microsoft Exchange flaws
ESET reports that Charming Kitten primarily exploited CVE-2021-26855, the Microsoft Exchange Server ProxyLogon vulnerability (a pre-authentication server-side request forgery flaw that was chained to achieve remote code execution), to gain initial access to its targets' networks.
From there, the hackers used various open-source tools that facilitate data exfiltration, system monitoring, and network infiltration, and that also help the attackers maintain access to the compromised computers.
Before deploying the Sponsor backdoor, the final payload seen in these attacks, the hackers drop batch files at specific paths on the host machine; these batch files write the configuration files the backdoor needs.
These files are named config.txt, node.txt, and error.txt so that they blend in with ordinary files and avoid raising suspicion.
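Because those three names are deliberately generic, searching a host for any one of them produces noise; the useful signal is all three sitting together in a directory that also holds an executable, which is where a Sponsor binary would be. The following Python hunt script is an added example for this article (it is not ESET's tooling or Sponsor's own code). It walks a directory tree, flags directories matching that pattern, and runs against a constructed sample tree; the folder layout and file contents in build_sample_tree() are invented for the demo and are not real artefacts.

```python
"""Triage hunt for the Sponsor configuration-file triple.

Heuristic only: config.txt, node.txt and error.txt are common names, so
hits are leads for manual triage, not confirmed infections.
"""
import os
import shutil
import tempfile
from pathlib import Path

# File names reported for Sponsor's dropped configuration (from the article).
SPONSOR_CONFIG_NAMES = {"config.txt", "node.txt", "error.txt"}


def find_sponsor_candidates(root):
    """Return sorted Paths of directories under root that contain all three
    config names (compared case-insensitively) alongside at least one .exe,
    the layout expected for a Sponsor service binary and its config."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lowered = {name.lower() for name in filenames}
        if not SPONSOR_CONFIG_NAMES.issubset(lowered):
            continue
        if not any(name.endswith(".exe") for name in lowered):
            continue
        hits.append(Path(dirpath))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample filesystem (hypothetical, for the demo only).

    suspicious/  binary plus all three config files (mixed case) -> flagged
    benign_app/  binary plus only config.txt and error.txt      -> not flagged
    notes/       all three names but no executable              -> not flagged
    """
    root = Path(tempfile.mkdtemp(prefix="sponsor_hunt_"))
    layout = {
        "suspicious": ["svc.exe", "Config.txt", "node.txt", "ERROR.TXT"],
        "benign_app": ["app.exe", "config.txt", "error.txt"],
        "notes": ["config.txt", "node.txt", "error.txt"],
    }
    for folder, names in layout.items():
        folder_path = root / folder
        folder_path.mkdir()
        for name in names:
            (folder_path / name).write_text("sample")
    return root


def demo():
    """Build the sample tree, run the hunt, clean up, and return the names
    of flagged directories."""
    root = build_sample_tree()
    try:
        return [p.name for p in find_sponsor_candidates(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name in demo():
        print("candidate directory:", name)
```

On a real host, point find_sponsor_candidates() at drive roots or at the directories referenced by installed services' image paths, and follow up each hit by checking whether the co-located executable is registered as a service, as the article describes Sponsor doing on launch.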
The Sponsor backdoor
Sponsor is a C++ backdoor that creates a service upon launch as instructed by the configuration file, which also contains encrypted command and control (C2) server addresses, the C2 check-in interval, and the RC4 decryption key.
The malware gathers system information such as the OS build (32- or 64-bit) and power source (battery or mains) and sends it to the C2 over port 80, receiving back a node ID, which it writes to its configuration files.
Next, the Sponsor backdoor enters a loop in which it contacts the C2 at the intervals defined in the configuration file to obtain commands to execute on the host.
Here's a list of the supported commands:
- Sends the running Sponsor process ID.
- Executes a specified command on the Sponsor host and reports the results to the C2 server.
- Receives and runs a file from the C2 with various parameters and reports success or errors to the C2.
- Downloads and runs a file via the Windows API and reports to the C2.
- Runs Uninstall.bat from the current directory.
- Sleeps for a random period before reconnecting to the C2 server.
- Updates the C&C list in config.txt and reports to the C2.
- Adjusts the check-in interval in config.txt and reports to the C2.
ESET has also seen a second version of Sponsor, which features code optimizations and a layer of disguise that makes it appear to be an updater tool.
Although none of the IP addresses used in this campaign are online anymore, ESET has shared full IOCs to help defend against future threats that reuse some of the tools or infrastructure Charming Kitten deployed in that campaign.