Ballistic Bobcat APT group targeting organizations across Brazil, Israel, UAE using novel backdoor

ESET researchers disclosed on Monday that a Ballistic Bobcat campaign using a novel backdoor, which they have named ‘Sponsor,’ has been targeting various entities across Brazil, Israel, and the United Arab Emirates. The backdoor was discovered after the researchers analyzed an ‘interesting sample’ on a victim’s system in Israel last May and then scoped the victim set by country. Upon examination, it became evident to ESET that the sample was a novel backdoor deployed by the Ballistic Bobcat APT (advanced persistent threat) group.

“Ballistic Bobcat, previously tracked by ESET Research as APT35/APT42 (aka Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-aligned advanced persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists,” Adam Burgher, an ESET researcher, wrote in a company blog post on Monday. “It is most active in Israel, the Middle East, and the United States. Notably, during the pandemic, it was targeting COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, and medical research personnel.”

Last month, the Bundesamt für Verfassungsschutz (BfV), one of the three intelligence services of the German Federation, released an advisory on cyber espionage against critics of the Iranian regime in the country. Based on its current intelligence, the BfV assesses that the APT group Charming Kitten is concretely involved in espionage activities against Iranian individuals and organizations in Germany. To this end, the group uses elaborate social engineering and online identities tailor-made for its targets.

Burgher further identified that overlaps between Ballistic Bobcat campaigns and Sponsor backdoor versions show a fairly clear pattern of tool development and deployment, with narrowly targeted campaigns, each of limited duration. “We subsequently discovered four other versions of the Sponsor backdoor. In total, we saw Sponsor deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates,” he added. 

Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers, the ESET post said: the group first conducted meticulous scans of systems or networks to identify potential weaknesses or vulnerabilities, and then targeted and exploited the weaknesses it had identified.

“The group has been known to engage in this behavior for some time,” Burgher wrote. “However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity rather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems. We have named this Ballistic Bobcat activity utilizing the Sponsor backdoor the Sponsoring Access campaign.”

Burgher identified that the Sponsor backdoor uses configuration files on disk, dropped by batch files, and both are innocuous so as to bypass scanning engines. “This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years. On compromised systems, Ballistic Bobcat also continues to use a variety of open-source tools.”

“We were able to identify a likely means of initial access for 23 of the 34 victims that we observed in ESET telemetry,” the ESET post disclosed. “Similar to what was reported in the PowerLess and CISA reports, Ballistic Bobcat probably exploited a known vulnerability, CVE-2021-26855, in Microsoft Exchange servers to gain a foothold on these systems.”

It added that for 16 of the 34 victims, “it appears Ballistic Bobcat was not the only threat actor with access to their systems. This may indicate, along with the wide variety of victims and the apparent lack of obvious intelligence value of a few victims, that Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims.”

Burgher also wrote that Ballistic Bobcat employed a number of open-source tools during the Sponsoring Access campaign. “Ballistic Bobcat deployed batch files to victims’ systems moments before deploying the Sponsor backdoor. Unfortunately, we were unable to obtain any of these batch files. However, we believe they write innocuous configuration files to disk, which the Sponsor backdoor requires to function fully. These configuration filenames were taken from the Sponsor backdoors but were never collected – config[dot]txt, node[dot]txt, error[dot]txt, and Uninstall[dot]bat.”

The researchers added that they believe that the batch files and configuration files are part of the modular development process that Ballistic Bobcat has favored over the past few years. 
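The batch files were never recovered, but the four configuration filenames the backdoor expects on disk were. Because each name is generic on its own, a practical hunt looks for them co-located in one directory and written close together. The following script is an added example, not ESET's code or tooling; the co-location threshold and the modification-time window are this example's own assumptions, and the planted directory is a constructed fixture.

```python
import os
import tempfile
from datetime import timedelta

# Filenames the ESET write-up reports the Sponsor backdoor expects on disk.
SPONSOR_CONFIG_NAMES = {"config.txt", "node.txt", "error.txt", "uninstall.bat"}

def find_sponsor_config_sets(root, min_matches=2, max_spread=timedelta(minutes=10)):
    """Walk `root` and return directories where at least `min_matches` of the
    Sponsor configuration filenames co-exist.

    `min_matches` and `max_spread` are this example's own heuristics (assumed,
    not from ESET): a tight modification-time cluster mirrors the reported
    "batch file drops config, backdoor follows moments later" sequence.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = [f for f in files if f.lower() in SPONSOR_CONFIG_NAMES]
        if len(present) < min_matches:
            continue
        mtimes = [os.path.getmtime(os.path.join(dirpath, f)) for f in present]
        spread = timedelta(seconds=max(mtimes) - min(mtimes))
        hits.append({
            "directory": dirpath,
            "files": sorted(present),
            "spread_seconds": int(spread.total_seconds()),
            "clustered": spread <= max_spread,
        })
    return hits

def plant_constructed_sample(base):
    """Create a constructed lookalike drop (harmless placeholder files only)."""
    target = os.path.join(base, "ProgramData", "Updater")
    os.makedirs(target, exist_ok=True)
    for name in ("config.txt", "node.txt", "error.txt"):
        with open(os.path.join(target, name), "w", encoding="utf-8") as fh:
            fh.write("placeholder\n")
    return target

def demo():
    """Plant the fixture in a temp tree, hunt it, return (planted_dir, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = plant_constructed_sample(tmp)
        return planted, find_sponsor_config_sets(tmp)

if __name__ == "__main__":
    for hit in demo()[1]:
        print(hit)
```

On a real host, point `find_sponsor_config_sets` at the volume root and triage hits whose `clustered` flag is set; a lone `config.txt` in an application folder is noise, three of these names written within seconds of each other is worth a look.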

Ballistic Bobcat coders made code revisions between Sponsor v1 and v2, Burgher disclosed. “The two most significant changes in the latter are optimization of code where several longer functions were minimized into functions and subfunctions and disguising Sponsor as an updater program.”

In addition to piggybacking on the C&C infrastructure used in the PowerLess campaign, Ballistic Bobcat also introduced a new C&C server, the post revealed. “The group also utilized multiple IPs to store and deliver support tools during the Sponsoring Access campaign. We have confirmed that none of these IPs are in operation at this time.”

In conclusion, Burgher said that Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. “The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations.”

The U.K.’s National Cyber Security Centre (NCSC) disclosed in January that Russia-based SEABORGIUM and Iran-based TA453 hacker groups continue to use spear-phishing attacks against targeted organizations and individuals in the U.K., and other areas of interest, primarily for information gathering activity. Throughout 2022, SEABORGIUM and TA453 targeted sectors, including academia, defense, governmental organizations, NGOs, and think tanks, as well as politicians, journalists, and activists.

Last week, U.S. agencies published a joint advisory to highlight the presence of indicators of compromise (IOCs) at an aeronautical sector organization as early as January 2023. The document confirms nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. The vulnerability allows for remote code execution (RCE) on the ManageEngine application.
