Sponsor backdoor, the latest addition to Charming Kitten’s arsenal

October 3, 2023
Tags: Sponsor Backdoor, Malware, CharmingKitten, APT

The Charming Kitten threat group executed a series of targeted attacks using a new malicious tool called the Sponsor backdoor. The group, also tracked as Ballistic Bobcat, APT35, and Phosphorus, is notorious for its cyber-espionage campaigns.

Charming Kitten’s latest cybercriminal operation called ‘Sponsoring Access’ targets critical entities in multiple countries, such as the UAE, Israel, and Brazil. Most targeted organisations came from the academic, government, and healthcare sectors. The group has also compromised human rights activists and journalists using the same attack.

The primary objective of the attackers in this campaign is to harvest information from these organisations.

Charming Kitten used an established method to breach its targets: exploiting known vulnerabilities in publicly accessible Microsoft Exchange servers. This common attack vector gave the actors initial access to the targeted networks, from which they launched the rest of their operations.

Next, this Iranian APT group uses several open-source tools to carry out its activities. The group’s confirmed tools include Mimikatz, WebBrowserPassView, Plink, and ProcDump. These tools allow the attackers to control their victims’ systems and data.

The Sponsor backdoor has existed for more than a couple of years.

The Sponsor backdoor is a critical part of Charming Kitten’s new operation since it provides its operators with a range of capabilities. The malware developers built the Sponsor backdoor as a seemingly harmless file designed to evade security detection. However, despite its modular design, the operators have seen only moderate success with the tool.

Still, Charming Kitten continues to look for potential targets and exploit unpatched vulnerabilities in publicly accessible Microsoft Exchange servers. Moreover, they maintain this strategy of using various open-source tools and custom-made apps, like Sponsor Backdoor.

Organisations should immediately protect their systems from these campaigns. They could fortify their defences by applying patches on any outdated or internet-exposed devices to reduce the risk of exploitation.

It is also important to remain vigilant and continually monitor networks for any signs of compromise. Every organisation should stay informed about recent threats in the cybercriminal landscape in order to mitigate or prevent campaigns such as the new Sponsoring Access operation.
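One concrete way to act on the monitoring advice above is to hunt process-creation telemetry for the open-source tooling the article attributes to the group (Mimikatz, WebBrowserPassView, Plink, ProcDump). The script below is an added example, not code from the original article or from any vendor report; the Sysmon-like log layout and every event in it are constructed for illustration, and the `original_file_name` column is assumed to carry the PE version-resource name (as Sysmon's OriginalFileName does), which lets the check catch a binary that was simply renamed on disk.

```python
"""Hunt for process-creation events that execute tooling the article attributes
to Charming Kitten (Mimikatz, WebBrowserPassView, Plink, ProcDump).

Added example: the log layout and every event below are constructed, not
real telemetry from the campaign.
"""
from __future__ import annotations

import csv
import io
from pathlib import PureWindowsPath

# Tool names taken from the article. 'procdump64' is the 64-bit build name of
# ProcDump; everything is compared case-insensitively without the extension.
WATCHED_TOOLS = {"mimikatz", "webbrowserpassview", "plink", "procdump", "procdump64"}

# Constructed sample in a Sysmon-like process-creation layout. The
# original_file_name column stands in for Sysmon's OriginalFileName (taken
# from the PE version resource), which survives a simple rename on disk.
SAMPLE_LOG = r"""timestamp,host,user,image,original_file_name,command_line
2023-09-10T08:01:12Z,EXCH01,SYSTEM,C:\Windows\System32\svchost.exe,svchost.exe,svchost.exe -k netsvcs
2023-09-10T08:03:44Z,EXCH01,CORP\svc_iis,C:\ProgramData\update.exe,mimikatz.exe,update.exe
2023-09-10T08:05:02Z,EXCH01,CORP\svc_iis,C:\Temp\pd.exe,procdump,pd.exe -accepteula
2023-09-10T08:07:19Z,WS042,CORP\alice,C:\Program Files\Git\usr\bin\ssh.exe,ssh.exe,ssh.exe git@example.invalid
2023-09-10T08:09:55Z,WS042,CORP\alice,C:\Users\alice\Downloads\plink.exe,plink.exe,plink.exe -ssh user@example.invalid
2023-09-10T08:11:30Z,WS042,CORP\alice,C:\Users\alice\Downloads\WebBrowserPassView.exe,WebBrowserPassView.exe,WebBrowserPassView.exe
"""


def normalise(name: str) -> str:
    """Lowercase file name without directory or extension."""
    return PureWindowsPath(name).stem.lower()


def flag_tool_executions(log_text: str) -> list[dict]:
    """Return one record per event whose image or OriginalFileName is a watched tool."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = normalise(row["image"])
        original = normalise(row["original_file_name"])
        image_hit = image in WATCHED_TOOLS
        original_hit = original in WATCHED_TOOLS
        if not (image_hit or original_hit):
            continue
        hits.append({
            "timestamp": row["timestamp"],
            "host": row["host"],
            "user": row["user"],
            "tool": original if original_hit else image,
            # A match on OriginalFileName but not on the on-disk name means the
            # binary was renamed, which on its own justifies a higher severity.
            "renamed": original_hit and not image_hit,
            "image": row["image"],
        })
    return hits


def hosts_by_tool_count(hits: list[dict]) -> dict[str, int]:
    """Number of distinct watched tools seen per host, to prioritise triage."""
    seen: dict[str, set] = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["tool"])
    return {host: len(tools) for host, tools in seen.items()}


if __name__ == "__main__":
    found = flag_tool_executions(SAMPLE_LOG)
    for h in found:
        flag = " (renamed binary)" if h["renamed"] else ""
        print(f'{h["timestamp"]} {h["host"]} {h["user"]}: {h["tool"]}{flag} -> {h["image"]}')
    print(hosts_by_tool_count(found))
```

Run against the constructed sample, the script flags four of the six events and marks the two Exchange-server events as renamed binaries, which is the kind of signal worth escalating on an internet-facing host. Name-based matching is deliberately cheap and has an obvious limit: a rebuilt tool with a stripped or altered version resource will not match, so treat this as a first-pass hunt to be paired with behavioural detections and with the patching advice above rather than as a complete control.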
