A nation-state threat actor known as 'Charming Kitten' (also tracked as Phosphorus, TA453, APT35/42) has been observed deploying a previously undocumented backdoor named 'Sponsor' against 34 organizations around the globe.
One of the notable features of the Sponsor backdoor is that it keeps its configuration in innocuous-looking text files on the victim's disk, written there by malicious batch scripts, so the files themselves draw no attention and the backdoor's settings stay out of the binary.
The campaign identified by ESET researchers ran between March 2021 and June 2022, targeting government and healthcare organizations as well as firms engaged in financial services, engineering, manufacturing, technology, law, telecommunications, and more.
The most targeted countries in the campaign observed by ESET are Israel, Brazil, and the United Arab Emirates.
Targeting Microsoft Exchange flaws
ESET reports that Charming Kitten primarily exploited CVE-2021-26855, the Microsoft Exchange server-side request forgery flaw at the head of the ProxyLogon remote code execution chain, to gain initial access to its targets' networks.
From there, the hackers used various open-source tools that facilitate data exfiltration, system monitoring, and network infiltration, and that also help the attackers maintain access to the compromised computers.
Before deploying the Sponsor backdoor, the final payload seen in these attacks, the hackers drop batch files at specific file paths on the host machine; these batch files write the configuration files the backdoor needs.
These files are named config.txt, node.txt, and error.txt so that they blend in with ordinary files and avoid raising suspicion.
The Sponsor backdoor
Sponsor is a C++ backdoor that, on launch, creates a service as instructed by its configuration file. The configuration file also holds the encrypted command-and-control (C2) server addresses, the C2 check-in intervals, and the RC4 key used to decrypt them.
The malware gathers system information such as the OS build (32- or 64-bit) and the power source (battery or mains) and sends it to the C2 over port 80; it receives a node ID back, which is written to the configuration file.
Next, the Sponsor backdoor enters a loop in which it contacts the C2 at the intervals defined by the configuration file to fetch commands for execution on the host.
Here's a list of the supported commands:
- Sends the process ID of the running Sponsor instance.
- Executes a specified command on the Sponsor host and reports the results to the C2 server.
- Receives a file from the C2, runs it with various parameters, and reports success or errors to the C2.
- Downloads and runs a file via the Windows API and reports to the C2.
- Runs Uninstall.bat from the current directory.
- Sleeps for a random period before reconnecting to the C2 server.
- Updates the list of C2 servers in config.txt and reports to the C2.
- Adjusts the check-in interval in config.txt and reports to the C2.
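The detail defenders can act on is the on-disk footprint: the batch files described earlier write config.txt, node.txt and error.txt side by side, and the command list above shows Sponsor editing config.txt in place (C2 list, check-in interval) during its lifetime. The script below is an added example, not code from ESET or from this article; it walks a directory tree, flags every directory that holds all three names together, and notes any co-located .bat/.cmd script that references them. The directory names, the sample batch file and the placeholder file contents are constructed for the demonstration; the real drop paths are not stated on this page.

```python
"""Hunt for a Sponsor-style configuration-file drop.

Added example (not ESET's or the article's code). The page states only the
three filenames and that batch scripts write them; the sample tree, the
directory names and the batch script contents below are constructed."""
import os
import re
import tempfile
from pathlib import Path

TRIAD = {"config.txt", "node.txt", "error.txt"}
BATCH_EXT = {".bat", ".cmd"}
# Matches any of the three names inside a batch script, case-insensitively.
TRIAD_RE = re.compile(r"\b(config|node|error)\.txt\b", re.IGNORECASE)


def batch_refs(path: Path) -> set[str]:
    """Return the triad filenames a batch script mentions (empty set if none)."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return set()
    return {m.group(0).lower() for m in TRIAD_RE.finditer(text)}


def hunt(root: str) -> list[dict]:
    """Walk root and flag directories holding the full triad.

    Each hit records the directory and any batch scripts found beside the
    files that reference them (the dropper pattern the article describes)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if not TRIAD <= names:          # all three must be co-located
            continue
        scripts = {}
        for f in files:
            p = Path(dirpath, f)
            if p.suffix.lower() in BATCH_EXT:
                refs = batch_refs(p)
                if refs:
                    scripts[f] = sorted(refs)
        hits.append({"dir": dirpath, "batch_scripts": scripts})
    return hits


def build_sample_tree() -> str:
    """Construct a throwaway tree: one staged drop that should be flagged and
    one decoy directory with only config.txt that must not be."""
    root = tempfile.mkdtemp(prefix="sponsor_hunt_")
    drop = Path(root, "ProgramData", "Updater")     # hypothetical location
    drop.mkdir(parents=True)
    for name in TRIAD:
        (drop / name).write_text("constructed placeholder\n")
    # Constructed batch script in the style the article describes: it only
    # writes the three configuration files, it does not carry the backdoor.
    (drop / "setup.bat").write_text(
        "@echo off\r\n"
        "echo placeholder> config.txt\r\n"
        "echo.> node.txt\r\n"
        "echo.> error.txt\r\n"
    )
    decoy = Path(root, "Users", "app")
    decoy.mkdir(parents=True)
    (decoy / "config.txt").write_text("benign application settings\n")
    return root


if __name__ == "__main__":
    for hit in hunt(build_sample_tree()):
        print(hit["dir"], hit["batch_scripts"])
```

Treat a hit as a triage lead, not a verdict: all three names are generic, so a directory matching the triad is only interesting when it also carries a batch dropper, a service binary, or a process beaconing on port 80 at a fixed interval. Run it against the real drop paths from ESET's IOC list rather than the whole filesystem where possible, and compare the content of any flagged config.txt against the IOCs before escalating.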
ESET has also seen a second version of Sponsor, which features code optimizations and a layer of disguise that makes it look like an updater tool.
Although none of the IP addresses used in this campaign are online anymore, ESET has shared full IOCs to help defend against potential future threats that reuse some of the tools or infrastructure Charming Kitten deployed in this campaign.