Iranian hackers backdoor 34 orgs with new Sponsor malware

Trending 2 weeks ago
  1. Home
  2. Technology
  3. Iranian hackers backdoor 34 orgs with new Sponsor malware

Hacker starting astatine machine screens

A nation-state threat character known arsenic 'Charming Kitten' (Phosphorus, TA453, APT35/42) has been observed deploying a antecedently chartless backdoor malware named 'Sponsor' against 34 companies astir nan globe.

One of nan notable features of nan Sponsor backdoor is that it hides its different innocuous configuration files connected nan victim's disk truthful they tin beryllium discreetly deployed by malicious batch scripts, successfully evading detection.

The run identified by ESET researchers spanned betwixt March 2021 and June 2022, targeting authorities and healthcare orgs and firms engaged successful financial services, engineering, manufacturing, technology, law, telecommunications, and more.

The astir targeted countries successful nan run observed by ESET are Israel, Brazil, and nan United Arab Emirates.

Campaign milestonesCampaign milestones (ESET)

Targeting Microsoft Exchange flaws

ESET reports that Charming Kitten chiefly exploited CVE-2021-26855, a Microsoft Exchange distant codification execution vulnerability, to summation first entree to its targets' networks.

From there, nan hackers utilized various open-source devices that facilitate information exfiltration, strategy monitoring, and web infiltration and besides thief nan attackers support entree to nan compromised computers.

Open root devices utilized by nan hackersOpen root devices utilized by nan hackers (ESET)

Before deploying nan Sponsor backdoor, nan last payload seen successful these attacks, nan hackers driblet batch files connected circumstantial record paths connected nan big machine, which writes nan required configuration files.

These files are named config.txt, node.txt, and error.txt to blend successful pinch regular files and debar raising suspicions.

The Sponsor backdoor

Sponsor is simply a C++ backdoor that creates a work upon motorboat arsenic instructed by nan configuration file, which besides contains encrypted bid and power (C2) server addresses, C2 contacting intervals, and nan RC4 decryption key.

The malware gathers strategy accusation for illustration nan OS build (32 aliases 64-bit) powerfulness root (battery aliases plug) and sends it to nan C2 via larboard 80, receiving a node ID back, which is written to nan configuration file.

System info Sponsor collects upon launchSystem info Sponsor collects upon launch (ESET)

Next, nan Sponsor backdoor enters a loop wherever it contacts nan C2 successful clip intervals defined by nan configuration record to get commands for execution connected nan host.

Here's a database of nan supported commands:

  • Sends moving Sponsor process ID.
  • Executes a specified bid connected Sponsor big and reports results to nan C2 server.
  • Receives and runs a record from C2 pinch various parameters and communicates occurrence aliases errors to C2.
  • Downloads and runs a record via Windows API and reports to C2.
  • Runs Uninstall.bat from nan existent directory.
  • Sleeps randomly earlier reconnecting pinch nan C2 server.
  • Updates C&Cs database successful config.txt and reports to C2.
  • Adjusts check-in interval successful config.txt and reports to C2.

ESET has besides seen a 2nd type of Sponsor, which features codification optimizations and a furniture of disguise that makes it look arsenic an updater tool.

Although nary of nan IP addresses utilized successful this run are online anymore, ESET has shared afloat IOCs to thief take sides against imaginable early threats that reuse immoderate of nan devices aliases infrastructure Charming Kitten deployed successful that campaign.

Related Article

New WiKI-Eve attack can steal numerical passwords over WiFi

New WiKI-Eve attack can steal numerical passwords over WiFi

2 weeks ago
Google fixes another Chrome zero-day bug exploited in attacks

Google fixes another Chrome zero-day bug exploited in attacks

2 weeks ago
Microsoft will block 3rd-party printer drivers in Windows Update

Microsoft will block 3rd-party printer drivers in Windows Update

2 weeks ago
MGM Resorts shuts down IT systems after cyberattack

MGM Resorts shuts down IT systems after cyberattack

2 weeks ago
CISA warns govt agencies to secure iPhones against spyware attacks

CISA warns govt agencies to secure iPhones against spyware attacks

2 weeks ago
Square: Last week’s outage was caused by DNS issue, not a cyberattack

Square: Last week’s outage was caused by DNS issue, not a cyberattack

2 weeks ago

Trending

1. Ryder Cup schedule
2. Michael Gambon
3. Hyundai recall
4. Chris Christie
5. Tim Scott
6. Vivek Ramaswamy
7. Inter Miami vs Houston Dynamo
8. The Wonderful Story of Henry Sugar
9. Bruce Springsteen
10. Quest 3

Popular Article

OpenAI boss Sam Altman receives Indonesia's first golden visa

OpenAI boss Sam Altman receives Indonesia's first golden visa

2 weeks ago
3 sci-fi movies on Prime Video you need to watch in September

3 sci-fi movies on Prime Video you need to watch in September

2 weeks ago
Morgan Stanley values Tesla's super-hyped supercomputer at up to $500B

Morgan Stanley values Tesla's super-hyped supercomputer at up to $500B

2 weeks ago
Square: Last week’s outage was caused by DNS issue, not a cyberattack

Square: Last week’s outage was caused by DNS issue, not a cyberattack

2 weeks ago
Iranian hackers backdoor 34 orgs with new Sponsor malware

Iranian hackers backdoor 34 orgs with new Sponsor malware

2 weeks ago
Billions of 'custobots' are coming online. Marketers may need to learn SEO for AI

Billions of 'custobots' are coming online. Marketers may need to learn SEO for AI

2 weeks ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.