Iranian Hackers ‘Ballistic Bobcat’ Deploy New Backdoor – Source: www.databreachtoday.com

Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime

Hackers Likely Exploited ProxyLogon to Gain Access, Says Eset

Akshaya Asokan (asokan_akshaya) •
September 12, 2023    

Hackers aligned with the Iranian state are targeting vulnerable Microsoft Exchange Servers to deploy a new malware backdoor that has already victimized over two dozen Israeli organizations as part of an ongoing espionage campaign.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

The campaign has been active since 2021 and uses a previously unseen malware backdoor that researchers at Eset dubbed Sponsor. The cybersecurity firm tracks the hacking group as “Ballistic Bobcat.” It is also known as Charming Kitten, APT35 and Mint Sandstorm – formerly known as Phosphorus. The group has spied on journalists, defense contractors and diplomats.

In the latest campaign, the group targeted 32 organizations in Israel, and two other victims were spotted in the Middle East and Brazil. Among the indicators Eset said led it to attributing the attacks to Ballistic Bobcat is an active command-and-control server with an IP address of 162.55.137.20, the same that the U.S. Cybersecurity and Infrastructure Security Agency in late 2021 flagged as infrastructure belonging to Iranian government-sponsored hackers.

The Sponsor backdoor is a version of PowerLess, a Ballistic Bobcat backdoor first documented in 2021.

The hackers’ initial access point into systems likely was a widely exploited Exchange flaw uncovered in 2021 designated as CVE-2021-26855 and known as ProxyLogon. Once the group gained initial access, it began to drop batch files to evade detection.

“Many of the 34 victims identified in Eset telemetry might best be described as victims of opportunity rather than preselected and researched victims,” the report says.

The group deployed a range of open-source tools including Plink for automated logins and a post-exploitation framework called MerlinAgent, which the group disguised as software updates to avoid its potential detection.