The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Charming Kitten Using Sponsor Backdoor

Sep 18, 2023 2:00:54 PM / by The Hivemind

Charming KittenVerticals Targeted: Automotive, Communications, Engineering, Financial Services, Healthcare, Insurance, Legal, Manufacturing, Retail, Technology, Telecommunications

Executive Summary

Charming Kitten, an Iran nexus threat actor group, was recently observed using Sponsor backdoor to target at least 34 entities in Brazil, Israel, and UAE.

Key Takeaways

  • Charming Kitten was recently observed using Sponsor backdoor to target at least 34 entities in Brazil, Israel, and the UAE.
  • Charming Kitten obtains initial access by exploiting known Microsoft Exchange vulnerabilities, including CVE-2021-26855.
  • Sponsor uses configuration files stored on disk that are discreetly deployed using batch files and are made to appear innocuous. 

What is Sponsor?

Charming Kitten, an Iran nexus threat actor group, was recently observed using Sponsor backdoor to target at least 34 entities in Brazil, Israel, and UAE. ESET reported on this activity and referred to it as the “Sponsoring Access” campaign.

Targeted entities were in multiple verticals, including automotive, communications, engineering, financial services, healthcare, insurance, legal, manufacturing, retail, technology, and telecommunications. ESET noted some of the Sponsor backdoor activity overlapped with the deployment of Charming Kitten’s PowerLess backdoor in 2021. Sponsor also piggybacked on some of the C2 infrastructure used for PowerLess.

In this campaign, Charming Kitten obtained initial access by exploiting known Microsoft Exchange vulnerabilities, including CVE-2021-26855. ESET believes the targets were targets of opportunity due to insecure configurations and noted some of the victims appeared to be compromised by more than one threat actor.

Sponsor backdoor, which is written in C++, is known to have multiple variants. In V2, the threat actors optimized the code and disguised Sponsor as an updater program. Sponsor uses configuration files stored on disk that are discreetly deployed using batch files and are made to appear innocuous. This allows the files to evade detection.

In addition to Sponsor, Charming Kitten deployed other tools on some of the victim systems, including Plink, Merlin agent, Host2IP, RevSocks, Mimikatz, GOST, ProcDump, Chisel, a password recovery tool, a tool to extract data from SQL databases, and Meterpreter reverse shells.

Who is Charming Kitten?

Charming Kitten, also known as APT35, Phosphorus, Newscaster, TA453, Cobalt Illusion, Magic Hound, Ballistic Bobcat, and ITG18, is an Iran nexus state-sponsored threat actor group tentatively linked to the Islamic Revolutionary Guard Corps. Charming Kitten has previously targeted government and military personnel, academics, journalists, and the World Health Organization. Targets were mostly located in the US and the Middle East. The group has been active since at least 2014.

Charming Kitten TTPs include but are not limited to social engineering, use of compromised email accounts, targeted phishing attacks, using Amazon S3 buckets and IRC for C2, leveraging Log4j vulnerabilities, watering hole attacks, Havij, sqlmap, Metasploit, Mimikatz, CharmPower, DownPaper, PsExec, PowerLess, and Pupy. Charming Kitten is known for its moderate skill level, easily recognizable TTPs, expansive infrastructure, and notoriously sloppy OPSEC.

IOCs

PolySwarm has multiple samples of Sponsor.

 

C4dbda41c726af9ba3d9224f2e38fc433d2b60f4a23512437adeae8ef8986c57

2a99cf7d73d453f3554e24bf3efa49d8109da9e8543db815a8f813559d083f8f

5e0f28bd2d49b73e96a87f5c20283ebe030f4bb39b3107d4d68015dce862991d

828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d

Aac08c6f7474c979acf2a3aef1f2727820ece755001530cdebf346b5d1ae2ccb

E2b74ed355d68bed2e7242baecccd7eb6eb480212d6cc54526bc4ff7e6f57629

E5ee874bd59bb2a6dec700686544e7914312abff166a7390b34f7cb29993267a

F999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

4afa5fde76f1f3030cf7dbd12e37b717e1f902ac95c8bdf54a2e58a64faade04

2c7a96d79b97ec59ff8d18f5bb6404c36af25c513428a82db429b6e5648db2b3

f4c8369e4de1f12cc5a71eb5586b38fc78a9d8db2b189b8c25ef17a572d4d6b7

 

You can use the following CLI command to search for all Sponsor samples in our portal:

$ polyswarm link list -f Sponsor

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

 

Topics: Threat Bulletin, Middle East, Iran, Charming Kitten, Sponsor

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts