A previously unidentified backdoor malware, dubbed 'Sponsor', has been deployed by the Iranian nation-state threat actor group known as 'Charming Kitten' against 34 companies worldwide. The malware's distinctive feature is its ability to hide its configuration files on the victim's disk, allowing it to be deployed discreetly by malicious batch scripts and evade detection.
The campaign, which was identified by researchers at ESET, ran from March 2021 to June 2022. It targeted organizations in the government and healthcare sectors, as well as companies involved in financial services, engineering, manufacturing, technology, law, and telecommunications. The countries most targeted in this campaign were Israel, Brazil, and the United Arab Emirates.
The primary method of initial access for Charming Kitten was the exploitation of CVE-2021-26855, a Microsoft Exchange remote code execution vulnerability. After gaining access, the hackers used a variety of open-source tools to facilitate data exfiltration, system monitoring, and network infiltration, and to maintain access to the compromised systems.
Before deploying the Sponsor backdoor, the hackers would drop batch files on specific paths on the host machine, which would then write the necessary configuration files. These files, named config.txt, node.txt, and error.txt, were designed to blend in with regular files and avoid arousing suspicion.
Sponsor is a C++ backdoor that, upon launch, creates a service as instructed by the configuration file. This file also contains encrypted command and control (C2) server addresses, C2 contacting intervals, and the RC4 decryption key. The malware collects system information and sends it to the C2 via port 80, receiving a node ID back, which is written to the configuration file. The Sponsor backdoor then enters a loop where it contacts the C2 at intervals defined by the configuration file to receive commands for execution on the host.
A second version of Sponsor has been observed by ESET, featuring code optimizations and a disguise layer that makes it appear as an updater tool. While none of the IP addresses used in this campaign are currently online, ESET has shared full Indicators of Compromise (IOCs) to help defend against potential future threats that reuse some of the tools or infrastructure deployed in this campaign by Charming Kitten.
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.
By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.
Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.