Iranian hacker group spies on companies

September 11, 2023

Ballistic Bobcat deploys new backdoor “Sponsor” against unpatched networks

The highly dangerous hacker group Ballistic Bobcat, which originated in Iran, has been attacking organisations in various industries in several countries since September 2021. The majority of the 34 affected businesses are located in Israel, but also in Brazil and the United Arab Emirates. The criminals’ goal: to hijack valuable data in the industrial, financial, media, healthcare and telecommunications sectors. They are using a new backdoor called Sponsor, which was discovered by the team led by ESET researcher Adam Burgher.

How Ballistic Bobcat operates

The hacker group’s approach serves as a prime example of why companies should urgently implement vulnerability management. Ballistic Bobcat ran a so-called “scan exploit campaign”, in which companies are automatically analysed on the internet for unpatched vulnerabilities. In this case, it was the long known vulnerability CVE-2021-26855 in Microsoft Exchange Servers. If this gap was open in organisations, hackers had a foot in the door and could install further malware. As ESET telemetry shows, this has been in use since September 2021.
Adam Burgher assumes that this was not a targeted campaign, but a broadly distributed attack. There are hardly any commonalities among the victims apart from the security vulnerability. Moreover, some organisations did not even possess any worthwhile information for hackers.
Another interesting fact is that Ballistic Bobcat was not the only attacker in the network of almost half of the affected companies. ESET found evidence that other hacker groups had previously exploited the vulnerability for their own purposes.
“Ballistic Bobcat uses a diverse, open-source toolset. This includes a number of custom applications, including Sponsor. Businesses would be well advised to patch all devices with internet access and watch out for new applications appearing in their organisations,” advises Burgher.

Hacking group has been active for some time

Ballistic Bobcat, also known as APT35/APT42 (“Charming Kitten” or PHOSPHORUS), has targeted education, government and health organisations as well as human rights activists and journalists in the past. During the pandemic, organisations that dealt with COVID-19, including the World Health Organisation and Gilead Pharmaceuticals, as well as medical research workers, were particularly targeted.
For more technical information about Ballistic Bobcat and its sponsorship access campaign, see the blog post “Sponsor with whiskers: Ballistic Bobcat’s Scan and Strike Backdoor” on WeLiveSecurity . You can read more about patch management in the ESET blog “The renaissance of patch management”.

Related Articles

Smart Cities market predicted to top $1,100 billion by 2028

Smart Cities market predicted to top $1,100 billion by 2028

The adoption of smart cities has witnessed a remarkable surge in recent years, driven by advancements in technology, growing urbanisation, and increasing recognition of the benefits of smart solutions.  This market is, according to the latest research from...

One year of Cell Broadcast in Baden-Württemberg

One year of Cell Broadcast in Baden-Württemberg

Minister Thomas Strobl: "The last 12 months have shown that cell broadcasting enables us to reach a large number of people quickly and easily in an emergency" "In the event of imminent danger or damage, it is crucial that we warn the population and give people...

Share This