Sponsor Backdoor

Malware updated 7 months ago (2024-05-04T20:18:40.529Z)
Sponsor is a backdoor developed and used by Ballistic Bobcat. It obfuscates data before sending it to its command-and-control (C&C) server, and it reads its configuration from innocuous-looking files on disk that are dropped by batch files moments before the backdoor itself is deployed. Because neither the batch files nor the configuration files contain anything obviously malicious on their own, this modular design is intended to slip past scanning engines. ESET researcher Adam Burgher noted that this modular approach is one Ballistic Bobcat has used quite often, with modest success, in the past two and a half years.

Sponsor, a version of PowerLess (a backdoor first documented in 2021), has been deployed since 2021 mainly against organizations in Israel across the automotive, engineering, financial services, healthcare, manufacturing, media, technology, and telecommunications sectors. This activity has been named the "Sponsoring Access" campaign. In it, Ballistic Bobcat obtained access by exploiting Microsoft Exchange vulnerabilities, often opportunistically, and ran open-source tools on the compromised systems alongside its own tooling. These tactics have been in use by the group for over two years, and the overlap between Ballistic Bobcat's earlier campaigns and the Sponsor deployments shows a clear pattern of tool development. As of the latest report, Sponsor has been deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates.
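The "batch file drops a benign-looking configuration file, then the backdoor picks it up" sequence described above is something a detection engineer can look for in endpoint telemetry even when neither file trips a scanner. The script below is an added example, not code from ESET, Cybergeist, or the Sponsor operators: it correlates file-creation events from a batch launcher with process starts that follow shortly after. The log layout, the 60-second window, the launcher list, and every path and file name in the sample are constructed for illustration; the page gives no file names or paths for Sponsor and none are assumed here.

```python
"""Correlate "batch file drops a config file, then a new process picks it up".

Added example, not code from ESET or from this page. The log schema, the
60-second window and every file name below are constructed for illustration;
the page gives no file names or paths for Sponsor, and none are assumed here.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Processes that execute .bat files; a file written by one of these is a
# candidate "dropped configuration file". (Constructed allowlist.)
LAUNCHERS = {"cmd.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "file_create" or "process_create"
    image: str   # full path of the process that wrote the file / was started
    target: str  # created file path, or the new process's command line


# Constructed sample telemetry in a simple "ts|kind|image|target" layout
# (Sysmon-like in spirit, but not Sysmon's real format).
SAMPLE_LOG = r"""
2024-01-10T09:00:00|process_create|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Temp\setup.bat
2024-01-10T09:00:01|file_create|C:\Windows\System32\cmd.exe|C:\ProgramData\Example\config.txt
2024-01-10T09:00:05|process_create|C:\ProgramData\Example\svc.exe|svc.exe C:\ProgramData\Example\config.txt
2024-01-10T09:30:00|file_create|C:\Windows\System32\cmd.exe|C:\Temp\notes.txt
2024-01-10T10:45:00|process_create|C:\Windows\System32\notepad.exe|notepad.exe C:\Temp\notes.txt
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, image, target = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), kind, image, target))
    return sorted(events, key=lambda e: e.ts)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def find_drop_then_execute(events: List[Event],
                           window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str]]:
    """Return (dropped_file, new_process_image) pairs where a launcher wrote a
    file and, within `window`, a non-launcher process started that either
    names that file on its command line or lives in the same directory."""
    hits = []
    for i, drop in enumerate(events):
        if drop.kind != "file_create" or _basename(drop.image) not in LAUNCHERS:
            continue
        for later in events[i + 1:]:
            if later.ts - drop.ts > window:
                break  # events are time-ordered; nothing further can match
            if later.kind != "process_create" or _basename(later.image) in LAUNCHERS:
                continue
            if drop.target.lower() in later.target.lower() or _same_dir(drop.target, later.image):
                hits.append((drop.target, later.image))
    return hits


if __name__ == "__main__":
    for dropped, image in find_drop_then_execute(parse_log(SAMPLE_LOG)):
        print(f"config drop followed by execution: {dropped} -> {image}")
```

On the constructed sample this flags only the first sequence (cmd.exe writes a file under a ProgramData subdirectory, and a binary in the same directory starts four seconds later referencing it); the notepad case is excluded by the window. In a real estate this heuristic fires on installers and scripted deployments too, so it belongs in a hunting query with an allowlist of known deployment tooling rather than in a blocking rule.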
Description last updated: 2024-05-04T16:59:32.708Z
Aliases: none currently tracked

Miscellaneous associations (other elements of context that could aid in identifying relevance): Backdoor
Associated Threat Actors

Alias: Ballistic Bobcat
Association type: Unspecified
Votes: 3
Description: The Ballistic Bobcat threat actor is associated with the Sponsor backdoor. Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of versions of the Sponsor backdoor (v1 through v4). Ballistic Bob