Sponsor Backdoor

Malware updated 23 days ago (2024-11-29T14:37:40.948Z)
Download STIX
Preview STIX
The Sponsor backdoor is a malicious software (malware) designed and coded by Ballistic Bobcat. This malware obfuscates data before sending it to the Command & Control (C&C) server, employing innocuous configuration files and a modular approach to evade scans. The Sponsor backdoor, a version of PowerLess, a backdoor first documented in 2021, has been deployed mainly against organizations in Israel across various sectors including automotive, engineering, financial services, healthcare, manufacturing, media, technology, and telecommunications since 2021. This activity by Ballistic Bobcat using the Sponsor backdoor has been named the "Sponsoring Access" campaign. Ballistic Bobcat exploited Microsoft Exchange vulnerabilities, often opportunistically, in the Sponsoring Access campaign. The group deployed batch files to victims' systems moments before deploying the Sponsor backdoor. These tactics have been frequently used by Ballistic Bobcat for over two years, alongside open-source tools on compromised systems. There's a clear pattern in tool development as Ballistic Bobcat and Sponsor backdoor campaigns overlap. The Sponsor backdoor uses configuration files stored on disk, dropped by batch files, both of which are innocuous so as to bypass scanning engines. ESET researcher Adam Burgher noted this modular approach is one that Ballistic Bobcat has used quite often with modest success in the past two and a half years. As of the latest report, the Sponsor backdoor has been deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates.
Description last updated: 2024-05-04T16:59:32.708Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Ballistic Bobcat Threat Actor is associated with Sponsor Backdoor. Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic BobUnspecified
3