Sponsor Backdoor

Malware Profile Updated 3 months ago
The Sponsor backdoor is malware designed and coded by Ballistic Bobcat. It obfuscates data before sending it to its Command & Control (C&C) server, and it relies on innocuous-looking configuration files and a modular design to evade scanning engines. Sponsor, a version of PowerLess (a backdoor first documented in 2021), has been deployed since 2021 mainly against organizations in Israel across sectors including automotive, engineering, financial services, healthcare, manufacturing, media, technology, and telecommunications. This Ballistic Bobcat activity using the Sponsor backdoor has been named the "Sponsoring Access" campaign.

In the Sponsoring Access campaign, Ballistic Bobcat exploited Microsoft Exchange vulnerabilities, often opportunistically, and dropped batch files onto victims' systems moments before deploying the Sponsor backdoor. The group has used these tactics for over two years, alongside open-source tools on compromised systems, and the overlap between Ballistic Bobcat's earlier activity and the Sponsor campaigns shows a clear pattern in its tool development. Sponsor reads its configuration from files stored on disk, which are dropped by the batch files; both the batch files and the configuration files are innocuous on their own, which is what lets them bypass scanning engines. ESET researcher Adam Burgher noted that this modular approach is one Ballistic Bobcat has used quite often, with modest success, over the past two and a half years.

As of the latest report, the Sponsor backdoor has been deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
PowerLess | 1 | Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Miscellaneous Associations
Other contextual elements that could help in assessing relevance
Backdoor
Exploit
Windows
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Ballistic Bobcat | Unspecified | 3 | Ballistic Bobcat, also known as APT35, APT42, Charming Kitten, TA453, and Phosphorus, is a threat actor group believed to be aligned with Iran. The group has been active for several years, developing and deploying a series of backdoor exploits known as Sponsor (versions v1 through v4). Ballistic Bob
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Sponsor Backdoor malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | New Sponsor Malware Attacking Government & Healthcare Organizations
BankInfoSecurity | 10 months ago | Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor
CERT-EU | 10 months ago | Iranian Cyberspies Deployed New Backdoor to 34 Organizations
CERT-EU | 10 months ago | Iranian hackers target orgs in Brazil, Israel, and OAE with new Sponsor backdoor
CERT-EU | 10 months ago | Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E.
CERT-EU | 10 months ago | Iranian Charming Kitten APT targets various entities in Brazil, Israel, and the U.A.E. using a new backdoor
CERT-EU | 10 months ago | Cyber Security Week in Review: September 15, 2023
ESET | 10 months ago | Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor