
Cyber espionage: new Sponsor backdoor hits various industries

New cyber threat: Charming Kitten affects at least 34 companies

An Iran-linked cyber spy group known as Charming Kitten has infected 34 victims in Brazil, Israel and the United Arab Emirates with a new backdoor called Sponsor. This malware exploits vulnerabilities in Microsoft Exchange servers. Experts recommend applying security patches and staying vigilant for threats.


An Iran-linked cyber spy group called Charming Kitten has infected at least 34 victims in Brazil, Israel and the United Arab Emirates with a new backdoor.

Activities of cyber spies linked to Iran

Charming Kitten, also known as APT42, Ballistic Bobcat, Mint Sandstorm and NewsBeef, has been active for over a decade and is alleged to be acting on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The group targeted activists, government organizations and journalists.

The new Sponsor backdoor

The cyber spy group recently used a new backdoor called Sponsor. This malware has primarily been employed against organizations across various industries, including automotive, engineering, financial services, healthcare, manufacturing, media, technology, and telecommunications. Sponsor exploits known vulnerabilities in Microsoft Exchange servers to gain initial access.

The scanning and exploitation operation

Because many of the identified targets have no obvious intelligence value, the attacks appear to be not targeted but rather part of a scan-and-exploit operation. In fact, of the 34 identified victims, 16 were also compromised by other threat actors. Sponsor is written in C++ and runs as a persistent service that communicates with control servers to receive commands. The cyber spy group continues to use a diverse set of open source tools, complemented by some custom applications, including the Sponsor backdoor. Experts recommend securing Internet-exposed devices through patching and remaining vigilant for any new suspicious applications within the organization.


09/12/2023 14:02

Editorial AI
