🛡 H3lium@infosec.exchange/:~# :blinking_cursor:<p>"🔍 Charming Kitten Strikes with 'Sponsor' Malware! 🕵️"<br>The notorious APT group 'Charming Kitten' (also known as Phosphorus, TA453, APT35/42) has unveiled a new backdoor malware named 'Sponsor'. This malware has already targeted 34 global companies. Stay vigilant! 🌍🔥</p><p>A nation-state threat actor, known by various aliases including 'Charming Kitten,' 'Phosphorus,' 'TA453,' and 'APT35/42,' has recently executed a sophisticated cyber campaign using a previously undisclosed backdoor malware named 'Sponsor.' ESET researchers have identified this campaign, which targeted 34 companies worldwide between March 2021 and June 2022, encompassing government and healthcare organizations, financial services, engineering, manufacturing, technology, law, telecommunications, and more. The primary targets were located in Israel, Brazil, and the United Arab Emirates.</p><p><strong>Key Findings:</strong></p><ol><li><p><strong>Concealed Configuration Files:</strong> The 'Sponsor' backdoor is notable for its ability to hide configuration files on the victim's system, making it stealthy and difficult to detect. 
These files are deployed discreetly through malicious batch scripts.</p></li><li><p><strong>Initial Access via Microsoft Exchange Vulnerability:</strong> The threat actor primarily exploited the CVE-2021-26855 vulnerability in Microsoft Exchange to gain initial access to targeted networks.</p></li><li><p><strong>Tool Usage:</strong> Charming Kitten utilized various open-source tools for data exfiltration, system monitoring, network infiltration, and maintaining access to compromised computers.</p></li><li><p><strong>Payload Deployment:</strong> Prior to deploying the 'Sponsor' backdoor, the attackers dropped batch files on specific file paths, creating seemingly innocuous files named config.txt, node.txt, and error.txt to avoid arousing suspicion.</p></li><li><p><strong>Functionality of 'Sponsor' Backdoor:</strong> 'Sponsor' is a C++ backdoor that establishes a service upon launch based on instructions from the configuration file. The configuration file contains encrypted command and control (C2) server addresses, C2 contact intervals, and the RC4 decryption key. The malware collects system information and sends it to the C2, receiving a unique node ID in return. 
It then enters a loop to receive and execute commands from the C2, including process ID reporting, command execution, file retrieval and execution, and more.</p></li><li><p><strong>Disguised Second Version:</strong> ESET identified a second version of 'Sponsor' with code optimizations and camouflage features, making it appear as an updater tool.</p></li><li><p><strong>Indicators of Compromise (IOCs):</strong> Although the IP addresses used in this campaign are no longer active, ESET has shared comprehensive IOCs to assist in defending against potential future threats that may reuse the tools or infrastructure deployed by Charming Kitten.</p></li></ol><p>Organizations worldwide, particularly those in the targeted sectors and regions, should remain vigilant and ensure their cybersecurity defenses are up-to-date and capable of detecting advanced threats like 'Sponsor' used by nation-state actors like Charming Kitten. Regular patching and network monitoring are essential to mitigate such cyber risks.</p><p>Source: <a href="https://www.bleepingcomputer.com/news/security/iranian-hackers-backdoor-34-orgs-with-new-sponsor-malware/" rel="nofollow noopener" target="_blank">BleepingComputer.com</a><br><a href="https://attack.mitre.org/groups/G0059/" rel="nofollow noopener" target="_blank">Mitre - Charming Kitten</a><br>Tags: <a href="https://infosec.exchange/tags/APT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APT</span></a> <a href="https://infosec.exchange/tags/CharmingKitten" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CharmingKitten</span></a> <a href="https://infosec.exchange/tags/SponsorMalware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SponsorMalware</span></a> <a href="https://infosec.exchange/tags/CyberAttack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberAttack</span></a></p>
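A defender-side check for the file-drop pattern in findings 4 and 5, added here as an example and not taken from the ESET report or the linked article: it scans constructed Sysmon Event ID 11 (FileCreate) records, flattened to one key=value line each (a layout assumed for the sample), and flags any directory where cmd.exe, the interpreter that runs batch scripts, has created all three of config.txt, node.txt and error.txt. The directories and timestamps in the sample are made up; the real drop paths are not given in the post.

```python
import re
from collections import defaultdict

# Constructed sample of Sysmon Event ID 11 (FileCreate) records, one per line.
# Paths and timestamps are made up; the key=value layout is assumed for the sample.
SAMPLE_EVENTS = [
    "2021-05-04T10:12:01 EventID=11 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\ProgramData\\Sys\\config.txt",
    "2021-05-04T10:12:02 EventID=11 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\ProgramData\\Sys\\node.txt",
    "2021-05-04T10:12:02 EventID=11 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\ProgramData\\Sys\\error.txt",
    # Benign: an ordinary application writing two of the names in its own folder.
    "2021-05-04T10:15:40 EventID=11 Image=C:\\Program Files\\App\\app.exe TargetFilename=C:\\Program Files\\App\\config.txt",
    "2021-05-04T10:15:41 EventID=11 Image=C:\\Program Files\\App\\app.exe TargetFilename=C:\\Program Files\\App\\error.txt",
    # Partial: cmd.exe writing only one of the names is not enough on its own.
    "2021-05-04T10:20:00 EventID=11 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Temp\\config.txt",
    # Unrelated event type (process creation), skipped by the EventID filter.
    "2021-05-04T11:00:00 EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c dir",
]

# File names the post reports being dropped by the batch scripts before Sponsor runs.
SPONSOR_DROP_NAMES = frozenset({"config.txt", "node.txt", "error.txt"})
BATCH_INTERPRETER = "cmd.exe"

# key=value pairs; values may contain spaces, so stop only before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one flattened record into a dict of fields plus its timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["Timestamp"] = timestamp
    return fields


def find_sponsor_drops(lines):
    """Return directories in which cmd.exe created all three Sponsor config file names."""
    names_by_dir = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "11":
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        directory, _, name = ev.get("TargetFilename", "").rpartition("\\")
        if image == BATCH_INTERPRETER and name.lower() in SPONSOR_DROP_NAMES:
            names_by_dir[directory].add(name.lower())
    return sorted(d for d, names in names_by_dir.items() if names == SPONSOR_DROP_NAMES)


if __name__ == "__main__":
    for directory in find_sponsor_drops(SAMPLE_EVENTS):
        print(f"possible Sponsor staging directory: {directory}")
```

Requiring all three names from the same interpreter in one directory keeps the noise down; a hit is a lead for triage against the published ESET IOCs, not a verdict by itself.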