ESET’s Latest Discovery Sheds Light on Ballistic Bobcat’s Persistent Cyberespionage Efforts

Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor

(IN BRIEF) ESET researchers have uncovered a cyberespionage campaign led by the Ballistic Bobcat group, suspected of having Iranian ties, which primarily targets education, government, healthcare, and various organizations worldwide. In their latest campaign, they introduced a new backdoor called “Sponsor.” Surprisingly, 16 out of 34 victims showed signs of multiple threat actors accessing their systems, suggesting a scan-and-exploit approach rather than specific targeting. Ballistic Bobcat continues to exploit unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The Sponsor backdoor uses innocuous batch files to deploy configuration files, making it hard to detect. This backdoor was introduced in September 2021 and was active during the pandemic, targeting COVID-19-related organizations and medical research personnel. This discovery highlights the persistent threat posed by cyberespionage.

(PRESS RELEASE) BRATISLAVA/ MONTREAL, 11-Sep-2023 — /EuropaWire/ — ESET, a Slovak internet security company known for its anti-virus and firewall products, announces that its researchers have uncovered a sophisticated cyberespionage campaign orchestrated by the Ballistic Bobcat group, unveiling a novel backdoor named Sponsor. Ballistic Bobcat, previously known as APT35/APT42 (also recognized as Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-aligned advanced persistent threat group with a history of targeting education, government, healthcare organizations, human rights activists, and journalists. Its primary focus lies in cyberespionage, with a strong presence in Israel, the Middle East, and the United States. Notably, the majority of its 34 identified victims were located in Israel, while two were in Brazil and the UAE. Industries targeted in Israel span automotive, manufacturing, engineering, financial services, media, healthcare, technology, and telecommunications.

Surprisingly, 16 of the 34 victims in the recently discovered campaign, named Sponsoring Access, showed signs of multiple threat actors having access to their systems. This suggests that Ballistic Bobcat may have engaged in scan-and-exploit tactics rather than specifically targeting preselected victims.

Ballistic Bobcat continues its pursuit of targets of opportunity, focusing on unpatched vulnerabilities in internet-exposed Microsoft Exchange servers.

“The group continues to use a diverse, open-source toolset supplemented with several custom applications, including the newly discovered Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations,” says ESET researcher Adam Burgher, who discovered the Sponsor backdoor and analyzed the latest Ballistic Bobcat campaign.

The Sponsor backdoor relies on discreet configuration files stored on disk, deployed through batch files meticulously designed to appear innocuous, aiming to evade detection by scanning engines. Ballistic Bobcat introduced this new backdoor in September 2021, coinciding with the conclusion of their previously documented campaign, CISA Alert AA21-321A, and the PowerLess campaign.

During the height of the COVID-19 pandemic, Ballistic Bobcat extended its reach to target COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, as well as medical research personnel.

For in-depth technical insights into Ballistic Bobcat’s Sponsoring Access campaign, refer to the blogpost, “Sponsor with Batch-filed Whiskers: Ballistic Bobcat’s Scan and Strike Backdoor,” on WeLiveSecurity. Stay updated with the latest developments from ESET Research by following them on Twitter (now known as X).

About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.

Media contact:

Rebecca Kiely
Director of Global PR
Tel: +421 (2) 322 44 111
Fax: +421 (2) 322 44 109
Web: www.eset.com/int

SOURCE: ESET, spol. s r.o.