
New backdoor tool spotted in use against targets in Brazil, Israel, UAE

Suspected Iranian nation-state hackers attacked organizations in Brazil, Israel and the United Arab Emirates using previously unidentified backdoor malware, researchers have discovered.

The hacker group labeled Ballistic Bobcat, also known as Charming Kitten, deployed the backdoor between March 2021 and June 2022 against at least 34 victims, mostly in Israel, according to cybersecurity company ESET. The researchers are calling the malware Sponsor.

The targets included a medical cooperative and health insurance operator in Brazil; an unidentified organization in the UAE; and media, engineering, automotive, and financial companies in Israel.

The hackers didn't carefully select their targets — ESET suggests that the compromised organizations are "opportunistic victims" that had an unpatched vulnerability in Microsoft Exchange that allowed for remote code execution.

In 2021, cybersecurity agencies from Australia, the U.K., and the U.S. warned of active exploitation of Microsoft Exchange vulnerabilities by Iranian state-sponsored actors.

Inside the backdoor

Sponsor is written in the C++ programming language. It collects information about the computer on which it is running and reports all of the gathered information to the hackers.

A key characteristic is that Sponsor’s configuration files appear to be innocuous, allowing them to be secretly used by malicious scripts while avoiding detection.

Charming Kitten first deployed the new backdoor in September 2021, but ESET only discovered it in May 2022 after it analyzed a sample from a victim’s system in Israel.

Israel has recently faced multiple cybersecurity threats, including incidents linked to Iran. In March, Israel publicly blamed Tehran for a ransomware attack on the country’s leading technology university.

A recent report by Microsoft said that Iranian state-backed hackers are increasingly using influence operations to amplify the impact of conventional cyberattacks and promote Tehran's political agenda in Israel and the U.S.

While Israel and Iran have never been in a declared war against each other, the countries have repeatedly blamed each other for cyberattacks targeting civilian infrastructure, including a steel plant in Iran and water systems in Israel.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.