ESET researchers spotted a series of attacks conducted by the Iranian Charming Kitten group, aka Ballistic Bobcat, APT35, and Phosphorus, with the new Sponsor backdoor. The attacks, dubbed Sponsoring Access, targeted 34 entities in Brazil, Israel, and the UAE.

Diving into details

The primary targets of the Sponsoring Access campaign include educational institutions, government entities, healthcare organizations, as well as human rights activists and journalists.
  • Charming Kitten exploited known vulnerabilities in publicly accessible Microsoft Exchange servers as its initial attack vector.
  • After gaining entry to the targeted network, the Iranian APT group deployed several open-source tools, including Mimikatz, WebBrowserPassView, Plink, and ProcDump.

About Sponsor

  • The Sponsor backdoor, active since at least September 2021, reads its configuration from files on disk that are delivered via batch files. Both components are designed to appear harmless so that they evade detection by scanning engines.
  • This modular approach has been a recurring tactic utilized by Ballistic Bobcat over the past two and a half years, albeit with only moderate success.

Charming Kitten in other attacks

  • In July, Charming Kitten launched a campaign using a malware called NokNok to target macOS systems. The campaign utilized LNK files and social engineering techniques, such as posing as U.S. nuclear experts, to trick victims into downloading the malicious payload.
  • The same month, Volexity researchers observed that the threat group had evolved its POWERSTAR malware with enhanced operational security measures, making it more difficult to analyze and to gather intelligence on.
  • The latest version of POWERSTAR utilizes the InterPlanetary File System (IPFS) and privately hosted infrastructure like Backblaze, indicating a shift in the group's tactics to reduce the risk of exposure and potential actions against their accounts.

The bottom line

Charming Kitten persists in its approach of scanning for potential targets and exploiting unpatched vulnerabilities in publicly accessible Microsoft Exchange servers. The group maintains its strategy of utilizing a varied set of open-source tools, along with some custom-made applications such as the Sponsor backdoor. Researchers recommend defenders promptly patch any internet-exposed devices and stay watchful for any new applications within their organizations.
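As an added defender-side example (not part of the ESET report or this summary), the following Python scans constructed Sysmon-style process-creation events for the open-source tools named above and for executables absent from a known-application baseline, the kind of watchfulness the researchers recommend. The field names follow Sysmon Event ID 1 conventions; the baseline, the event records and the helper names are assumptions.

```python
"""Flag process-creation events that match tooling named in the report
(Mimikatz, WebBrowserPassView, Plink, ProcDump) or that introduce an
executable not present in a known-application baseline."""
import re

# Tool names taken from the report. Each pattern is checked against both the
# image file name and OriginalFileName (from the PE version resource), because a
# renamed binary keeps its original name in that field.
WATCHLIST = {
    "mimikatz": re.compile(r"mimikatz", re.I),
    "webbrowserpassview": re.compile(r"webbrowserpassview", re.I),
    "plink": re.compile(r"^plink(\.exe)?$", re.I),
    "procdump": re.compile(r"^procdump(64)?(\.exe)?$", re.I),
}

# Constructed events, not real telemetry (hypothetical paths and PIDs).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"ProcessId": 102, "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "mimikatz.exe"},
    {"ProcessId": 103, "Image": r"C:\Temp\procdump64.exe", "OriginalFileName": "procdump"},
    {"ProcessId": 104, "Image": r"C:\Program Files\Vendor\agent.exe", "OriginalFileName": "agent.exe"},
    {"ProcessId": 105, "Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE"},
]

# Assumed baseline of executables already known in the environment.
BASELINE = {"svchost.exe", "explorer.exe", "cmd.exe"}


def _basename(path):
    """Return the file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(event, baseline):
    """Return the findings for one event: a watchlist hit and/or a new application."""
    findings = []
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "")
    for name, pattern in WATCHLIST.items():
        if pattern.search(image) or pattern.search(original):
            findings.append(f"known-tool:{name}")
            break
    if image.lower() not in baseline:
        findings.append("new-application")
    return findings


def scan(events, baseline):
    """Return (ProcessId, findings) pairs for every event that produced a finding."""
    normalized = {b.lower() for b in baseline}
    results = []
    for event in events:
        findings = classify(event, normalized)
        if findings:
            results.append((event["ProcessId"], findings))
    return results
```

A baseline built from an inventory of signed, deployed software turns the "new-application" finding into a triage queue rather than an alert flood.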
Cyware Publisher