{"id":8457,"date":"2023-09-11T12:00:00","date_gmt":"2023-09-11T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2023\/09\/11\/sponsor-with-batch-filed-whiskers-ballistic-bobcats-scan-and-strike-backdoor\/"},"modified":"2023-09-11T12:00:00","modified_gmt":"2023-09-11T09:00:00","slug":"sponsor-with-batch-filed-whiskers-ballistic-bobcats-scan-and-strike-backdoor","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2023\/09\/11\/sponsor-with-batch-filed-whiskers-ballistic-bobcats-scan-and-strike-backdoor\/","title":{"rendered":"Sponsor with batch-filed whiskers: Ballistic Bobcat\u2019s scan and strike backdoor"},"content":{"rendered":"<p><span lang=\"EN-US\">ESET researchers discovered a Ballistic Bobcat campaign targeting various entities in Brazil, Israel, and the United Arab Emirates, using a novel backdoor we have named Sponsor. <\/span><\/p>\n<p><span lang=\"EN-US\">We discovered Sponsor after we analyzed an interesting sample we detected on a victim\u2019s system in Israel in May 2022 and scoped the victim-set by country. Upon examination, it became evident to us that the sample was a novel backdoor deployed by the Ballistic Bobcat APT group.<\/span><\/p>\n<p><span lang=\"EN-US\">Ballistic Bobcat, previously tracked by ESET Research as APT35\/APT42 (aka Charming Kitten, TA453, or PHOSPHORUS), is a suspected <a href=\"https:\/\/research.checkpoint.com\/2022\/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit\/\">Iran-aligned advanced persistent threat group<\/a> that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the United States. 
Notably, during the pandemic, it was targeting COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, and medical research personnel.<\/span><\/p>\n<p><span lang=\"EN-US\">Overlaps between Ballistic Bobcat campaigns<span><br \/>\n<\/span>and Sponsor backdoor versions show a fairly clear pattern of tool development and deployment, with narrowly targeted campaigns, each of limited duration. We subsequently discovered four other versions of the Sponsor backdoor. In total, we saw Sponsor deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates, as outlined in <\/span><span lang=\"EN-US\">Figure <span>1<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 1. Timeline of the Sponsoring Access campaign\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1.png\" title=\"Figure 1. Timeline of the Sponsoring Access campaign\" width=\"\"><figcaption><em>Figure 1. Timeline of the Sponsoring Access campaign<\/em><\/figcaption><\/figure>\n<blockquote>\n<p><strong><span lang=\"EN-US\">Key points of this blogpost:<\/span><\/strong><\/p>\n<ul>\n<li><em><span lang=\"EN-US\">We discovered a new backdoor deployed by Ballistic Bobcat that we subsequently named Sponsor.<\/span><\/em><\/li>\n<li><em><span lang=\"EN-US\">Ballistic Bobcat deployed the new backdoor in September 2021, while it was wrapping up the campaign documented in CISA Alert AA21-321A and the PowerLess campaign.<\/span><\/em><\/li>\n<li><em><span lang=\"EN-US\">The Sponsor backdoor uses configuration files stored on disk. 
These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines.<\/span><\/em><\/li>\n<li><em><span lang=\"EN-US\">Sponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates; we have named this activity the Sponsoring Access campaign.<\/span><\/em><\/li>\n<\/ul>\n<\/blockquote>\n<h2><span lang=\"EN-US\">Initial access<\/span><\/h2>\n<p><span lang=\"EN-US\">Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses. The group has been known to engage in this behavior for some time. However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity rather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems. We have named this Ballistic Bobcat activity utilizing the Sponsor backdoor the Sponsoring Access campaign.<\/span><\/p>\n<p><span lang=\"EN-US\">The Sponsor backdoor uses configuration files on disk, dropped by batch files, and both are innocuous so as to bypass scanning engines. This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years. On compromised systems, Ballistic Bobcat also continues to use a variety of open-source tools, which we describe \u2013 together with the Sponsor backdoor \u2013 in this blogpost.<\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Victimology<\/span><\/h2>\n<figure><img decoding=\"async\" alt=\"Figure 2. 
Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42.png\" title=\"Figure 2. Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor\" width=\"\"><figcaption><em>Figure 2. Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">A significant majority of the 34 victims were located in Israel, with only two located in other countries:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\">Brazil, at a medical cooperative and health insurance operator, and<\/span><\/li>\n<li><span lang=\"EN-US\">the United Arab Emirates, at an unidentified organization.<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">Table <span>1<\/span><\/span><span lang=\"EN-US\"> describes the verticals, and organizational details, for victims in Israel.<\/span><\/p>\n<p><em><a><\/a><span lang=\"EN-US\">Table <\/span><span lang=\"EN-US\">1<\/span><\/em><span lang=\"EN-US\"><em>. 
Verticals and organizational details for victims in Israel<\/em><\/span><\/p>\n<p><span lang=\"EN-US\"><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Vertical<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><strong><span lang=\"EN-US\">Details<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Automotive<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An automotive company specializing in custom modifications.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An automotive repair and maintenance company.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Communications<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An Israeli media outlet.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Engineering<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A civil engineering firm.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An environmental engineering firm.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An architectural design firm.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Financial services<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A financial services company that specializes in investment counseling.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A company that manages 
royalties.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Healthcare<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A medical care provider.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Insurance<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An insurance company that operates an insurance marketplace.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A commercial insurance company.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Law<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A firm specializing in medical law.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Manufacturing<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">Multiple electronics manufacturing companies.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A company that manufactures metal-based commercial products.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A multinational technology manufacturing company.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Retail<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A food retailer.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A multinational diamond retailer.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span 
lang=\"EN-US\">A skin care products retailer.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A window treatment retailer and installer.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A global electronic parts supplier.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A physical access control supplier.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Technology<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An IT services technology company.<\/span><\/p>\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">An IT solutions provider.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Telecommunications<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">A telecommunications company.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">\n<p><strong><span lang=\"EN-US\">Unidentified<\/span><\/strong><\/p>\n<\/td>\n<td width=\"471\">\n<p><span lang=\"EN-US\">\u00b7<span><br \/>\n<\/span><\/span><span lang=\"EN-US\">Multiple unidentified organizations.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/p>\n<h2>Attribution<\/h2>\n<p><span lang=\"EN-US\">In August 2021, the Israeli victim above that operates an insurance marketplace was attacked by Ballistic Bobcat with the tools <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa21-321a\">CISA reported in November 2021<\/a>. 
The indicators of compromise we observed are:<\/span><\/p>\n<ul>\n<li><span><span lang=\"EN-US\">MicrosoftOutlookUpdateSchedule<\/span><\/span><span lang=\"EN-US\">,<\/span><\/li>\n<li><span><span lang=\"EN-US\">MicrosoftOutlookUpdateSchedule.xml<\/span><\/span><span lang=\"EN-US\">,<\/span><\/li>\n<li><span><span lang=\"EN-US\">GoogleChangeManagement<\/span><\/span><span lang=\"EN-US\">, and<\/span><\/li>\n<li><span><span lang=\"EN-US\">GoogleChangeManagement.xml<\/span><\/span><span lang=\"EN-US\">.<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">Ballistic Bobcat tools communicated with the same command and control (C&amp;C) server as in the CISA report: <\/span><span><span lang=\"EN-US\">162.55.137[.]20<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<p><span lang=\"EN-US\">Then, in September 2021, the same victim received the next generation of Ballistic Bobcat tools: the <a href=\"https:\/\/www.cybereason.com\/blog\/research\/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage\">PowerLess backdoor<\/a> and its supporting toolset. The indicators of compromise we observed were:<\/span><\/p>\n<ul>\n<li><span><span lang=\"EN-US\">http:\/\/162.55.137[.]20\/gsdhdDdfgA5sS\/ff\/dll.dll<\/span><\/span><span lang=\"EN-US\">,<\/span><\/li>\n<li><span><span lang=\"EN-US\">windowsprocesses.exe<\/span><\/span><span lang=\"EN-US\">, and<\/span><\/li>\n<li><span><span lang=\"EN-US\">http:\/\/162.55.137[.]20\/gsdhdDdfgA5sS\/ff\/windowsprocesses.exe<\/span><\/span><span lang=\"EN-US\">.<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">On November 18<sup>th<\/sup>, 2021, the group then deployed another tool (<a href=\"https:\/\/documentation.help\/PuTTY\/plink-usage.html\">Plink<\/a>) that was covered in the CISA report, as <\/span><span><span lang=\"EN-US\">MicrosoftOutLookUpdater.exe<\/span><\/span><span lang=\"EN-US\">. 
Ten days later, on November 28<sup>th<\/sup>, 2021, Ballistic Bobcat deployed the <a href=\"https:\/\/github.com\/Ne0nd0g\/merlin-agent\">Merlin agent<\/a> (the agent portion of an <a href=\"https:\/\/github.com\/Ne0nd0g\/merlin\">open-source post-exploitation C&amp;C server and agent written in Go<\/a>). On disk, this Merlin agent was named <\/span><span><span lang=\"EN-US\">googleUpdate.exe<\/span><\/span><span lang=\"EN-US\">, using the same naming convention as described in the CISA report to hide in plain sight.<\/span><\/p>\n<p><span lang=\"EN-US\">The Merlin agent executed a Meterpreter reverse shell that called back to a new C&amp;C server, <\/span><span><span lang=\"EN-US\">37.120.222[.]168:80<\/span><\/span><span lang=\"EN-US\">. On December 12<sup>th<\/sup>, 2021, the reverse shell dropped a batch file, <\/span><span><span lang=\"EN-US\">install.bat<\/span><\/span><span lang=\"EN-US\">, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor. This would turn out to be the third version of the backdoor.<\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Technical analysis<\/span><\/h2>\n<h3><a><\/a><span lang=\"EN-US\">Initial access<\/span><\/h3>\n<p><span lang=\"EN-US\">We were able to identify a likely means of initial access for 23 of the 34 victims that we observed in ESET telemetry. 
Similar to what was reported in the <a href=\"https:\/\/www.cybereason.com\/blog\/research\/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage\">PowerLess<\/a> and <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa21-321a\">CISA<\/a> reports, Ballistic Bobcat probably exploited a known vulnerability, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-26855\">CVE-2021-26855<\/a>, in Microsoft Exchange servers to gain a foothold on these systems.<\/span><\/p>\n<p><span lang=\"EN-US\">For 16 of the 34 victims, it appears Ballistic Bobcat was not the only threat actor with access to their systems. This may indicate, along with the wide variety of victims and the apparent lack of obvious intelligence value of a few victims, that Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims.<\/span><\/p>\n<h3><a><\/a><span lang=\"EN-US\">Toolset<\/span><\/h3>\n<h4><span lang=\"EN-US\">Open-source tools<\/span><\/h4>\n<p><span lang=\"EN-US\">Ballistic Bobcat employed a number of open-source tools during the Sponsoring Access campaign. Those tools and their functions are listed in <\/span><span lang=\"EN-US\">Table <span>2<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<p><em><a><\/a><span lang=\"EN-US\">Table <\/span><span lang=\"EN-US\">2<\/span><\/em><span lang=\"EN-US\"><em>. 
Open-source tools used by Ballistic Bobcat<\/em><\/span><\/p>\n<p><span lang=\"EN-US\"><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td width=\"170\">\n<p><strong><span lang=\"EN-US\">Filename<\/span><\/strong><\/p>\n<\/td>\n<td width=\"451\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">host2ip.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\">Maps a <a href=\"https:\/\/github.com\/IHosseini083\/Host2IP\"><span>hostname to an IP address<\/span><\/a> within the local network.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">CSRSS.EXE<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/github.com\/kost\/revsocks\">RevSocks<\/a>, a reverse tunnel application.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">mi.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\">Mimikatz, with an original filename of <\/span><span><span lang=\"EN-US\">midongle.exe<\/span><\/span><span lang=\"EN-US\"> and packed with the <a href=\"http:\/\/adn.bioinfo.uqam.ca\/armadillo\/index.html\">Armadillo PE packer<\/a>.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">gost.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\">GO Simple Tunnel (<a href=\"https:\/\/github.com\/ginuerzh\/gost\">GOST<\/a>), a tunneling application written in Go.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
width=\"170\">\n<p><span><span lang=\"EN-US\">chisel.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/github.com\/jpillora\/chisel\">Chisel<\/a>, a TCP\/UDP tunnel transported over HTTP and secured with SSH.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">csrss_protected.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\">RevSocks tunnel, protected with the trial version of the <a href=\"https:\/\/enigmaprotector.com\/\">Enigma Protector software protection<\/a>.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">plink.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/documentation.help\/PuTTY\/plink-usage.html\">Plink<\/a> (PuTTY Link), a command line connection tool.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">WebBrowserPassView.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\">A <a href=\"https:\/\/www.nirsoft.net\/utils\/web_browser_password.html\">password recovery tool<\/a> for passwords stored in web browsers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p><span><span lang=\"EN-US\">sqlextractor.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\">A <a href=\"https:\/\/github.com\/chop-dbhi\/sql-extractor\">tool<\/a> for interacting with, and extracting data from, SQL databases.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
width=\"170\">\n<p><span><span lang=\"EN-US\">procdump64.exe<\/span><\/span><\/p>\n<\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procdump\">ProcDump<\/a>, a Sysinternals command line utility for monitoring applications and generating crash dumps; in intrusions it is commonly abused to dump LSASS process memory for offline credential extraction.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/p>\n<h4><span lang=\"EN-US\">Batch files<\/span><\/h4>\n<p><span lang=\"EN-US\">Ballistic Bobcat deployed batch files to victims\u2019 systems moments before deploying the Sponsor backdoor. File paths we are aware of are:<\/span><\/p>\n<ul>\n<li><span><span lang=\"EN-US\">C:\\inetpub\\wwwroot\\aspnet_client\\Install.bat<\/span><\/span><\/li>\n<li><span><span lang=\"EN-US\">%USERPROFILE%\\Desktop\\Install.bat<\/span><\/span><\/li>\n<li><span><span lang=\"EN-US\">%WINDOWS%\\Tasks\\Install.bat<\/span><\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">Unfortunately, we were unable to obtain any of these batch files. However, we believe they write innocuous configuration files to disk, which the Sponsor backdoor requires to function fully. 
These configuration filenames were taken from the Sponsor backdoors but were never collected:<\/span><\/p>\n<ul>\n<li><span><span lang=\"EN-US\">config.txt<\/span><\/span><\/li>\n<li><span><span lang=\"EN-US\">node.txt<\/span><\/span><\/li>\n<li><span><span lang=\"EN-US\">error.txt<\/span><\/span><\/li>\n<li><span><span lang=\"EN-US\">Uninstall.bat<\/span><\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">We believe that the batch files and configuration files are part of the modular development process that Ballistic Bobcat has favored over the past few years.<\/span><\/p>\n<h4><span lang=\"EN-US\">Sponsor backdoor<\/span><\/h4>\n<p><span lang=\"EN-US\">Sponsor backdoors are written in C++ with compilation timestamps and Program Database (PDB) paths as shown in <\/span><span lang=\"EN-US\">Table <span>3<\/span><\/span><span lang=\"EN-US\">. A note on version numbers: the column <\/span><span><span lang=\"EN-US\">Version <\/span><\/span><span lang=\"EN-US\">represents the version that we track internally based on the linear progression of Sponsor backdoors where changes are made from one version to the next. The <\/span><span><span lang=\"EN-US\">Internal version<\/span><\/span><span lang=\"EN-US\"> column contains the version numbers observed in each Sponsor backdoor and are included for ease of comparison when examining these and other potential Sponsor samples.<\/span><\/p>\n<p><em>Table 3. 
Sponsor compilation timestamps and PDBs<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"624\">\n<tbody>\n<tr>\n<td width=\"60\">\n<p><strong><span lang=\"EN-US\">Version<\/span><\/strong><\/p>\n<\/td>\n<td width=\"63\">\n<p><strong><span lang=\"EN-US\">Internal version<\/span><\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">Compilation timestamp<\/span><\/strong><\/p>\n<\/td>\n<td width=\"350\">\n<p><strong><span lang=\"EN-US\">PDB<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">1<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.0.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2021-08-29 09:12:51<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span><span lang=\"EN-US\">D:\\Temp\\BD_Plus_Srvc\\Release\\BD_Plus_Srvc.pdb<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">2<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.0.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2021-10-09 12:39:15<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span><span lang=\"EN-US\">D:\\Temp\\Sponsor\\Release\\Sponsor.pdb<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">3<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.4.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2021-11-24 11:51:55<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span><span lang=\"EN-US\">D:\\Temp\\Sponsor\\Release\\Sponsor.pdb<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">4<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">2.1.1<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2022-02-19 13:12:07<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span><span lang=\"EN-US\">D:\\Temp\\Sponsor\\Release\\Sponsor.pdb<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span 
lang=\"EN-US\">5<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.2.3.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2022-06-19 14:14:13<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span><span lang=\"EN-US\">D:\\Temp\\Alumina\\Release\\Alumina.pdb<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span lang=\"EN-US\">The initial execution of Sponsor requires the runtime argument <\/span><span><span lang=\"EN-US\">install<\/span><\/span><span lang=\"EN-US\">; without it, Sponsor exits gracefully, which is likely a simple anti-emulation\/anti-sandbox check. If the argument is present, Sponsor creates a service called <\/span><span><span lang=\"EN-US\">SystemNetwork<\/span><\/span><span lang=\"EN-US\"> (in <\/span><span><span lang=\"EN-US\">v1<\/span><\/span><span lang=\"EN-US\">) or <\/span><span><span lang=\"EN-US\">Update<\/span><\/span><span lang=\"EN-US\"> (in all later versions), sets its <\/span><span><span lang=\"EN-US\">Startup Type<\/span><\/span><span lang=\"EN-US\"> to <\/span><span><span lang=\"EN-US\">Automatic<\/span><\/span><span lang=\"EN-US\">, points the service at its own Sponsor executable, grants full access to the service, and then starts it.<\/span><\/p>\n<p><span lang=\"EN-US\">Sponsor, now running as a service, attempts to open the configuration files previously placed on disk. It looks for <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> and <\/span><span><span lang=\"EN-US\">node.txt<\/span><\/span><span lang=\"EN-US\">, both in the current working directory. 
If the first is missing, Sponsor sets the service to <\/span><span lang=\"EN-US\"><span>Stopped<\/span><\/span><span lang=\"EN-US\"> and gracefully exits.<\/span><\/p>\n<h5><span lang=\"EN-US\">Backdoor configuration<\/span><\/h5>\n<p><span lang=\"EN-US\">Sponsor\u2019s configuration, stored in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">, contains two fields:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\">An update interval, in seconds, to periodically contact the C&amp;C server for commands.<\/span><\/li>\n<li><span lang=\"EN-US\">A list of C&amp;C servers, referred to as <\/span><span><span lang=\"EN-US\">relays<\/span><\/span><span lang=\"EN-US\"> in Sponsor\u2019s binaries.<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">The C&amp;C servers are stored encrypted (RC4), and the decryption key is present in the first line of <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">. Each of the fields, including the decryption key, have the format shown in <\/span><span lang=\"EN-US\">Figure <span>3<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 3. Format of configuration fields in config.txt\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2.png\" title=\"Figure 3. Format of configuration fields in config.txt\" width=\"\"><figcaption><em>Figure 3. Format of configuration fields in<\/em><br \/>\n<span>config.txt<\/span><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">These subfields are:<\/span><\/p>\n<ul>\n<li><span><span lang=\"EN-US\">config_start<\/span><\/span><span lang=\"EN-US\">: indicates the length of <\/span><span><span lang=\"EN-US\">config_name<\/span><\/span><span lang=\"EN-US\">, if present, or zero, if not. 
Used by the backdoor to know where <\/span><span><span lang=\"EN-US\">config_data<\/span><\/span><span lang=\"EN-US\"> starts.<\/span><\/li>\n<li><span><span lang=\"EN-US\">config_len<\/span><\/span><span lang=\"EN-US\">: length of <\/span><span><span lang=\"EN-US\">config_data<\/span><\/span><span lang=\"EN-US\">.<\/span><\/li>\n<li><span><span lang=\"EN-US\">config_name<\/span><\/span><span lang=\"EN-US\">: optional, contains a name given to the configuration field.<\/span><\/li>\n<li><span><span lang=\"EN-US\">config_data<\/span><\/span><span lang=\"EN-US\">: the configuration itself, encrypted (in the case of C&amp;C servers) or not (all the other fields).<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">Figure <span>4<\/span><\/span><span lang=\"EN-US\"> shows an example with color-coded contents of a possible <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> file. Note that this is not an actual file we observed, but a fabricated example.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 4. Example of possible contents of config.txt\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2-3.png\" title=\"Figure 4. Example of possible contents of config.txt\" width=\"\"><figcaption><em>Figure 4. Example of possible contents of <\/em><span>config.txt<\/span><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">The last two fields in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> are encrypted with RC4. The RC4 key is not the decryption key from the first line itself, but the string representation of that key\u2019s SHA-256 hash, i.e., the digest rendered as text rather than its raw bytes. 
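<\/span><\/p>\n<p>The decoding just described, as an added example: the block below is illustration code written for this page, not code from the ESET report or recovered from a Sponsor sample. It derives the RC4 key as the text of the SHA-256 digest of the key on line one, splits each field into its config_start, config_len, config_name and config_data subfields, and decrypts the hex-encoded relay entries. Two points are assumed because the page does not specify them: that one field is serialized per line as the two decimal lengths, a space, and then the name immediately followed by the data, and that the key string is hashed as UTF-8. The sample config.txt is constructed inside the block, and the relay addresses are documentation ranges.<\/p>\n
```python
import hashlib

# Added example (not code from the ESET report or from Sponsor itself).
# Decodes a Sponsor-style config.txt as the page describes it:
#   - every field carries config_start (length of the optional config_name),
#     config_len (length of config_data), config_name and config_data;
#   - line 1 holds the key material, the next field the poll interval in
#     seconds, the remaining fields the C2 relays;
#   - relays are RC4-encrypted with the ASCII hex digest of SHA-256(key)
#     as the RC4 key, and the ciphertext is stored hex-encoded.
# ASSUMPTION: one field per line, serialized as
#   '<config_start> <config_len> <config_name><config_data>'
# with decimal ASCII lengths; the page does not spell out the byte layout.
# ASSUMPTION: the key string is hashed as UTF-8 bytes.


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (key scheduling + keystream); symmetric, so one function
    # both encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(config_key: str) -> bytes:
    # The RC4 key is the text of the SHA-256 digest (64 hex characters),
    # not the raw 32 digest bytes.
    return hashlib.sha256(config_key.encode('utf-8')).hexdigest().encode('ascii')


def parse_field(line: str) -> tuple:
    # Returns (config_name, config_data) for one serialized field and
    # rejects a field whose declared lengths overrun the line.
    start_str, len_str, rest = line.split(' ', 2)
    start, length = int(start_str), int(len_str)
    if start + length > len(rest):
        raise ValueError('truncated field: ' + line)
    return rest[:start], rest[start:start + length]


def parse_config(text: str) -> dict:
    # Field order follows the page: key, interval, then relays.
    fields = [parse_field(ln) for ln in text.splitlines() if ln.strip()]
    if len(fields) < 3:
        raise ValueError('config.txt needs key, interval and at least one relay')
    rc4_key = derive_rc4_key(fields[0][1])
    interval = int(fields[1][1])
    relays = [rc4(rc4_key, bytes.fromhex(data)).decode('ascii')
              for _name, data in fields[2:]]
    return {'interval': interval, 'relays': relays}


def build_field(name: str, data: str) -> str:
    return f'{len(name)} {len(data)} {name}{data}'


def build_config(key_str: str, interval: int, relays: list) -> str:
    # Writes a config.txt in the assumed layout; used here only to make a
    # constructed sample of what the dropper batch file would leave on disk.
    rc4_key = derive_rc4_key(key_str)
    lines = [build_field('', key_str), build_field('interval', str(interval))]
    for relay in relays:
        lines.append(build_field('relay', rc4(rc4_key, relay.encode('ascii')).hex()))
    return chr(10).join(lines)  # chr(10) is a newline


# Constructed sample (not a file ESET observed): two relays, hourly polling.
SAMPLE_CONFIG = build_config('example-key', 3600, ['192.0.2.10:443', '198.51.100.7:80'])


if __name__ == '__main__':
    print(SAMPLE_CONFIG)
    print(parse_config(SAMPLE_CONFIG))
```
\n<p>Running it prints the constructed file and then the decoded interval and relay list. An analyst holding a real config.txt would replace the sample with the file contents; if the on-disk layout turns out to differ from the assumed one, only parse_field needs to change, since the key derivation and the RC4 step follow the page directly.<\/p>\n<p><span lang=\"EN-US\">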
The encrypted bytes are stored hex-encoded as ASCII text.<\/span><\/p>\n<h5><span lang=\"EN-US\">Host information gathering<\/span><\/h5>\n<p><span lang=\"EN-US\">Sponsor gathers information about the host on which it is running, reports all of the gathered information to the C&amp;C server, and receives a node ID, which is written to <\/span><span><span lang=\"EN-US\">node.txt<\/span><\/span><span lang=\"EN-US\">. <\/span><span lang=\"EN-US\">Table <span>4<\/span><\/span><span lang=\"EN-US\"> lists the Windows registry keys and values that Sponsor reads to collect this information, with an example of the data collected.<\/span><\/p>\n<p><span lang=\"EN-US\"><em><span lang=\"EN-US\">Table 4. Information gathered by Sponsor<\/span><\/em><\/span><\/p>\n<p><span lang=\"EN-US\"><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<thead>\n<tr>\n<td width=\"318\">\n<p><strong><span lang=\"EN-US\">Registry key<\/span><\/strong><\/p>\n<\/td>\n<td width=\"144\">\n<p><strong><span lang=\"EN-US\">Value<\/span><\/strong><\/p>\n<\/td>\n<td width=\"159\">\n<p><strong><span lang=\"EN-US\">Example<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"318\">\n<p><span><span lang=\"EN-US\">HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters<\/span><\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span><span lang=\"EN-US\">Hostname<\/span><\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span><span lang=\"EN-US\">D-835MK12<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"318\">\n<p><span><span 
lang=\"EN-US\">HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTimeZoneInformation<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">TimeZoneKeyName<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">Israel Standard Time<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<\/tr>\n<tr>\n<td width=\"318\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">HKEY_USERS.DEFAULTControl PanelInternational<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">LocaleName<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">he-IL<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<\/tr>\n<tr>\n<td width=\"318\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemBIOS<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">BaseBoardProduct<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">10NX0010IL<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<\/tr>\n<tr>\n<td width=\"318\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor\u0000<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span 
lang=\"EN-US\">ProcessorNameString<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"PL\">Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"318\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">ProductName<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">Windows 10 Enterprise N<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">CurrentVersion<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">6.3<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">CurrentBuildNumber<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">19044<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<\/tr>\n<tr>\n<td width=\"144\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">InstallationType<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"159\">\n<p><span><span lang=\"EN-US\">Client<\/span><\/span><\/p>\n<p><code><br 
\/>\n<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/p>\n<p><span lang=\"EN-US\">Sponsor also collects the host\u2019s Windows domain by using the following <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/wmisdk\/wmic\">WMIC<\/a> command:<\/span><\/p>\n<p><span><span lang=\"EN-US\">wmic computersystem get domain<\/span><\/span><\/p>\n<p><span lang=\"EN-US\">Lastly, Sponsor uses Windows APIs to collect the current username (<\/span><span><span lang=\"EN-US\">GetUserNameW<\/span><\/span><span lang=\"EN-US\">), determine if the current Sponsor process is running as a 32- or 64-bit application (<\/span><span><span lang=\"EN-US\">GetCurrentProcess<\/span><\/span><span lang=\"EN-US\">, then <\/span><span><span lang=\"EN-US\">IsWow64Process(CurrentProcess)<\/span><\/span><span lang=\"EN-US\">), and determines whether the system is running on battery power or connected to an AC or DC power source (<\/span><span><span lang=\"EN-US\">GetSystemPowerStatus<\/span><\/span><span lang=\"EN-US\">).<\/span><\/p>\n<p><span lang=\"EN-US\">One oddity regarding the 32- or 64-bit application check is that all observed samples of Sponsor were 32-bit. This could mean that some of the next stage tools require this information.<\/span><\/p>\n<p><span lang=\"EN-US\">The collected information is sent in a base64-encoded message that, before encoding, starts with <\/span><span><br \/>\n<span lang=\"EN-US\">r<\/span><\/span><span lang=\"EN-US\"> and has the format shown in <\/span><span lang=\"EN-US\">Figure <span>5<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 5. Format of the message sent by Sponsor to register the victimized computer\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2-3-4.png\" title=\"Figure 5. Format of the message sent by Sponsor to register the victimized computer\" width=\"\"><figcaption><em>Figure 5. 
Format of the message sent by Sponsor to register the victimized computer<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">The information is encrypted with RC4, and the encryption key is a random number generated on the spot. The key is hashed with the MD5 algorithm, not SHA-256 as previously mentioned. This is the case for all communications where Sponsor has to send encrypted data.<\/span><\/p>\n<p><span lang=\"EN-US\">The C&amp;C server replies with a number used to identify the victimized computer in later communications, which is written to <\/span><span><span lang=\"EN-US\">node.txt<\/span><\/span><span lang=\"EN-US\">. Note that the C&amp;C server is randomly chosen from the list when the <\/span><span><span lang=\"EN-US\">r<\/span><\/span><span lang=\"EN-US\"> message is sent, and the same server is used in all subsequent communications.<\/span><\/p>\n<h5><span lang=\"EN-US\">Command processing loop<\/span><\/h5>\n<p><span lang=\"EN-US\">Sponsor requests commands in a loop, sleeping according to the interval defined in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">. 
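<\/span><\/p>\n<p><span lang=\"EN-US\">Because the interval is fixed in config.txt and the server chosen at registration is reused for every later request on port 80, the check-ins form a regular beacon that stands out in flow or proxy logs. The following Python is an added example written for this page, not code from ESET or from the Sponsor sample: it runs a simple inter-arrival-time beacon detector over constructed flow records, one host polling the C&amp;C address from this article's IoCs (defanged) roughly every 300 seconds and one host browsing an unrelated server. The internal hosts, timestamps, the 203.0.113[.]7 address and the thresholds are constructed or illustrative values.<\/span><\/p>\n

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_flows():
    # Constructed sample flow records, not from any real capture:
    # (timestamp, source IP, destination IP, destination port).
    base = datetime(2021, 12, 1, 9, 0, 0)
    flows = []
    # Host A checks in about every 300 s with a few seconds of jitter, on port 80,
    # to the Sponsor C&C listed in this article's IoCs (kept defanged).
    jitter = [0, 4, -3, 6, -2, 5, -5, 3, -1, 2, 0, -4]
    for k, j in enumerate(jitter):
        flows.append((base + timedelta(seconds=300 * k + j), '10.1.1.25', '37.120.222[.]168', 80))
    # Host B browses an unrelated site (TEST-NET-3 address) at irregular intervals.
    for sec in [0, 7, 9, 130, 131, 900, 1800, 1803, 2500, 4000]:
        flows.append((base + timedelta(seconds=sec), '10.1.1.40', '203.0.113[.]7', 80))
    return flows


def find_beacons(flows, port=80, min_events=8, max_cv=0.15):
    # Group connections by (src, dst, port), then flag pairs whose inter-arrival
    # times are numerous and nearly constant. max_cv (std dev divided by mean)
    # leaves room for the randomized sleep the n command adds.
    series = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            series[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                'src': src, 'dst': dst, 'port': dport,
                'events': len(times), 'interval_s': round(mean), 'cv': round(cv, 3),
            })
    return hits


if __name__ == '__main__':
    for hit in find_beacons(constructed_flows()):
        print('possible beacon:', hit)
```

<p><span lang=\"EN-US\">The n command adds a randomized sleep, so the gaps are never perfectly equal; max_cv bounds the tolerated spread relative to the mean interval. On real data, feed NetFlow or proxy records with the same four fields, raise min_events on noisy networks, and compare the flagged destination and interval with the values recovered from the host's config.txt.<\/span><\/p>\n<p><span lang=\"EN-US\">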
The steps are:<\/span><\/p>\n<ol>\n<li><span lang=\"EN-US\">Send a <\/span><span><span lang=\"EN-US\">chk=Test<\/span><\/span><span lang=\"EN-US\"> message repeatedly, until the C&amp;C server replies <\/span><span><span lang=\"EN-US\">Ok<\/span><\/span><span lang=\"EN-US\">.<\/span><\/li>\n<li><span lang=\"EN-US\">Send a <\/span><span><span lang=\"EN-US\">c<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">IS_CMD_AVAIL<\/span><\/span><span lang=\"EN-US\">) message to the C&amp;C server, and receive an operator command.<\/span><\/li>\n<li><span lang=\"EN-US\">Process the command.<\/span>\n<ul>\n<li><span lang=\"EN-US\">If there is output to be sent to the C&amp;C server, send an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">ACK<\/span><\/span><span lang=\"EN-US\">) message, including the output (encrypted), or<\/span><\/li>\n<li><span lang=\"EN-US\">If execution failed, send an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"><code> (<\/code><\/span><span><span lang=\"EN-US\">FAILED<\/span><\/span><span lang=\"EN-US\">) message. The error message is not sent.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span lang=\"EN-US\">Sleep.<\/span><\/li>\n<\/ol>\n<p><span lang=\"EN-US\">The <\/span><span><span lang=\"EN-US\">c<\/span><\/span><span lang=\"EN-US\"> message is sent to request a command to execute, and has the format (before base64 encoding) shown in <\/span><span lang=\"EN-US\">Figure <span>6<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 6. Format of the message sent by Sponsor to ask for commands to execute\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2-3-4-5.png\" title=\"Figure 6. Format of the message sent by Sponsor to ask for commands to execute\" width=\"\"><figcaption><em>Figure 6. 
Format of the message sent by Sponsor to ask for commands to execute<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">The <\/span><span><span lang=\"EN-US\">encrypted_none<\/span><\/span><span lang=\"EN-US\"> field in the figure is the result of encrypting the hardcoded string <\/span><span><span lang=\"EN-US\">None<\/span><\/span><span lang=\"EN-US\"> with RC4. The key for encryption is the MD5 hash of <\/span><span><span lang=\"EN-US\">node_id<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<p><span lang=\"EN-US\">The URL used to contact the C&amp;C server is built as: <span>http:\/\/&lt;IP_or_domain&gt;:80<\/span>. This may indicate that <span>37.120.222[.]168:80<\/span> is the only C&amp;C server used throughout the Sponsoring Access campaign, as it was the only IP address we observed victim machines reaching out to on port 80.<\/span><\/p>\n<h5><span lang=\"EN-US\">Operator commands<\/span><\/h5>\n<p><span lang=\"EN-US\">Operator commands are delineated in <\/span><span lang=\"EN-US\">Table <span>5<\/span><\/span><span lang=\"EN-US\"> and appear in the order in which they are found in the code. Communication with the C&amp;C server occurs over port 80.<\/span><\/p>\n<p><span lang=\"EN-US\"><em>Table 5. 
Operator commands and descriptions<\/em><\/span><\/p>\n<p><span lang=\"EN-US\"><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"622\">\n<tbody>\n<tr>\n<td width=\"76\">\n<p><strong><span lang=\"EN-US\">Command<\/span><\/strong><\/p>\n<\/td>\n<td width=\"546\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">p<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Sends the process ID of the running Sponsor process.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">e<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Executes a command, supplied as an additional argument, on the Sponsor host using the following command line:<\/span><\/p>\n<p><span><span lang=\"EN-US\">c:\\windows\\system32\\cmd.exe \/c &lt;cmd&gt; &gt; result.txt 2&gt;&amp;1<\/span><\/span><\/p>\n<p><span lang=\"EN-US\">Results are stored in <\/span><span><span lang=\"EN-US\">result.txt<\/span><\/span><span lang=\"EN-US\"> in the current working directory. Sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the encrypted output to the C&amp;C server if successfully executed. If failed, sends an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message (without specifying the error).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">d<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Receives a file from the C&amp;C server and executes it. 
This command has many arguments: the target filename to write the file into, the MD5 hash of the file, a directory to write the file to (or the current working directory, by default), a Boolean to indicate whether to run the file or not, and the contents of the executable file, base64-encoded. If no errors occur, an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message is sent to the C&amp;C server with <\/span><span><span lang=\"EN-US\">Upload and execute file successfully<\/span><\/span><span lang=\"EN-US\"> or <\/span><span><span lang=\"EN-US\">Upload file successfully without execute<\/span><\/span><span lang=\"EN-US\"> (encrypted). If errors occur during execution of the file, an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message is sent. If the MD5 hash of the contents of the file does not match the provided hash, an <\/span><span><span lang=\"EN-US\">e<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">CRC_ERROR<\/span><\/span><span lang=\"EN-US\">) message is sent to the C&amp;C server (including only the encryption key used, and no other information). The use of the term <\/span><span><span lang=\"EN-US\">Upload<\/span><\/span><span lang=\"EN-US\"> here is potentially confusing as the Ballistic Bobcat operators and coders take the point of view from the server side, whereas many might view this as a download based on the pulling of the file (i.e., downloading it) by the system using the Sponsor backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">u<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Attempts to download a file using the <\/span><span><span lang=\"EN-US\">URLDownloadFileW<\/span><\/span><span lang=\"EN-US\"> Windows API and execute it. 
Success sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the encryption key used, and no other information. Failure sends an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message with a similar structure. <\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">s<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Executes a file already on disk, <\/span><span><span lang=\"EN-US\">Uninstall.bat<\/span><\/span><span lang=\"EN-US\"> in the current working directory, that most likely contains commands to delete files related to the backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">n<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">This command can be explicitly supplied by an operator or can be inferred by Sponsor as the command to execute in the absence of any other command. Referred to within Sponsor as <\/span><span><span lang=\"EN-US\">NO_CMD<\/span><\/span><span lang=\"EN-US\">, it executes a randomized sleep before checking back in with the C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">b<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Updates the list of C&amp;Cs stored in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> in the current working directory. The new C&amp;C addresses replace the previous ones; they are not added to the list. 
It sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with <\/span><br \/><span><span lang=\"EN-US\">New relays replaced successfully<\/span><\/span><span lang=\"EN-US\"> (encrypted) to the C&amp;C server if successfully updated.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">i<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Updates the predetermined check-in interval specified in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">. It sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with <\/span><span><span lang=\"EN-US\">New interval replaced successfully<\/span><\/span><span lang=\"EN-US\"> to the C&amp;C server if successfully updated.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/p>\n<h5><span lang=\"EN-US\">Updates to Sponsor<\/span><\/h5>\n<p><span lang=\"EN-US\">Ballistic Bobcat coders made code revisions between Sponsor v1 and v2. The two most significant changes in the latter are:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\">Optimization of code where several longer functions were minimized into functions and subfunctions, and<\/span><\/li>\n<li><span lang=\"EN-US\">Disguising Sponsor as an updater program by including the following message in the service configuration:<\/span><\/li>\n<\/ul>\n<p><span><span lang=\"EN-US\">App updates are great for both app users and apps \u2013 updates mean that developers are always working on improving the app, keeping in mind a better customer experience with each update.<\/span><\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Network infrastructure<\/span><\/h2>\n<p><span lang=\"EN-US\">In addition to piggybacking on the C&amp;C infrastructure used in the PowerLess campaign, Ballistic Bobcat also introduced a new C&amp;C server. 
The group also utilized multiple IPs to store and deliver support tools during the Sponsoring Access campaign. We have confirmed that none of these IPs are in operation at this time.<\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Conclusion<\/span><\/h2>\n<p><span lang=\"EN-US\">Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations.<\/span><\/p>\n<blockquote>\n<p>For any inquiries about our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.<br \/>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\">ESET Threat Intelligence<\/a> page.<\/p>\n<\/blockquote>\n<h2><a><\/a><span lang=\"EN-US\">IoCs<\/span><\/h2>\n<h3><span lang=\"EN-US\">Files<\/span><\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"622\">\n<tbody>\n<tr>\n<td width=\"179\">\n<p><strong><span lang=\"EN-US\">SHA-1<\/span><\/strong><\/p>\n<\/td>\n<td width=\"76\">\n<p><strong><span lang=\"EN-US\">Filename<\/span><\/strong><\/p>\n<\/td>\n<td width=\"161\">\n<p><strong><span lang=\"EN-US\">Detection<\/span><\/strong><\/p>\n<\/td>\n<td width=\"206\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">098B9A6CE722311553E1D8AC5849BA1DC5834C52<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v1).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">5AEE3C957056A8640041ABC108D0B8A3D7A02EBD<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v2).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span 
lang=\"EN-US\">764EB6CA3752576C182FC19CFF3E86C38DD51475<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v3).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">2F3EDA9D788A35F4C467B63860E73C3B010529CC<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v4).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">E443DC53284537513C00818392E569C79328F56F<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v5, aka Alumina).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">C4BC1A5A02F8AC3CF642880DC1FC3B1E46E4DA61<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">WinGo\/Agent.BT<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">RevSocks reverse tunnel.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">39AE8BA8C5280A09BA638DF4C9D64AC0F3F706B6<\/span><\/span><\/p>\n<p><code><br 
\/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">clean<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">ProcDump, a command line utility for monitoring applications and generating crash dumps.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">A200BE662CDC0ECE2A2C8FC4DBBC8C574D31848A<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Generik.EYWYQYF<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Mimikatz.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">5D60C8507AC9B840A13FFDF19E3315A3E14DE66A<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">WinGo\/Riskware.Gost.D<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">GO Simple Tunnel (GOST).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">50CFB3CF1A0FE5EC2264ACE53F96FADFE99CC617<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">WinGo\/HackTool.Chisel.A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Chisel reverse tunnel.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">1AAE62ACEE3C04A6728F9EDC3756FABD6E342252<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span 
lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Host2IP discovery tool.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">519CA93366F1B1D71052C6CE140F5C80CE885181<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win64\/Packed.Enigma.BV<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">RevSocks tunnel, protected with the trial version of the Enigma Protector software protection.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">4709827C7A95012AB970BF651ED5183083366C79<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Plink (PuTTY Link), a command line connection tool.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">99C7B5827DF89B4FAFC2B565ABED97C58A3C65B8<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/PSWTool.WebBrowserPassView.I<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">A password recovery tool for passwords stored in web browsers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">E52AA118A59502790A4DD6625854BD93C0DEAF27<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"76\">\n<p><span 
lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">MSIL\/HackTool.SQLDump.A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">A tool for interacting with, and extracting data from, SQL databases.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span lang=\"EN-US\"><br \/>\n<\/span><\/p>\n<h3><span><span lang=\"EN-US\">File paths<\/span><\/span><\/h3>\n<p><span lang=\"EN-US\">The following is a list of paths where the Sponsor backdoor was deployed on victimized machines.<\/span><\/p>\n<p><span><span lang=\"EN-US\">%SYSTEMDRIVE%inetpubwwwrootaspnet_client<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%AppDataLocalTempfile<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%AppDataLocalTemp2low<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%Desktop<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%Downloadsa<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%INFMSExchange Delivery DSN<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%Tasks<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%Temp%WINDIR%Tempcrashpad1Files<\/span><\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Network<\/span><\/h2>\n<p><span><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<tbody>\n<tr>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">IP<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Provider<\/span><\/strong><\/p>\n<\/td>\n<td width=\"95\">\n<p><strong><span lang=\"EN-US\">First seen<\/span><\/strong><\/p>\n<\/td>\n<td width=\"94\">\n<p><strong><span lang=\"EN-US\">Last seen<\/span><\/strong><\/p>\n<\/td>\n<td width=\"189\">\n<p><strong><span lang=\"EN-US\">Details<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">162.55.137[.]20<\/span><\/span><\/p>\n<\/td>\n<td 
width=\"113\">\n<p><span lang=\"EN-US\">Hetzner Online GMBH<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-06-14<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-06-15<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">PowerLess C&amp;C.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">37.120.222[.]168<\/span><\/span><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\">M247 LTD<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-11-28<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-12-12<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">Sponsor C&amp;C.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">198.144.189[.]74<\/span><\/span><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\">Colocrossing<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-11-29<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-11-29<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">Support tools download site.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">5.255.97[.]172<\/span><\/span><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\">The Infrastructure Group B.V.<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-09-05<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-10-28<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">Support tools download site.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><span lang=\"EN-US\"><br \/>\n<\/span><a><\/a><\/p>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p><span lang=\"EN-US\">This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 13<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/span><\/p>\n<div>\n<table border=\"1\" 
cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<thead>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Tactic<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">ID<\/span><\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">Name<\/span><\/strong><\/p>\n<\/td>\n<td width=\"265\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Reconnaissance<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1595\/\"><em>T1595<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Active Scanning: Vulnerability Scanning<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat scans for vulnerable versions of Microsoft Exchange Servers to exploit.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Resource Development<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1587\/001\/\"><em><span>T1587.001<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Develop Capabilities: Malware<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat designed and coded the Sponsor backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1588\/002\/\"><em><span>T1588.002<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Obtain Capabilities: Tool<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat uses various open-source tools as part of the Sponsoring Access campaign.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
width=\"113\">\n<p><strong><span lang=\"EN-US\">Initial Access<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1190\/\"><em><span>T1190<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Exploit Public-Facing Application<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat targets internet-exposed <span><br \/>\n<\/span>Microsoft Exchange Servers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Execution<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1059\/003\/\"><em><span>T1059.003<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Command and Scripting Interpreter: Windows Command Shell<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">The Sponsor backdoor uses the Windows command shell to execute commands on the victim\u2019s system.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1569\/002\/\"><em><span>T1569.002<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">System Services: Service Execution<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">The Sponsor backdoor sets itself as a service and initiates its primary functions after the service is executed.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Persistence<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1543\/003\/\"><em>T1543.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Create or Modify System Process: Windows 
Service<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Sponsor maintains persistence by creating a service with automatic startup that executes its primary functions in a loop.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Privilege Escalation<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1078\/003\/\"><em>T1078.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Valid Accounts: Local Accounts<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat operators attempt to steal credentials of valid users after initially exploiting a system before deploying the Sponsor backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Defense Evasion<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1140\/\"><em>T1140<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Deobfuscate\/Decode Files or Information<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Sponsor stores information on disk that is encrypted and obfuscated, and deobfuscates it at runtime.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1027\/\"><em>T1027<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Obfuscated Files or Information<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Configuration files that the Sponsor backdoor requires on disk are encrypted and obfuscated.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1078\/003\/\"><em>T1078.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Valid Accounts: Local Accounts<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Sponsor is executed with admin privileges, likely using credentials that operators found on disk; along with Ballistic Bobcat\u2019s innocuous naming conventions, this allows Sponsor to blend into the background.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Credential Access<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1555\/003\/\"><em>T1555.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Credentials from Password Stores: Credentials from Web Browsers<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat operators use open-source tools to steal credentials from password stores inside web browsers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Discovery<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1018\/\"><em>T1018<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Remote System Discovery<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat uses the Host2IP tool, previously used by Agrius, to discover other systems within reachable networks and correlate their hostnames and IP addresses.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Command and Control<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1001\/\"><em>T1001<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span 
lang=\"EN-US\">Data Obfuscation<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">The Sponsor backdoor obfuscates data before sending it to the C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"296\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/12\/eset-threat-intelligence.png\" width=\"915\"><\/a><\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET Research uncovers the Sponsoring Access campaign, which utilizes an undocumented Ballistic Bobcat backdoor we have named 
Sponsor<\/p>\n","protected":false},"author":5,"featured_media":8458,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-8457","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8457"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8457\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8458"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
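As an added, runnable example (not ESET's code and not part of the original post), the script below takes the three Sponsoring Access network indicators listed in the network table above, refangs them, and checks proxy log lines against them, reporting whether each hit falls inside the first-seen/last-seen window ESET reports for that indicator. The log lines and the log format ("timestamp source destination:port URL") are constructed for the example and are assumptions, as is the choice to treat the date window as a confidence signal rather than a filter: hosting providers reuse address space, and the page records only when ESET observed the infrastructure, so a hit outside the window should be verified rather than discarded. The address regex deliberately refuses to match an indicator embedded in a longer dotted quad (137.120.222.168 must not count as 37.120.222.168), which a plain substring search on the refanged value would get wrong.

```python
"""Match the defanged network indicators published for the Sponsoring Access
campaign against proxy log lines, flagging hits inside/outside the observed window."""
import ipaddress
import re
from datetime import date, datetime

# Indicators copied from the network table on the page, defanged as published:
# (IP, hosting provider, first seen, last seen, details).
SPONSOR_IOCS = [
    ("37.120.222[.]168", "M247 LTD", "2021-11-28", "2021-12-12", "Sponsor C&C"),
    ("198.144.189[.]74", "Colocrossing", "2021-11-29", "2021-11-29", "Support tools download site"),
    ("5.255.97[.]172", "The Infrastructure Group B.V.", "2021-09-05", "2021-10-28", "Support tools download site"),
]

# Constructed sample proxy log (not from the page): "<UTC timestamp> <src> <dst:port> <url>".
# The last line is there to show that a naive substring search would wrongly hit 137.120.222.168.
SAMPLE_LOG = """\
2021-12-01T10:14:03Z 10.0.0.15 37.120.222.168:443 https://37.120.222.168/
2021-12-01T10:14:09Z 10.0.0.15 93.184.216.34:443 https://example.com/
2021-11-29T08:02:51Z 10.0.0.22 198.144.189.74:80 http://198.144.189.74/tools.zip
2022-03-14T17:45:00Z 10.0.0.31 5.255.97.172:443 https://5.255.97.172/
2021-12-02T09:00:00Z 10.0.0.40 137.120.222.168:443 https://137.120.222.168/
"""

# Match a dotted quad only when it is not embedded in a longer dotted/numeric run.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def refang(indicator: str) -> str:
    """Undo the usual publication defanging ([.] and hxxp) so the value can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(rows):
    """Build {IPv4Address: metadata} from the table rows; a malformed address raises ValueError."""
    iocs = {}
    for ip, provider, first_seen, last_seen, details in rows:
        iocs[ipaddress.ip_address(refang(ip))] = {
            "provider": provider,
            "first_seen": date.fromisoformat(first_seen),
            "last_seen": date.fromisoformat(last_seen),
            "details": details,
        }
    return iocs


def extract_ips(line: str):
    """Return the distinct valid IPv4 addresses in a log line, in order of appearance."""
    found = []
    for m in IP_RE.finditer(line):
        try:
            found.append(ipaddress.ip_address(m.group(1)))
        except ValueError:  # e.g. 999.1.1.1 looks like a quad but is not an address
            continue
    return list(dict.fromkeys(found))


def scan_log(log_text: str, iocs):
    """Return one hit per (line, indicator). in_window says whether the event date falls
    within the first-seen/last-seen range reported for that indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        event_date = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").date()
        for addr in extract_ips(line):
            info = iocs.get(addr)
            if info is None:
                continue
            hits.append({
                "line": lineno,
                "ip": str(addr),
                "details": info["details"],
                "in_window": info["first_seen"] <= event_date <= info["last_seen"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_iocs(SPONSOR_IOCS)):
        confidence = "inside observed window" if hit["in_window"] else "outside observed window, verify"
        print(f"line {hit['line']}: {hit['ip']} ({hit['details']}) - {confidence}")
```

Run as-is, the script reports lines 1 and 3 as hits inside the observed window and line 4 (5.255.97.172 contacted in March 2022) as a hit outside it; line 5 produces no hit despite containing the digits of the first indicator. To use it against real data, replace SAMPLE_LOG with the exported proxy or firewall log and extend SPONSOR_IOCS with the remaining rows of the table.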