Threats Feed | Ballistic Bobcat | Last Updated: 18/09/2023 | Author: Certfa Radar | Publish Date: 11/09/2023

Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations

  • Actor Motivations: Espionage
  • Attack Vectors: Vulnerability Exploitation, Backdoor
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The Ballistic Bobcat threat group (aka Charming Kitten) exploited known vulnerabilities in Microsoft Exchange servers, particularly CVE-2021-26855, to gain initial access to 34 organizations, primarily located in Israel. The group deployed a backdoor known as Sponsor and relied on a modular approach that split functionality across configuration files and batch files to evade detection. The group also used a range of open-source tools for activities such as tunneling and credential dumping. Victims span diverse sectors and appear to have been selected opportunistically rather than specifically targeted. Two victims were identified outside Israel, in Brazil and the UAE: a healthcare organization and an unidentified organization.

Detected Targets

Type | Description | Confidence
Sector | Civil Engineering | Verified
Sector | Financial | Verified
Sector | Information Technology | Verified
Sector | Insurance | Verified
Sector | Manufacturing | Verified
Sector | Medical | Verified
Sector | Retail | Verified
Sector | Healthcare | Verified
Sector | Media | Verified
Sector | Telecommunication | Verified
Region | Brazil | Verified
Region | Israel | Verified
Region | United Arab Emirates | Verified

Extracted IOCs


Tip: 19 IOCs related to this threat have been found (4 IP addresses, 0 domains, 0 URLs, 0 email addresses, 15 file hashes).

Overlaps

Agrius | Fantasy Wiper: Agrius APT's Latest Tool in Destructive Supply-Chain Cyberattacks

Source: ESET - December 2022

Detection (one case): 1aae62acee3c04a6728f9edc3756fabd6e342252

Unknown | Iranian Cyber Actors Target Western Nations in Ransom and Extortion Campaigns

Source: CISA - September 2022

Detection (one case): 198[.]144.189.74

Phosphorus | Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

Source: Deep Instinct - June 2022

Detection (one case): 198[.]144.189.74

Unknown | Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

Source: CISA - November 2021

Detection (one case): 162[.]55.137.20

Phosphorus | Iranian-backed PHOSPHORUS Exploits Microsoft Exchange Vulnerabilities for Data Encryption

Source: The DFIR Report - November 2021

Detection (one case): 198[.]144.189.74

Hint: Overlaps are extracted automatically by comparing the IOCs associated with this threat against those of all indexed threats and actors.

About Affiliation: Ballistic Bobcat