Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor


ESET researchers discovered a Ballistic Bobcat campaign targeting various entities in Brazil, Israel, and the United Arab Emirates, using a novel backdoor we have named Sponsor.

We discovered Sponsor after we analyzed an interesting sample we detected on a victim's system in Israel in May 2022 and scoped the victim set by country. Upon examination, it became evident to us that the sample was a novel backdoor deployed by the Ballistic Bobcat APT group.

Ballistic Bobcat, previously tracked by ESET Research as APT35/APT42 (aka Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-aligned advanced persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the United States. Notably, during the pandemic, it was targeting COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, and medical research personnel.

Overlaps between Ballistic Bobcat campaigns and Sponsor backdoor versions show a fairly clear pattern of tool development and deployment, with narrowly targeted campaigns, each of limited duration. We subsequently discovered four other versions of the Sponsor backdoor. In total, we saw Sponsor deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates, as outlined in Figure 1.

Figure 1. Timeline of the Sponsoring Access campaign

Key points of this blogpost:

  • We discovered a novel backdoor deployed by Ballistic Bobcat that we subsequently named Sponsor.
  • Ballistic Bobcat deployed the novel backdoor in September 2021, while it was wrapping up the campaign documented in CISA Alert AA21-321A and the PowerLess campaign.
  • The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines.
  • Sponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates; we have named this activity the Sponsoring Access campaign.

Initial access

Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers: it first conducts meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targets and exploits those it identified. The group has been known to engage in this behavior for some time. However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity rather than preselected and researched victims; we suspect Ballistic Bobcat engaged in the scan-and-exploit behavior described above because it was not the only threat actor with access to these systems. We have named this Ballistic Bobcat activity using the Sponsor backdoor the Sponsoring Access campaign.

The Sponsor backdoor uses configuration files on disk, dropped by batch files, and both are innocuous so as to bypass scanning engines. This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years. On compromised systems, Ballistic Bobcat also continues to use a variety of open-source tools, which we describe, together with the Sponsor backdoor, in this blogpost.


Figure 2. Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor

A significant majority of the 34 victims were located in Israel, with only two located in other countries:

  • Brazil, at a medical cooperative and health insurance operator, and
  • the United Arab Emirates, at an unidentified organization.

Table 1 describes the verticals, and organizational details, for victims in Israel.

Table 1. Verticals and organizational details for victims in Israel

Automotive
  • An automotive company specializing in custom modifications.
  • An automotive repair and maintenance company.

Media
  • An Israeli media outlet.

Engineering
  • A civil engineering firm.
  • An environmental engineering firm.
  • An architectural design firm.

Financial services
  • A financial services company that specializes in investment counseling.
  • A company that manages royalties.

Healthcare
  • A medical treatment provider.

Insurance
  • An insurance company that operates an insurance marketplace.
  • A commercial insurance company.

Law
  • A firm specializing in medical law.

Manufacturing
  • Multiple electronics manufacturing companies.
  • A company that manufactures metal-based commercial products.
  • A multinational technology manufacturing company.

Retail
  • A food retailer.
  • A multinational diamond retailer.
  • A skin care products retailer.
  • A window treatment retailer and installer.
  • A global electronics parts supplier.
  • A physical access control supplier.

Technology
  • An IT services technology company.
  • An IT solutions provider.

Telecommunications
  • A telecommunications company.

Unidentified
  • Multiple unidentified organizations.


In August 2021, the Israeli victim above that operates an insurance marketplace was attacked by Ballistic Bobcat with the tools CISA reported in November 2021. The indicators of compromise we observed are:

  • MicrosoftOutlookUpdateSchedule,
  • MicrosoftOutlookUpdateSchedule.xml,
  • GoogleChangeManagement, and
  • GoogleChangeManagement.xml.

Ballistic Bobcat tools communicated with the same command and control (C&C) server as in the CISA report: 162.55.137[.]20.

Then, in September 2021, the same victim received the next generation of Ballistic Bobcat tools: the PowerLess backdoor and its supporting toolset. The indicators of compromise we observed were:

  • http://162.55.137[.]20/gsdhdDdfgA5sS/ff/dll.dll,
  • windowsprocesses.exe, and
  • http://162.55.137[.]20/gsdhdDdfgA5sS/ff/windowsprocesses.exe.

On November 18th, 2021, the group then deployed another tool (Plink) that was covered in the CISA report, as MicrosoftOutLookUpdater.exe. Ten days later, on November 28th, 2021, Ballistic Bobcat deployed the Merlin agent (the agent part of an open-source post-exploitation C&C server and agent written in Go). On disk, this Merlin agent was named googleUpdate.exe, using the same naming convention as described in the CISA report to hide in plain sight.

The Merlin agent executed a Meterpreter reverse shell that called back to a new C&C server, 37.120.222[.]168:80. On December 12th, 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor. This would turn out to be the third version of the backdoor.

Technical analysis

Initial access

We were able to identify a likely means of initial access for 23 of the 34 victims that we observed in ESET telemetry. Similar to what was reported in the PowerLess and CISA reports, Ballistic Bobcat most likely exploited a known vulnerability, CVE-2021-26855, in Microsoft Exchange servers to gain a foothold on these systems.

For 16 of the 34 victims, it appears Ballistic Bobcat was not the only threat actor with access to their systems. This may indicate, along with the wide variety of victims and the apparent lack of obvious intelligence value of a few victims, that Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims.


Open-source tools

Ballistic Bobcat employed a number of open-source tools during the Sponsoring Access campaign. Those tools and their functions are listed in Table 2.

Table 2. Open-source tools used by Ballistic Bobcat

  • Host2IP, which maps a hostname to an IP address within the local network.
  • RevSocks, a reverse tunnel application.
  • Mimikatz, with an original filename of midongle.exe and packed with the Armadillo PE packer.
  • GO Simple Tunnel (GOST), a tunneling application written in Go.
  • Chisel, a TCP/UDP tunnel over HTTP using SSH layers.
  • RevSocks tunnel, protected with the trial version of the Enigma Protector software protection.
  • Plink (PuTTY Link), a command line connection tool.
  • A password recovery tool for passwords stored in web browsers.
  • A tool for interacting with, and extracting data from, SQL databases.
  • ProcDump, a Sysinternals command line utility for monitoring applications and generating crash dumps.

Batch files

Ballistic Bobcat deployed batch files to victims' systems moments before deploying the Sponsor backdoor. File paths we are aware of are:

  • C:\inetpub\wwwroot\aspnet_client\Install.bat
  • %USERPROFILE%\Desktop\Install.bat
  • %WINDOWS%\Tasks\Install.bat

Unfortunately, we were unable to obtain any of these batch files. However, we believe they write innocuous configuration files to disk, which the Sponsor backdoor requires to function fully. These configuration filenames were taken from the Sponsor backdoors but were never collected:

  • config.txt
  • node.txt
  • error.txt
  • Uninstall.bat

We believe that the batch files and configuration files are part of the modular development process that Ballistic Bobcat has favored over the past few years.

Sponsor backdoor

Sponsor backdoors are written in C++ with compilation timestamps and Program Database (PDB) paths as shown in Table 3. A note on version numbers: the Version column represents the version that we track internally based on the linear progression of Sponsor backdoors, where changes are made from one version to the next. The Internal version column contains the version numbers observed in each Sponsor backdoor, and is included for ease of comparison when examining these and other potential Sponsor samples.

Table 3. Sponsor compilation timestamps and PDBs

Version   Compilation timestamp
v1        2021-08-29 09:12:51
v2        2021-10-09 12:39:15
v3        2021-11-24 11:51:55
v4        2022-02-19 13:12:07
v5        2022-06-19 14:14:13


The initial execution of Sponsor requires the runtime argument install, without which Sponsor gracefully exits, likely a simple anti-emulation/anti-sandbox technique. If passed that argument, Sponsor creates a service called SystemNetwork (in v1) or Update (in all the other versions). It sets the service's Startup Type to Automatic, sets it to run its own Sponsor process, and grants it full access. It then starts the service.

Sponsor, now running as a service, attempts to open the aforementioned configuration files previously placed on disk. It looks for config.txt and node.txt, both in the current working directory. If the former is missing, Sponsor sets the service to Stopped and gracefully exits.

Backdoor configuration

Sponsor's configuration, stored in config.txt, contains two fields:

  • An update interval, in seconds, used to periodically contact the C&C server for commands.
  • A list of C&C servers, referred to as relays in Sponsor's binaries.

The C&C servers are stored encrypted (RC4), and the decryption key is present in the first line of config.txt. Each of the fields, including the decryption key, has the format shown in Figure 3.

Figure 3. Format of configuration fields in config.txt

These subfields are:

  • config_start: indicates the length of config_name, if present, or zero if not. Used by the backdoor to know where config_data starts.
  • config_len: length of config_data.
  • config_name: optional; contains a name given to the configuration field.
  • config_data: the configuration itself, encrypted (in the case of C&C servers) or not (all the other fields).

Figure 4 shows an example with color-coded contents of a possible config.txt file. Note that this is not an actual file we observed, but a fabricated example.

Figure 4. Example of possible contents of config.txt

The last two fields in config.txt are encrypted with RC4, using the string representation of the SHA-256 hash of the specified decryption key as the key to encrypt the data. We see that the encrypted bytes are stored hex-encoded as ASCII text.

Host information gathering

Sponsor gathers information about the host on which it is running, reports all of the gathered information to the C&C server, and receives a node ID, which is written to node.txt. Table 4 lists keys and values in the Windows registry that Sponsor uses to obtain the information, and provides an example of the data collected.

Table 4. Information gathered by Sponsor

  • Time zone; example value: Israel Standard Time.
  • Locale, read from HKEY_USERS\.DEFAULT\Control Panel\International.
  • CPU model; example value: Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz.
  • Windows product name, read from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion; example value: Windows 10 Enterprise N.

Sponsor also collects the host's Windows domain by using the following WMIC command:

wmic computersystem get domain

Lastly, Sponsor uses Windows APIs to collect the current username (GetUserNameW), determine whether the current Sponsor process is running as a 32- or 64-bit application (GetCurrentProcess, then IsWow64Process on the returned handle), and determine whether the system is running on battery power or connected to an AC or DC power source (GetSystemPowerStatus).

One oddity regarding the 32- or 64-bit application check is that all observed samples of Sponsor were 32-bit. This could mean that some of the next-stage tools require this information.

The collected information is sent in a base64-encoded message that, before encoding, starts with r and has the format shown in Figure 5.

Figure 5. Format of the message sent by Sponsor to register the victimized computer

The information is encrypted with RC4, and the encryption key is a random number generated on the spot. The key is hashed with the MD5 algorithm, not SHA-256 as previously mentioned for config.txt. This is the case for all communications where Sponsor has to send encrypted data.

The C&C server replies with a number used to identify the victimized computer in future communications, which is written to node.txt. Note that the C&C server is randomly chosen from the list when the r message is sent, and the same server is used in all subsequent communications.

Command processing loop

Sponsor requests commands in a loop, sleeping according to the interval defined in config.txt. The steps are:

  1. Send a chk=Test message repeatedly, until the C&C server replies Ok.
  2. Send a c (IS_CMD_AVAIL) message to the C&C server, and receive an operator command.
  3. Process the command.
    • If there is output to be sent to the C&C server, send an a (ACK) message, including the output (encrypted), or
    • If execution failed, send an f (FAILED) message. The error message is not sent.
  4. Sleep.

The c message is sent to request a command to execute, and has the format (before base64 encoding) shown in Figure 6.

Figure 6. Format of the message sent by Sponsor to ask for commands to execute

The encrypted_none field in the figure is the result of encrypting the hardcoded string None with RC4. The key for encryption is the MD5 hash of node_id.

The URL used to contact the C&C server is built as http://<IP_or_domain>:80. This may indicate that 37.120.222[.]168:80 is the only C&C server used throughout the Sponsoring Access campaign, as it was the only IP address we observed victim machines reaching out to on port 80.
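The two crypto details above, the config.txt field layout with its SHA-256-derived RC4 key (Backdoor configuration section) and the MD5-keyed r and c messages (this section), are easier to reason about in code. The following Python is an added example written for this page; it is not ESET's code and not Sponsor's. Figures 3, 5 and 6 are not reproduced here, so it assumes things the text does not specify: config_start and config_len as two- and four-digit decimal ASCII with one field per line, one relay per field, the "string representation" of a hash being its lowercase hex digest, and the random number or node_id travelling in clear next to the hex ciphertext with | as separator. RC4, the key derivations, the hex encoding of ciphertext, the relay-only encryption and the base64 of the message body are taken from the text; the relay and secret values are constructed sample input.

```python
# Added example: a model of Sponsor's config.txt fields and C&C message
# crypto as described in the text. Not ESET's or Ballistic Bobcat's code.
# ASSUMED (not in the write-up): fixed-width decimal config_start/config_len,
# one field per line, one relay per field, '|' as message separator.
import base64
import hashlib
import secrets
from typing import Dict, List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def config_key(secret: str) -> bytes:
    """Relay fields: RC4 key is the (assumed lowercase hex) string of SHA-256(secret)."""
    return hashlib.sha256(secret.encode()).hexdigest().encode()


def c2_key(token: str) -> bytes:
    """C&C traffic: RC4 key is the (assumed lowercase hex) string of MD5(token)."""
    return hashlib.md5(token.encode()).hexdigest().encode()


# --- config.txt fields: config_start | config_len | config_name | config_data ---
def pack_field(data: str, name: str = "") -> str:
    # config_start = len(config_name) or 0 (2 digits); config_len (4 digits)
    return f"{len(name):02d}{len(data):04d}{name}{data}"


def unpack_field(line: str) -> Tuple[str, str]:
    start, length = int(line[:2]), int(line[2:6])
    name = line[6:6 + start]                 # empty when config_start == 0
    return name, line[6 + start:6 + start + length]


def build_config(secret: str, interval: int, relays: List[str]) -> str:
    key = config_key(secret)
    lines = [pack_field(secret, "key"), pack_field(str(interval), "interval")]
    for relay in relays:                     # only relays are encrypted, stored hex
        lines.append(pack_field(rc4(key, relay.encode()).hex(), "relay"))
    return "\n".join(lines) + "\n"


def parse_config(text: str) -> Dict[str, object]:
    fields = [unpack_field(line) for line in text.splitlines() if line]
    named = dict(fields)
    key = config_key(named["key"])           # key is on the first line, in clear
    relays = [rc4(key, bytes.fromhex(d)).decode() for n, d in fields if n == "relay"]
    return {"interval": int(named["interval"]), "relays": relays}


# --- C&C messages: base64( "<type>|<token>|<hex RC4 ciphertext>" ) ---
def registration_message(host_info: str, nonce: str = "") -> str:
    """'r' message: fresh random number, RC4 key = MD5(number), number sent along."""
    nonce = nonce or str(secrets.randbelow(10 ** 9))
    blob = rc4(c2_key(nonce), host_info.encode()).hex()
    return base64.b64encode(f"r|{nonce}|{blob}".encode()).decode()


def command_request(node_id: str) -> str:
    """'c' message: node_id plus RC4('None') keyed with MD5(node_id)."""
    blob = rc4(c2_key(node_id), b"None").hex()
    return base64.b64encode(f"c|{node_id}|{blob}".encode()).decode()


def decode_message(b64: str) -> Tuple[str, str, str]:
    """Server or analyst side: recover (type, token, plaintext) from a message."""
    kind, token, blob = base64.b64decode(b64).decode().split("|", 2)
    return kind, token, rc4(c2_key(token), bytes.fromhex(blob)).decode()


if __name__ == "__main__":
    cfg_text = build_config("s3cr3t", 60, ["37.120.222.168"])  # constructed sample
    print(cfg_text)
    print(parse_config(cfg_text))
    print(decode_message(command_request("1234")))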

Operator commands

Operator commands are described in Table 5 and appear in the order in which they are found in the code. Communication with the C&C server occurs over port 80.

Table 5. Operator commands and descriptions

  • Sends the process ID of the running Sponsor process.
  • Executes a command, as specified in a subsequent additional argument, on the Sponsor host using the following string:

c:\windows\system32\cmd.exe /c <cmd> > \result.txt 2>&1

    Results are stored in result.txt in the current working directory. Sends an a message with the encrypted output to the C&C server if successfully executed. If it failed, sends an f message (without specifying the error).
  • Receives a file from the C&C server and executes it. This command has many arguments: the target filename to write the file into, the MD5 hash of the file, a directory to write the file to (or the current working directory, by default), a Boolean to indicate whether to run the file or not, and the contents of the executable file, base64-encoded. If no errors occur, an a message is sent to the C&C server with Upload and execute file successfully or Upload file successfully without execute (encrypted). If errors occur during execution of the file, an f message is sent. If the MD5 hash of the contents of the file does not match the provided hash, an e (CRC_ERROR) message is sent to the C&C server (including only the encryption key used, and no other information). The use of the term Upload here is potentially confusing, as the Ballistic Bobcat operators and coders take the point of view of the server side, whereas many might view this as a download, since the system running the Sponsor backdoor pulls the file (i.e., downloads it).
  • Attempts to download a file using the URLDownloadToFileW Windows API and execute it. Success sends an a message with the encryption key used, and no other information. Failure sends an f message with a similar structure.
  • Executes a file already on disk, Uninstall.bat in the current working directory, that most likely contains commands to delete files related to the backdoor.
  • This command can be explicitly supplied by an operator or can be inferred by Sponsor as the command to execute in the absence of any other command. Referred to within Sponsor as NO_CMD, it executes a randomized sleep before checking back in with the C&C server.
  • Updates the list of C&Cs stored in config.txt in the current working directory. The new C&C addresses replace the previous ones; they are not added to the list. It sends an a message with New relays replaced successfully (encrypted) to the C&C server if successfully updated.
  • Updates the predetermined check-in interval specified in config.txt. It sends an a message with New interval replaced successfully to the C&C server if successfully updated.

Updates to Sponsor

Ballistic Bobcat coders made code revisions between Sponsor v1 and v2. The two most significant changes in the latter are:

  • Optimization of code, where several longer functions were split into smaller functions and subfunctions, and
  • Disguising Sponsor as an updater program by including the following message in the service configuration:

App updates are great for both app users and apps – updates mean that developers are always working on improving the app, keeping in mind a better customer experience with each update.
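The host-side traits this page gives (the SystemNetwork/Update service set to Automatic start, the updater blurb in the service description, the cmd.exe /c <cmd> > \result.txt 2>&1 command string, the wmic computersystem get domain query, the Install.bat locations, and the %WINDIR%\INF\MSExchange Delivery DSN\ directory listed under File paths below) are specific enough to hunt on. The following Python is an added hunting example written for this page, not part of ESET's write-up or tooling. Field names mimic the Windows System log's event 7045 (new service installed) and Sysmon event 1 (process creation); the event records in SAMPLE_EVENTS are constructed, not real telemetry, and the hit labels and two-hit triage threshold are this example's own choices.

```python
# Added hunting example, not part of ESET's write-up or tooling: encodes the
# Sponsor traits given in the text as checks over Windows event records.
# Field names mimic System event 7045 (new service) and Sysmon event 1
# (process creation); SAMPLE_EVENTS below are constructed, not real telemetry.
import re
from typing import Dict, List

SPONSOR_SERVICE_NAMES = {"systemnetwork", "update"}          # v1, v2+
UPDATER_BLURB = "app updates are great for both app users and apps"
SPONSOR_DROP_DIR = r"\inf\msexchange delivery dsn"           # from File paths
INSTALL_BAT_PATHS = (                                        # from Batch files
    r"\inetpub\wwwroot\aspnet_client\install.bat",
    r"\desktop\install.bat",
    r"\tasks\install.bat",
)
# c:\windows\system32\cmd.exe /c <cmd> > \result.txt 2>&1
RESULT_TXT_RE = re.compile(r"cmd\.exe\s+/c\s+.+>\s*\\result\.txt\s+2>&1", re.I)
WMIC_DOMAIN_RE = re.compile(r"\bwmic\s+computersystem\s+get\s+domain\b", re.I)
INSTALL_ARG_RE = re.compile(r'\.exe"?\s+install\s*$', re.I)   # Sponsor's "install" arg


def check_service_install(ev: Dict[str, str]) -> List[str]:
    """Event 7045 fields: ServiceName, ImagePath, StartType, Description."""
    hits = []
    auto = ev.get("StartType", "").lower().startswith("auto")
    if ev.get("ServiceName", "").lower() in SPONSOR_SERVICE_NAMES and auto:
        hits.append("sponsor_service_name_autostart")
    if SPONSOR_DROP_DIR in ev.get("ImagePath", "").lower():
        hits.append("image_in_msexchange_dsn_dir")
    if UPDATER_BLURB in ev.get("Description", "").lower():
        hits.append("updater_blurb_description")
    return hits


def check_process_create(ev: Dict[str, str]) -> List[str]:
    """Sysmon event 1 fields: CommandLine, ParentCommandLine."""
    hits = []
    cmdline = ev.get("CommandLine", "")
    parent = ev.get("ParentCommandLine", "").lower()
    if RESULT_TXT_RE.search(cmdline):
        hits.append("cmd_output_to_result_txt")
    if WMIC_DOMAIN_RE.search(cmdline):
        hits.append("wmic_domain_query")
    if INSTALL_ARG_RE.search(cmdline) and any(p in parent for p in INSTALL_BAT_PATHS):
        hits.append("install_arg_from_install_bat")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Distinct hits per host, in first-seen order."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        check = check_service_install if ev.get("EventID") == "7045" else check_process_create
        for hit in check(ev):
            host_hits = findings.setdefault(ev["Computer"], [])
            if hit not in host_hits:
                host_hits.append(hit)
    return findings


def suspicious_hosts(findings: Dict[str, List[str]], min_hits: int = 2) -> List[str]:
    """Any single trait is weak on its own (e.g. a service named Update); require two."""
    return sorted(h for h, hits in findings.items() if len(hits) >= min_hits)


SAMPLE_EVENTS = [  # constructed for this example
    {"Computer": "EXCH01", "EventID": "7045", "ServiceName": "Update",
     "StartType": "auto start",
     "ImagePath": r"C:\Windows\INF\MSExchange Delivery DSN\Update.exe",
     "Description": "App updates are great for both app users and apps - updates "
                    "mean that developers are always working on improving the app"},
    {"Computer": "EXCH01", "EventID": "1",
     "CommandLine": r"C:\Windows\INF\MSExchange Delivery DSN\Update.exe install",
     "ParentCommandLine": r'cmd.exe /c "C:\inetpub\wwwroot\aspnet_client\Install.bat"'},
    {"Computer": "EXCH01", "EventID": "1",
     "CommandLine": r"wmic computersystem get domain",
     "ParentCommandLine": r"C:\Windows\INF\MSExchange Delivery DSN\Update.exe"},
    {"Computer": "EXCH01", "EventID": "1",
     "CommandLine": r"c:\windows\system32\cmd.exe /c whoami > \result.txt 2>&1",
     "ParentCommandLine": r"C:\Windows\INF\MSExchange Delivery DSN\Update.exe"},
    {"Computer": "WS07", "EventID": "7045", "ServiceName": "Update",
     "StartType": "demand start", "ImagePath": r"C:\Program Files\Vendor\svc.exe",
     "Description": "Vendor software updater"},
    {"Computer": "WS07", "EventID": "1",
     "CommandLine": r"cmd.exe /c dir > C:\Temp\out.txt 2>&1",
     "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
    print("triage:", suspicious_hosts(hunt(SAMPLE_EVENTS)))
```

The benign WS07 host shows why a service named Update is not a finding on its own: it is only the combination with Automatic start, the drop directory, the hardcoded description text or the result.txt redirection that points at Sponsor.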

Network infrastructure

In addition to piggybacking on the C&C infrastructure used in the PowerLess campaign, Ballistic Bobcat also introduced a new C&C server. The group also used multiple IPs to store and deliver support tools during the Sponsoring Access campaign. We have confirmed that none of these IPs are in operation at this time.


Conclusion

Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected].
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.










Files

  • Ballistic Bobcat backdoor, Sponsor (v1).
  • Ballistic Bobcat backdoor, Sponsor (v2).
  • Ballistic Bobcat backdoor, Sponsor (v3).
  • Ballistic Bobcat backdoor, Sponsor (v4).
  • Ballistic Bobcat backdoor, Sponsor (v5, aka Alumina).
  • RevSocks reverse tunnel.
  • ProcDump, a command line utility for monitoring applications and generating crash dumps.
  • GO Simple Tunnel (GOST).
  • Chisel reverse tunnel.
  • Host2IP discovery tool.
  • RevSocks tunnel, protected with the trial version of the Enigma Protector software protection.
  • Plink (PuTTY Link), a command line connection tool.
  • A password recovery tool for passwords stored in web browsers.
  • A tool for interacting with, and extracting data from, SQL databases.

File paths

The following is a list of paths where the Sponsor backdoor was deployed on victimized machines.

  • %WINDIR%\INF\MSExchange Delivery DSN\






Network

  • 162.55.137[.]20 (Hetzner Online GMBH): PowerLess C&C.
  • 37.120.222[.]168 (M247 LTD): Sponsor C&C.
  • Support tools download site.
  • The Infrastructure Group B.V.: Support tools download site.

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

Reconnaissance
  • Active Scanning: Vulnerability Scanning. Ballistic Bobcat scans for vulnerable versions of Microsoft Exchange Servers to exploit.

Resource Development
  • Develop Capabilities: Malware. Ballistic Bobcat designed and coded the Sponsor backdoor.
  • Obtain Capabilities: Tool. Ballistic Bobcat uses various open-source tools as part of the Sponsoring Access campaign.

Initial Access
  • Exploit Public-Facing Application. Ballistic Bobcat targets internet-exposed Microsoft Exchange Servers.

Execution
  • Command and Scripting Interpreter: Windows Command Shell. The Sponsor backdoor uses the Windows command shell to execute commands on the victim's system.
  • System Services: Service Execution. The Sponsor backdoor sets itself up as a service and initiates its primary functions after the service is executed.

Persistence
  • Create or Modify System Process: Windows Service. Sponsor maintains persistence by creating a service with automatic startup that executes its primary functions in a loop.

Privilege Escalation
  • Valid Accounts: Local Accounts. Ballistic Bobcat operators attempt to steal credentials of valid users after initially exploiting a system, before deploying the Sponsor backdoor.

Defense Evasion
  • Deobfuscate/Decode Files or Information. Sponsor stores information on disk that is encrypted and obfuscated, and deobfuscates it at runtime.
  • Obfuscated Files or Information. Configuration files that the Sponsor backdoor requires on disk are encrypted and obfuscated.
  • Valid Accounts: Local Accounts. Sponsor is executed with admin privileges, likely using credentials that operators found on disk; along with Ballistic Bobcat's innocuous naming conventions, this allows Sponsor to blend into the background.

Credential Access
  • Credentials from Password Stores: Credentials from Web Browsers. Ballistic Bobcat operators use open-source tools to steal credentials from password stores within web browsers.

Discovery
  • Remote System Discovery. Ballistic Bobcat uses the Host2IP tool, previously used by Agrius, to discover other systems within reachable networks and correlate their hostnames and IP addresses.

Command and Control
  • Data Obfuscation. The Sponsor backdoor obfuscates data before sending it to the C&C server.
