• ESET Research have discovered a new backdoor, Sponsor, deployed by the Iran-aligned Ballistic Bobcat APT group. 
• Sponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates; we have named this activity the Sponsoring Access campaign.
• Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims. The victims comprise diverse business verticals.
• The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files, and deliberately designed to appear innocuous, in an attempt to evade detection by scanning engines.

BRATISLAVA, MONTREAL — September 11, 2023 — ESET researchers have discovered a campaign by the Ballistic Bobcat group, which is using a novel backdoor that ESET has named Sponsor. Ballistic Bobcat, previously tracked by ESET Research as APT35/APT42 (also known as Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-aligned, advanced, persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the United States. Its aim is cyberespionage, and a significant majority of the 34 victims were located in Israel, with only two located in Brazil and the UAE. In Israel, automotive, manufacturing, engineering, financial services, media, healthcare, technology and telecommunications verticals have been attacked.

For 16 of the 34 victims of the newly discovered campaign, named Sponsoring Access, it appears that Ballistic Bobcat was not the only threat actor with access to their systems. This may indicate, along with the wide variety of victims and the apparent lack of obvious intelligence value of a few victims, that Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims.

Thus, Ballistic Bobcat continues to look for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. “The group continues to use a diverse, open-source toolset supplemented with several custom applications, including the newly discovered Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations,” says ESET researcher Adam Burgher, who discovered the Sponsor backdoor and analyzed the latest Ballistic Bobcat campaign.

The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files, and deliberately designed to appear innocuous, in an attempt to evade detection by scanning engines. Ballistic Bobcat deployed the new backdoor in September 2021, while it was wrapping up the campaign documented in CISA Alert AA21-321A and the PowerLess campaign.

During the pandemic, Ballistic Bobcat was targeting COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, and medical research personnel.

For more technical information about Ballistic Bobcat and its Sponsoring Access campaign, check out the blogpost, “Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor,” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor

Organizations have increasingly become targets of hacking that result in massive data breaches, calling to attention both the increasing importance of proper cybersecurity software, but also an overall change in security strategy.

According to a recent report, the average cost of a data breach globally in 2022 reached a sum of $4.35 million, up from the previous year. In the United States alone, the average cost is as high as $9.44 million – a staggering number, with businesses increasing prices to accommodate for the resulting costs.

While mitigating cyber threats is challenging, having a sound security strategy to tackle threats is key. Among some of the strategies employed is data loss prevention (DLP), which should be a part of any company’s data protection repertoire.

What is data loss prevention, and how does it work?

DLP is designed to prevent accidental or intentional losses of data. The idea basically is to protect confidential data and information to prevent fraudulent access, both within a company and outside it.

Some of the ways DLP works and helps data protection is by classifying types of data into various categories, identifying security violations, and automating certain processes, so that data management becomes easier to handle. Flagging data into categories based on confidentiality or access level is just one-way DLP helps, as access management is important in mitigating potential loss in the form of unwanted leaks, for example.

For DLP to work, it can be done in-house by an internal IT team, but it can also be outsourced, depending on where the priorities of a business lie. With the sheer number of endpoint devices a company usually manages, it makes sense to use outside help to properly secure data on all of them, while letting their IT teams tackle other matters. However, just like any business, DLP companies can also be the targets of attacks.

The various types of DLP

DLP solutions are adaptable, so they can be easily configured to suit any company’s needs. Depending on this, a company can pick from different DLP types, as each one has its own strengths and weaknesses.

For example, endpoint DLP focuses on securing data on all company endpoints. It involves the implementation of user monitoring and other security policies to prevent data loss allowing for visibility into data usage on devices.

However, since data is not only stored or moves only through endpoint devices, there is also network DLP, which takes care of monitoring data in use across an organization’s network. It can easily identify and prevent unauthorized movement of data by leveraging its power to see how various forms of data move on the network, like who accessed what and when, which is very useful when looking for anomalous behavior.

Also worth mentioning is a different subsection of network DLP. While organizations are increasingly moving to adopt cloud services, protecting data stored on them is important. Hence why cloud DLP helps protect data stored by businesses on cloud repositories. Sometimes a business enables access to its cloud storage to partners, for example, in which case cloud DLP is very useful to ward off potential data security failures.

These three previously mentioned types of DLP solutions can also work together to provide comprehensive protection across different stages of data in motion – at rest, at motion, and in use. Implementing all three types can help organizations prevent data loss and maintain a proper data security posture.

Compliance – the added benefit of DLP

A company should have DLP for several reasons, including compliance with regulations, as many industries are subject to strict data protection and privacy regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS) among others.

Specifically, since GDPR involves stringent measures on respecting user privacy and data, DLP gives the right amount of protection to shield companies from potential issues stemming from data breaches, for example.

ESET and Data Loss Prevention

ESET, as part of its technology alliance, has a trusted partner in Safetica, offering data loss prevention services with Safetica ONE and Safetica NXT, to prevent data leakage, guide staff on data protection, and to stay compliant with regulations.

While ESET protects you by offering award-winning endpoint security and detection and response solutions through the ESET PROTECT Platform, Safetica’s products add another layer of protection, protecting data both inside and outside a company, being tough on insider threats and data loss in an era of hybrid work, during which endpoints and data can move all around the world.

To sum it up, having a well-functioning DLP toolset can help any organization in exercising proper data control. It is an enormously important component of any comprehensive data security strategy in today’s world of ever-evolving threats.

• ESET Research has discovered trojanized Signal and Telegram apps for Android, named Signal Plus Messenger and FlyGram, on Google Play and Samsung Galaxy Store; both apps were later removed from Google Play.
• Signal Plus Messenger represents the first documented case of spying on a victim’s Signal communications by secretly autolinking the compromised device to the attacker’s Signal device.
• The malicious code found in these apps is attributed to the BadBazaar malware family, which has been used in the past by a China-aligned APT group called GREF.
• Thousands of users downloaded the spy apps. ESET telemetry reported detections on Android devices in several EU countries, the United States, Ukraine, and other places worldwide.
• BadBazaar malware has previously been used to target Uyghurs and other Turkic ethnic minorities. FlyGram malware was also seen shared in an Uyghur Telegram group, which aligns with previous targeting by the BadBazaar malware family.

BRATISLAVA, KOŠICE — August 30, 2023 — ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications — the malicious apps are FlyGram and Signal Plus Messenger. The threat actors achieved the functionalities in the fake Signal and Telegram apps by patching the open-source Signal and Telegram apps for Android with malicious code. Signal Plus Messenger is the first documented case of spying on a victim’s Signal communications; thousands of users downloaded the spy apps. ESET telemetry reported detections on Android devices in several EU countries, the United States, Ukraine, and other places worldwide. Both apps were later removed from Google Play.

“Malicious code from the BadBazaar family was hidden in trojanized Signal and Telegram apps, which provide victims a working app experience but with espionage happening in the background,” says ESET researcher Lukáš Štefanko, who made the discovery. “BadBazaar’s main purpose is to exfiltrate device information, the contact list, call logs, and the list of installed apps, and to conduct espionage on Signal messages by secretly linking the victim’s Signal Plus Messenger app to the attacker’s device,” he adds.

ESET telemetry reports detections from Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United States, and Yemen. Furthermore, a link to FlyGram in the Google Play store was also shared in a Uyghur Telegram group. Apps by the BadBazaar malware family previously have been used against Uyghurs and other Turkic ethnic minorities outside of China.

As a Google App Defense Alliance partner, ESET identified the most recent version of the Signal Plus Messenger as malicious and promptly shared its findings with Google. Following our alert, the app was removed from the Store. Both apps were created by the same developer and share the same malicious features, and the app descriptions on both stores refer to the same developer website.

After initial app start, the user has to log into Signal Plus Messenger via legitimate Signal functionality, just like they would with the official Signal app for Android. Once logged in, Signal Plus Messenger starts to communicate with its command and control (C&C) server. Signal Plus Messenger can spy on Signal messages by misusing the “link device” feature. It does this by automatically connecting the compromised device to the attacker’s Signal device. This method of spying is unique: ESET researchers haven’t seen this functionality being misused before by other malware, and this is the only method by which the attacker can obtain the content of Signal messages. ESET Research has informed Signal’s developers about this loophole.

With regard to the fake Telegram app, FlyGram, the victim has to log in via their legitimate Telegram functionality, as required by the official Telegram app. Before the login is complete, FlyGram starts to communicate with the C&C server and BadBazaar gains the ability to exfiltrate sensitive information from the device. FlyGram can access Telegram backups if the user has enabled a specific feature added by the attackers; the feature was activated by at least 13,953 user accounts. The attacker’s proxy server may be able to log some metadata, but it cannot decrypt the actual data and messages exchanged within Telegram itself. Unlike the Signal Plus Messenger, FlyGram lacks the ability to link a Telegram account to the attacker or intercept the encrypted communications of its victims.

For more technical information about the latest campaigns by GREF, concerning BadBazaar and the trojanized espionage apps, check out the blogpost “BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

• Spacecolon is a small toolset used to deploy variants of Scarab ransomware to victims all over the world, and ESET Research believes it is of Turkish origin.
• Spacecolon’s operators, named CosmicBeetle by ESET, have no clear targeting, with highest detections in European countries, Turkey, and Mexico.
• Spacecolon can serve as a remote access trojan with the ability to extract sensitive information and/or deploy Scarab ransomware.
• CosmicBeetle probably compromises web servers vulnerable to the ZeroLogon or those with RDP credentials that it is able to brute force.
• CosmicBeetle appears to be preparing the distribution of new ransomware that we have named ScRansom.

BRATISLAVA, PRAGUE — August 22, 2023 — ESET Research has released its analysis of Spacecolon, a small toolset used to deploy variants of Scarab ransomware to victims all over the world. It likely penetrates victim organizations through operators compromising vulnerable web servers or via brute forcing RDP credentials. Several Spacecolon builds contain many Turkish strings; therefore, ESET believes it is written by a Turkish-speaking developer. ESET was able to track the origins of Spacecolon back to at least May 2020, and its campaigns are ongoing. ESET named Spacecolon’s operators CosmicBeetle to represent the link to “space” and “scarab.”

Spacecolon incidents identified by ESET telemetry encompass the globe, with high prevalence in European Union countries, such as Spain, France, Belgium, Poland, and Hungary; elsewhere, ESET has detected high prevalence in Turkey and Mexico. CosmicBeetle appears to be preparing the distribution of new ransomware — ScRansom. Post-compromise, along with installing ransomware, Spacecolon offers a large variety of third-party tools that allow the attackers to disable security products, extract sensitive information, and gain further access.

“We have not observed any pattern to Spacecolon’s victims besides them being vulnerable to the initial access methods employed by CosmicBeetle. Neither have we found any pattern among the targets’ areas of focus or size. However, to name a few (by type and geography), we have observed Spacecolon at a hospital and tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico,” says ESET researcher Jakub Souček, author of the analysis.

CosmicBeetle probably compromises web servers vulnerable to the ZeroLogon vulnerability or those with RDP credentials that it is able to brute force. Additionally, Spacecolon can provide backdoor access for its operators. CosmicBeetle doesn’t make any considerable effort to hide its malware and leaves plenty of artifacts on compromised systems.

After CosmicBeetle compromises a vulnerable web server, it deploys ScHackTool, the main Spacecolon component that CosmicBeetle uses. It relies heavily on its GUI and active participation of its operators; it allows them to orchestrate the attack, downloading and executing additional tools to the compromised machine on demand as they see fit. If the target is deemed valuable, CosmicBeetle can deploy ScInstaller and use it, e.g., to install ScService, which provides further remote access.

The final payload CosmicBeetle deploys is a variant of the Scarab ransomware. This variant internally deploys a ClipBanker, a type of malware that monitors the content of the clipboard and changes content that it deems likely to be a cryptocurrency wallet address to an attacker-controlled address.

Furthermore, a new ransomware family is being developed, with samples being uploaded to VirusTotal from Turkey. ESET Research believes with high confidence that it is written by the same developers as Spacecolon, and ESET has named it ScRansom. ScRansom attempts to encrypt all hard, removable, and remote drives. ESET has not observed this ransomware being deployed in the wild, and it appears to still be in a development stage.

For more technical information about Spacecolon and CosmicBeetle, check out the blogpost “Scarabs colon-izing vulnerable servers” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Distribution of Spacecolon victims

Both your children’s, and your own cybersecurity, is nothing to take lightly. A lot of people opt to buy their children a smartphone before returning for a new school year. Understandably so. You want to be able to reach your kids, know when they´re getting home, where they are. A great way to do that is by using parental control.

But that is not the only protection your child´s and device needs. In the ever-so-changing threat landscape, mobile device protection should be one of the top priorities for both kids and adults. After getting a new phone, installing a security solution should be the first thing to do. And when getting your child a phone, teaching them how to stay safe and secure is a must.

A few digital security tips to follow and teach your kids:

• Use a strong passphrase
• Do not click on unknown attachments and links
• Keep your device up-to-date
• Do not share personal information online
• Back up your data regularly
• Do not leave your mobile phone unattended and unlocked

The most necessary Back to School supply?

A simple answer; digital security solutions. One that is easy to use, deploy and which covers most of your security needs. Our phones are powerful tools, one that can easily turn into a an issue if not secured properly. Keeping it safe is key to ensuring a smooth and safe Back to School period.

A great way to start is with ESET Mobile Security on your Android mobile devices. It’s a solution that ensures protection against a multitude of mobile threats while also securing users’ data.

ESET Mobile Security aims to provide a safe environment by leveraging its various security features, including: 

• Anti-Phishing- integrates with the most common web browsers (Chrome and many others) and protects you from most common phishing attempts
• Anti-Smishing – protects you from SMS and App notifications containing malicious links
• Antivirus – protection against malware: intercepts threats and cleans them from your device
• Payment protection – lets you shop and bank safely online
• App lock – requires extra authentication to access sensitive apps; protects content when you’re sharing a device
• Anti-Theft – a powerful feature to help protect your phone and find it if it goes missing
• Network inspector – scans your network and all connected devices to identify security gaps
• Call filter – blocks calls from specified numbers, contacts and unknown numbers
• Adware detector – identifies and removes apps that display ads unexpectedly
• Real-time scanning – scans all files and apps for malware
• Scheduled scans – checks your device every time you charge it, or whenever you want
• Security audit – checks an app’s permissions
• Security report – provides an overview of how secure your device is
• USB on-the-go scanner – checks any connected USB device for threats
• Up to 5 devices – pay once, protect 5 devices associated with the same Google account

ESET Mobile Security makes your Android phones and devices easy to find and harder to steal, and it helps to protect your valuable data.

If you want to protect your phone with ESET Mobile Security, you’re in luck! From August 21 to September 3, the premium version of ESET Mobile Security will be 50% off. No need for a promotional code; the discount will automatically be added to your checkout! It couldn’t be easier.

One-stop security supply shop
Deepening you digital security and developing knowledge about it is just as important these days as helping children navigate dealing with strangers. Educate yourself on the common security threats on WeLiveSecurity, an award-winning cybersecurity blog. Talk to your kids and guide them through wonders and pitfalls of the online world. Make sure they feel safe and welcome when coming to you with any and all issues.

Happy Back to School!

To better educate yourself and your children, visit saferkidsonline.eset.com.