Sponsor with batch-filed whiskers: Ballistic Bobcat's scan and strike backdoor

ESET researchers discovered a Ballistic Bobcat campaign targeting various entities in Brazil, Israel, and the United Arab Emirates, using a novel backdoor we have named Sponsor.

We discovered Sponsor after we analyzed an interesting sample we detected on a victim’s system in Israel in May 2022 and scoped the victim-set by country. Upon examination, it became evident to us that the sample was a novel backdoor deployed by the Ballistic Bobcat APT group.

Ballistic Bobcat, previously tracked by ESET Research as APT35/APT42 (aka Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-aligned advanced persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in Israel, the Middle East, and the United States. Notably, during the pandemic, it was targeting COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, and medical research personnel.

Overlaps between Ballistic Bobcat campaigns and Sponsor backdoor versions show a fairly clear pattern of tool development and deployment, with narrowly targeted campaigns, each of limited duration. We subsequently discovered four other versions of the Sponsor backdoor. In total, we saw Sponsor deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates, as outlined in Figure 1.

Figure 1. Timeline of the Sponsoring Access campaign

Key points of this blogpost:

  • We discovered a new backdoor deployed by Ballistic Bobcat that we subsequently named Sponsor.
  • Ballistic Bobcat deployed the new backdoor in September 2021, while it was wrapping up the campaign documented in CISA Alert AA21-321A and the PowerLess campaign.
  • The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines.
  • Sponsor was deployed to at least 34 victims in Brazil, Israel, and the United Arab Emirates; we have named this activity the Sponsoring Access campaign.

Initial access

Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses. The group has been known to engage in this behavior for some time. However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity rather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems. We have named this Ballistic Bobcat activity utilizing the Sponsor backdoor the Sponsoring Access campaign.

The Sponsor backdoor uses configuration files on disk, dropped by batch files, and both are innocuous so as to bypass scanning engines. This modular approach is one that Ballistic Bobcat has used quite often and with modest success in the past two and a half years. On compromised systems, Ballistic Bobcat also continues to use a variety of open-source tools, which we describe – together with the Sponsor backdoor – in this blogpost.

Victimology

Figure 2. Geographical distribution of entities targeted by Ballistic Bobcat with the Sponsor backdoor

A significant majority of the 34 victims were located in Israel, with only two located in other countries:

  • Brazil, at a medical cooperative and health insurance operator, and
  • the United Arab Emirates, at an unidentified organization.

Table 1 describes the verticals and organizational details for victims in Israel.

Table 1. Verticals and organizational details for victims in Israel

| Vertical | Details |
| --- | --- |
| Automotive | An automotive company specializing in custom modifications; an automotive repair and maintenance company. |
| Communications | An Israeli media outlet. |
| Engineering | A civil engineering firm; an environmental engineering firm; an architectural design firm. |
| Financial services | A financial services company that specializes in investment counseling; a company that manages royalties. |
| Pharmaceutical | A medical care provider. |
| Insurance | An insurance company that operates an insurance marketplace; a commercial insurance company. |
| Law | A firm specializing in medical law. |
| Manufacturing | Multiple electronics manufacturing companies; a company that manufactures metal-based commercial products; a multinational technology manufacturing company. |
| Retail | A food retailer; a multinational diamond retailer; a skin care products retailer; a window treatment retailer and installer; a global electronic parts supplier; a physical access control supplier. |
| Technology | An IT services technology company; an IT solutions provider. |
| Telecommunications | A telecommunications company. |
| Unidentified | Multiple unidentified organizations. |

Attribution

In August 2021, the Israeli victim above that operates an insurance marketplace was attacked by Ballistic Bobcat with the tools CISA reported in November 2021. The indicators of compromise we observed are:

  • MicrosoftOutlookUpdateSchedule,
  • MicrosoftOutlookUpdateSchedule.xml,
  • GoogleChangeManagement, and
  • GoogleChangeManagement.xml.

Ballistic Bobcat tools communicated with the same command and control (C&C) server as in the CISA report: 162.55.137[.]20.

Then, in September 2021, the same victim received the next generation of Ballistic Bobcat tools: the PowerLess backdoor and its supporting toolset. The indicators of compromise we observed were:

  • http://162.55.137[.]20/gsdhdDdfgA5sS/ff/dll.dll,
  • windowsprocesses.exe, and
  • http://162.55.137[.]20/gsdhdDdfgA5sS/ff/windowsprocesses.exe.

On November 18th, 2021, the group deployed another tool (Plink) that was covered in the CISA report, as MicrosoftOutLookUpdater.exe. Ten days later, on November 28th, 2021, Ballistic Bobcat deployed the Merlin agent (the agent portion of an open-source post-exploitation C&C server and agent written in Go). On disk, this Merlin agent was named googleUpdate.exe, using the same naming convention as described in the CISA report to hide in plain sight.

The Merlin agent executed a Meterpreter reverse shell that called back to a new C&C server, 37.120.222[.]168:80. On December 12th, 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor. This would turn out to be the third version of the backdoor.

Technical analysis

Initial access

We were able to identify a likely means of initial access for 23 of the 34 victims that we observed in ESET telemetry. Similar to what was reported in the PowerLess and CISA reports, Ballistic Bobcat probably exploited a known vulnerability, CVE-2021-26855, in Microsoft Exchange servers to gain a foothold on these systems.

For 16 of the 34 victims, it appears Ballistic Bobcat was not the only threat actor with access to their systems. This may indicate, along with the wide variety of victims and the apparent lack of obvious intelligence value of a few victims, that Ballistic Bobcat engaged in scan-and-exploit behavior, as opposed to a targeted campaign against preselected victims.

Toolset

Open-source tools

Ballistic Bobcat employed a number of open-source tools during the Sponsoring Access campaign. Those tools and their functions are listed in Table 2.

Table 2. Open-source tools used by Ballistic Bobcat

| Filename | Description |
| --- | --- |
| host2ip.exe | Maps a hostname to an IP address within the local network. |
| CSRSS.EXE | RevSocks, a reverse tunnel application. |
| mi.exe | Mimikatz, with an original filename of midongle.exe and packed with the Armadillo PE packer. |
| gost.exe | GO Simple Tunnel (GOST), a tunneling application written in Go. |
| chisel.exe | Chisel, a TCP/UDP tunnel over HTTP using SSH layers. |
| csrss_protected.exe | RevSocks tunnel, protected with the trial version of the Enigma Protector software protection. |
| plink.exe | Plink (PuTTY Link), a command line connection tool. |
| WebBrowserPassView.exe | A password recovery tool for passwords stored in web browsers. |
| sqlextractor.exe | A tool for interacting with, and extracting data from, SQL databases. |
| procdump64.exe | ProcDump, a Sysinternals command line utility for monitoring applications and generating crash dumps. |

Batch files

Ballistic Bobcat deployed batch files to victims’ systems moments before deploying the Sponsor backdoor. File paths we are aware of are:

  • C:\inetpub\wwwroot\aspnet_client\Install.bat
  • %USERPROFILE%\Desktop\Install.bat
  • %WINDOWS%\Tasks\Install.bat

Unfortunately, we were unable to obtain any of these batch files. However, we believe they write innocuous configuration files to disk, which the Sponsor backdoor requires to function fully. These configuration filenames were taken from the Sponsor backdoors but were never collected:

  • config.txt
  • node.txt
  • error.txt
  • Uninstall.bat

We believe that the batch files and configuration files are part of the modular development process that Ballistic Bobcat has favored over the past few years.

Sponsor backdoor

Sponsor backdoors are written in C++ with compilation timestamps and Program Database (PDB) paths as shown in Table 3. A note on version numbers: the Version column represents the version that we track internally, based on the linear progression of Sponsor backdoors where changes are made from one version to the next. The Internal version column contains the version numbers observed in each Sponsor backdoor and is included for ease of comparison when examining these and other potential Sponsor samples.

Table 3. Sponsor compilation timestamps and PDBs

| Version | Internal version | Compilation timestamp | PDB |
| --- | --- | --- | --- |
| 1 | 1.0.0 | 2021-08-29 09:12:51 | D:\Temp\BD_Plus_Srvc\Release\BD_Plus_Srvc.pdb |
| 2 | 1.0.0 | 2021-10-09 12:39:15 | D:\Temp\Sponsor\Release\Sponsor.pdb |
| 3 | 1.4.0 | 2021-11-24 11:51:55 | D:\Temp\Sponsor\Release\Sponsor.pdb |
| 4 | 2.1.1 | 2022-02-19 13:12:07 | D:\Temp\Sponsor\Release\Sponsor.pdb |
| 5 | 1.2.3.0 | 2022-06-19 14:14:13 | D:\Temp\Alumina\Release\Alumina.pdb |

The initial execution of Sponsor requires the runtime argument install, without which Sponsor gracefully exits, likely a simple anti-emulation/anti-sandbox technique. If passed that argument, Sponsor creates a service called SystemNetwork (in v1) or Update (in all the other versions). It sets the service's Start type to Automatic, sets it to run its own Sponsor process, and grants it full access. It then starts the service.

Sponsor, now running as a service, attempts to open the aforementioned configuration files previously placed on disk. It looks for config.txt and node.txt, both in the current working directory. If the first is missing, Sponsor sets the service to Stopped and gracefully exits.

Backdoor configuration

Sponsor’s configuration, stored in config.txt, contains two fields:

  • An update interval, in seconds, to periodically contact the C&C server for commands.
  • A list of C&C servers, referred to as relays in Sponsor's binaries.

The C&C servers are stored encrypted (RC4), and the decryption key is present in the first line of config.txt. Each of the fields, including the decryption key, has the format shown in Figure 3.

Figure 3. Format of configuration fields in config.txt

These subfields are:

  • config_start: the length of config_name, if present, or zero if not. Used by the backdoor to know where config_data begins.
  • config_len: the length of config_data.
  • config_name: optional, contains a name given to the configuration field.
  • config_data: the configuration itself, encrypted (in the case of C&C servers) or not (all the other fields).

Figure 4 shows an example with color-coded contents of a possible config.txt file. Note that this is not an actual file we observed, but a fabricated example.

Figure 4. Example of possible contents of config.txt

The last two fields in config.txt are encrypted with RC4, using the string representation of the SHA-256 hash of the specified decryption key, as the key to encrypt the data. We see that the encrypted bytes are stored hex-encoded as ASCII text.

Host information gathering

Sponsor gathers information about the host on which it is running, reports all of the gathered information to the C&C server, and receives a node ID, which is written to node.txt. Table 4 lists keys and values in the Windows registry that Sponsor uses to get the information, and provides an example of the data collected.

Table 4. Information gathered by Sponsor

| Registry key | Value | Example |
| --- | --- | --- |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | Hostname | D-835MK12 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | TimeZoneKeyName | Israel Standard Time |
| HKEY_USERS\.DEFAULT\Control Panel\International | LocaleName | el-IL |
| HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS | BaseBoardProduct | 10NX0010IL |
| HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | ProcessorNameString | Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductName | Windows 10 Enterprise N |
| | CurrentVersion | 6.3 |
| | CurrentBuildNumber | 19044 |
| | InstallationType | Client |

Sponsor also collects the host's Windows domain by using the following WMIC command:

wmic computersystem get domain

Lastly, Sponsor uses Windows APIs to collect the current username (GetUserNameW), determine whether the current Sponsor process is running as a 32- or 64-bit application (GetCurrentProcess, then IsWow64Process(CurrentProcess)), and determine whether the system is running on battery power or connected to an AC or DC power source (GetSystemPowerStatus).

One oddity regarding the 32- or 64-bit application check is that all observed samples of Sponsor were 32-bit. This could mean that some of the next stage tools require this information.

The collected information is sent in a base64-encoded message that, before encoding, starts with r and has the format shown in Figure 5.

Figure 5. Format of the message sent by Sponsor to register the victimized computer

The information is encrypted with RC4, and the encryption key is a random number generated on the spot. The key is hashed with the MD5 algorithm, not SHA-256 as previously mentioned. This is the case for all communications where Sponsor has to send encrypted data.

The C&C server replies with a number used to identify the victimized computer in later communications, which is written to node.txt. Note that the C&C server is randomly chosen from the list when the r message is sent, and the same server is used in all subsequent communications.

Command processing loop

Sponsor requests commands in a loop, sleeping according to the interval defined in config.txt. The steps are:

  1. Send a chk=Test message repeatedly, until the C&C server replies Ok.
  2. Send a c (IS_CMD_AVAIL) message to the C&C server, and receive an operator command.
  3. Process the command.
    • If there is output to be sent to the C&C server, send an a (ACK) message, including the output (encrypted), or
    • If execution failed, send an f (FAILED) message. The error message is not sent.
  4. Sleep.

The c message is sent to request a command to execute, and has the format (before base64 encoding) shown in Figure 6.

Figure 6. Format of the message sent by Sponsor to ask for commands to execute

The encrypted_none field in the figure is the result of encrypting the hardcoded string None with RC4. The key for encryption is the MD5 hash of node_id.
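The two RC4 key derivations described above, as an added example for analysts decoding Sponsor artifacts (this is not ESET's code nor code from the backdoor): the config.txt relay fields use the string form of the SHA-256 hash of the key on the first line, with the ciphertext stored hex-encoded, while the C&C messages use the MD5 hash of node_id (for encrypted_none) or of the per-message random number. It assumes that "string representation" means the lowercase hex digest as ASCII bytes, and the sample relay list and key are constructed values using a TEST-NET address, not data from any observed sample.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def config_rc4_key(config_key: str) -> bytes:
    """config.txt variant: the RC4 key is the string form of SHA-256(key).
    Assumption: 'string form' is the lowercase hex digest as ASCII bytes."""
    return hashlib.sha256(config_key.encode()).hexdigest().encode()


def message_rc4_key(value: str) -> bytes:
    """C&C message variant: the RC4 key is the MD5 hash of node_id (for the
    'c' request) or of the per-message random number (for the 'r' registration).
    Same hex-string assumption as above."""
    return hashlib.md5(value.encode()).hexdigest().encode()


def decrypt_relay_field(config_key: str, hex_ciphertext: str) -> str:
    """Decrypt one hex-encoded C&C ('relay') field taken from config.txt."""
    return rc4(config_rc4_key(config_key), bytes.fromhex(hex_ciphertext)).decode()


def encrypt_relay_field(config_key: str, relays: str) -> str:
    """Inverse of decrypt_relay_field; used here only to build a constructed sample."""
    return rc4(config_rc4_key(config_key), relays.encode()).hex()


def encrypted_none(node_id: str) -> bytes:
    """The encrypted_none value of a 'c' request: RC4(MD5(node_id), "None")."""
    return rc4(message_rc4_key(node_id), b"None")


# Constructed sample: a key as it would sit on the first line of config.txt and a
# relay list using TEST-NET addresses, not an address from any real sample.
SAMPLE_CONFIG_KEY = "constructed-key"
SAMPLE_RELAY_HEX = encrypt_relay_field(SAMPLE_CONFIG_KEY, "203.0.113.10,203.0.113.11")

if __name__ == "__main__":
    print("hex-encoded relay field:", SAMPLE_RELAY_HEX)
    print("decrypted relays:", decrypt_relay_field(SAMPLE_CONFIG_KEY, SAMPLE_RELAY_HEX))
    print("encrypted_none for node_id 42:", encrypted_none("42").hex())
```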

The URL used to contact the C&C server is built as: http://<IP_or_domain>:80. This may indicate that 37.120.222[.]168:80 is the only C&C server used throughout the Sponsoring Access campaign, as it was the only IP address we observed victim machines reaching out to on port 80.

Operator commands

Operator commands are delineated in Table 5 and appear in the order in which they are found in the code. Communication with the C&C server occurs over port 80.

Table 5. Operator commands and descriptions

| Command | Description |
| --- | --- |
| p | Sends the process ID for the running Sponsor process. |
| e | Executes a command, as specified in a subsequent additional argument, on the Sponsor host using the following string, where the argument takes the place of <command>: c:\windows\system32\cmd.exe /c <command> > result.txt 2>&1. Results are stored in result.txt in the current working directory. Sends an a message with the encrypted output to the C&C server if successfully executed. If failed, sends an f message (without specifying the error). |
| d | Receives a file from the C&C server and executes it. This command has many arguments: the target filename to write the file into, the MD5 hash of the file, a directory to write the file to (or the current working directory, by default), a Boolean to indicate whether to run the file or not, and the contents of the executable file, base64-encoded. If no errors occur, an a message is sent to the C&C server with Upload and execute file successfully or Upload file successfully without execute (encrypted). If errors occur during execution of the file, an f message is sent. If the MD5 hash of the contents of the file does not match the provided hash, an e (CRC_ERROR) message is sent to the C&C server (including only the encryption key used, and no other information). The use of the term Upload here is potentially confusing, as the Ballistic Bobcat operators and coders take the point of view of the server side, whereas many would view this as a download, since the system running the Sponsor backdoor pulls the file. |
| u | Attempts to download a file using the URLDownloadFileW Windows API and execute it. Success sends an a message with the encryption key used, and no other information. Failure sends an f message with a similar structure. |
| s | Executes a file already on disk, Uninstall.bat in the current working directory, that most likely contains commands to delete files related to the backdoor. |
| n | This command can be explicitly supplied by an operator or can be inferred by Sponsor as the command to execute in the absence of any other command. Referred to within Sponsor as NO_CMD, it executes a randomized sleep before checking back in with the C&C server. |
| b | Updates the list of C&Cs stored in config.txt in the current working directory. The new C&C addresses replace the previous ones; they are not added to the list. It sends an a message with New relays replaced successfully (encrypted) to the C&C server if successfully updated. |
| i | Updates the predetermined check-in interval specified in config.txt. It sends an a message with New interval replaced successfully to the C&C server if successfully updated. |

Updates to Sponsor

Ballistic Bobcat coders made code revisions between Sponsor v1 and v2. The two most significant changes in the latter are:

  • Optimization of code where several longer functions were minimized into functions and subfunctions, and
  • Disguising Sponsor as an updater program by including the following message in the service configuration:

App updates are great for both app users and apps – updates mean that developers are always working on improving the app, keeping in mind a better customer experience with each update.

Network infrastructure

In addition to piggybacking on the C&C infrastructure used in the PowerLess campaign, Ballistic Bobcat also introduced a new C&C server. The group also utilized multiple IPs to store and deliver support tools during the Sponsoring Access campaign. We have confirmed that none of these IPs are in operation at this time.

Conclusion

Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

| SHA-1 | Filename | Detection | Description |
| --- | --- | --- | --- |
| 098B9A6CE722311553E1D8AC5849BA1DC5834C52 | - | Win32/Agent.UXG | Ballistic Bobcat backdoor, Sponsor (v1). |
| 5AEE3C957056A8640041ABC108D0B8A3D7A02EBD | - | Win32/Agent.UXG | Ballistic Bobcat backdoor, Sponsor (v2). |
| 764EB6CA3752576C182FC19CFF3E86C38DD51475 | - | Win32/Agent.UXG | Ballistic Bobcat backdoor, Sponsor (v3). |
| 2F3EDA9D788A35F4C467B63860E73C3B010529CC | - | Win32/Agent.UXG | Ballistic Bobcat backdoor, Sponsor (v4). |
| E443DC53284537513C00818392E569C79328F56F | - | Win32/Agent.UXG | Ballistic Bobcat backdoor, Sponsor (v5, aka Alumina). |
| C4BC1A5A02F8AC3CF642880DC1FC3B1E46E4DA61 | - | WinGo/Agent.BT | RevSocks reverse tunnel. |
| 39AE8BA8C5280A09BA638DF4C9D64AC0F3F706B6 | - | clean | ProcDump, a command line utility for monitoring applications and generating crash dumps. |
| A200BE662CDC0ECE2A2C8FC4DBBC8C574D31848A | - | Generik.EYWYQYF | Mimikatz. |
| 5D60C8507AC9B840A13FFDF19E3315A3E14DE66A | - | WinGo/Riskware.Gost.D | GO Simple Tunnel (GOST). |
| 50CFB3CF1A0FE5EC2264ACE53F96FADFE99CC617 | - | WinGo/HackTool.Chisel.A | Chisel reverse tunnel. |
| 1AAE62ACEE3C04A6728F9EDC3756FABD6E342252 | - | - | Host2IP discovery tool. |
| 519CA93366F1B1D71052C6CE140F5C80CE885181 | - | Win64/Packed.Enigma.BV | RevSocks tunnel, protected with the trial version of the Enigma Protector software protection. |
| 4709827C7A95012AB970BF651ED5183083366C79 | - | - | Plink (PuTTY Link), a command line connection tool. |
| 99C7B5827DF89B4FAFC2B565ABED97C58A3C65B8 | - | Win32/PSWTool.WebBrowserPassView.I | A password recovery tool for passwords stored in web browsers. |
| E52AA118A59502790A4DD6625854BD93C0DEAF27 | - | MSIL/HackTool.SQLDump.A | A tool for interacting with, and extracting data from, SQL databases. |

File paths

The following is a list of paths where the Sponsor backdoor was deployed on victimized machines.

%SYSTEMDRIVE%\inetpub\wwwroot\aspnet_client
%USERPROFILE%\AppData\Local\Temp\file
%USERPROFILE%\AppData\Local\Temp\2low
%USERPROFILE%\Desktop
%USERPROFILE%\Downloads\a
%WINDIR%
%WINDIR%\INF\MSExchange Delivery DSN
%WINDIR%\Tasks
%WINDIR%\Temp
%WINDIR%\Temp\crashpad1\Files

Network

| IP | Provider | First seen | Last seen | Details |
| --- | --- | --- | --- | --- |
| 162.55.137[.]20 | Hetzner Online GMBH | 2021-06-14 | 2021-06-15 | PowerLess C&C. |
| 37.120.222[.]168 | M247 LTD | 2021-11-28 | 2021-12-12 | Sponsor C&C. |
| 198.144.189[.]74 | Colocrossing | 2021-11-29 | 2021-11-29 | Support tools download site. |
| 5.255.97[.]172 | The Infrastructure Group B.V. | 2021-09-05 | 2021-10-28 | Support tools download site. |

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Reconnaissance | T1595 | Active Scanning: Vulnerability Scanning | Ballistic Bobcat scans for vulnerable versions of Microsoft Exchange Servers to exploit. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Ballistic Bobcat designed and coded the Sponsor backdoor. |
| Resource Development | T1588.002 | Obtain Capabilities: Tool | Ballistic Bobcat uses various open-source tools as part of the Sponsoring Access campaign. |
| Initial Access | T1190 | Exploit Public-Facing Application | Ballistic Bobcat targets internet-exposed Microsoft Exchange Servers. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Sponsor backdoor uses the Windows command shell to execute commands on the victim's system. |
| Execution | T1569.002 | System Services: Service Execution | The Sponsor backdoor sets itself as a service and initiates its primary functions after the service is executed. |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | Sponsor maintains persistence by creating a service with automatic startup that executes its primary functions in a loop. |
| Privilege Escalation | T1078.003 | Valid Accounts: Local Accounts | Ballistic Bobcat operators attempt to steal credentials of valid users after initially exploiting a system, before deploying the Sponsor backdoor. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Sponsor stores information on disk that is encrypted and obfuscated, and deobfuscates it at runtime. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Configuration files that the Sponsor backdoor requires on disk are encrypted and obfuscated. |
| Defense Evasion | T1078.003 | Valid Accounts: Local Accounts | Sponsor is executed with admin privileges, likely using credentials that operators found on disk; along with Ballistic Bobcat's innocuous naming conventions, this allows Sponsor to blend into the background. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Ballistic Bobcat operators use open-source tools to steal credentials from password stores inside web browsers. |
| Discovery | T1018 | Remote System Discovery | Ballistic Bobcat uses the Host2IP tool, previously used by Agrius, to discover other systems within reachable networks and correlate their hostnames and IP addresses. |
| Command and Control | T1001 | Data Obfuscation | The Sponsor backdoor obfuscates data before sending it to the C&C server. |
