Cyber Web Spider Blog – News
Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware

Posted on June 5, 2025 by CWS

An Iran-aligned hacking group has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024.
The activity is tied to a threat group ESET tracks as BladedFeline, which is assessed with medium confidence to be a sub-cluster within OilRig, a known Iranian nation-state cyber actor. It is said to have been active since September 2017, when it targeted officials associated with the Kurdistan Regional Government (KRG).
"This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG," the Slovak cybersecurity company said in a technical report shared with The Hacker News.
"BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq."
BladedFeline was first documented by ESET in May 2024 as part of its APT Activity Report Q4 2023–Q1 2024, detailing the adversary's attack on a governmental organization from the Kurdistan region of Iraq and its targeting of the Uzbekistan telecom provider, which may have been compromised as early as May 2022.

The group was discovered in 2023 following attacks aimed at Kurdish diplomatic officials with Shahmaran, a simple backdoor that checks in with a remote server and executes any operator-provided commands on the infected host to upload or download files, request specific file attributes, and provide a file and directory manipulation API.
Then last November, the cybersecurity firm said it observed the hacking crew orchestrating attacks against Iran's neighbors, particularly regional and government entities in Iraq and diplomatic envoys from Iraq to various countries, using bespoke backdoors like Whisper (aka Veaty), Spearal, and Optimizer.
"BladedFeline has invested heavily in gathering diplomatic and financial information from Iraqi organizations, indicating that Iraq plays a significant part in the strategic goals of the Iranian government," ESET noted in November 2024. "Additionally, governmental organizations in Azerbaijan have been another focus of BladedFeline."
While the exact initial access vector used to get into KRG victims is unclear, it is suspected that the threat actors likely leveraged a vulnerability in an internet-facing application to break into Iraqi government networks and deploy the Flog web shell to maintain persistent remote access.
The internal workings of the Whisper backdoor
The wide range of backdoors highlights BladedFeline's commitment to refining its malware arsenal. Whisper is a C#/.NET backdoor that logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. Spearal is a .NET backdoor that uses DNS tunneling for command-and-control communication.
Select attacks observed in December 2023 have also involved the deployment of a Python implant called Slippery Snakelet that comes with limited capabilities to execute commands via "cmd.exe," download files from an external URL, and upload files.
The backdoors notwithstanding, BladedFeline is notable for using the tunneling tools Laret and Pinar to maintain access to target networks. Also put to use is a malicious IIS module dubbed PrimeCache, which ESET said bears similarities to the RDAT backdoor used by OilRig APT.
A passive backdoor, PrimeCache works by watching for incoming HTTP requests matching a predefined cookie header structure in order to process commands issued by the attacker and exfiltrate files.
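As an added example (not code from the article or from ESET's report), a defender-side heuristic for the kind of DNS tunneling the article attributes to Spearal: it scores subdomain labels by length and entropy, then flags clients that query many distinct encoded-looking names under one parent domain. The DNS log entries and thresholds below are constructed; Spearal's actual encoding scheme is not described on this page, so the thresholds are starting points to tune against real resolver logs.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log entries (client, queried name); not from the article.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.7", "4a7f2e9c1b3d8e6f0a2c4e6b8d0f1a3c.updates.example.net"),
    ("10.0.0.7", "9e1d3c5b7a9f0e2d4c6b8a0f1e3d5c7b.updates.example.net"),
    ("10.0.0.7", "0b2d4f6a8c0e1a3c5e7b9d1f3a5c7e9b.updates.example.net"),
    ("10.0.0.7", "f1e2d3c4b5a69788796a5b4c3d2e1f00.updates.example.net"),
    ("10.0.0.9", "deadbeefcafef00d1234567890abcdef.updates.example.net"),
]

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single DNS label."""
    if not label:
        return 0.0
    n = len(label)
    counts = (label.count(ch) for ch in set(label))
    return -sum(c / n * math.log2(c / n) for c in counts)

def is_suspicious_name(name: str, max_len: int = 30, min_entropy: float = 3.5) -> bool:
    """True if any subdomain label looks like encoded data (very long or high-entropy).
    The registered domain is approximated as the last two labels (a simplification)."""
    labels = name.lower().rstrip(".").split(".")
    return any(len(lbl) >= max_len or shannon_entropy(lbl) >= min_entropy
               for lbl in labels[:-2])

def find_tunneling_candidates(queries, min_unique: int = 4):
    """Group suspicious lookups by (client, parent domain) and return those with at
    least min_unique distinct names: a tunnel produces many never-repeated subdomains
    under a single attacker-controlled domain, while ordinary traffic repeats names."""
    seen = defaultdict(set)
    for client, name in queries:
        if is_suspicious_name(name):
            parent = ".".join(name.lower().rstrip(".").split(".")[-2:])
            seen[(client, parent)].add(name.lower())
    return {key: len(names) for key, names in seen.items() if len(names) >= min_unique}

if __name__ == "__main__":
    for (client, parent), count in find_tunneling_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {parent}: {count} distinct encoded-looking subdomains")
```

Running it on the constructed log reports only 10.0.0.7, since 10.0.0.9 made a single odd lookup and stays below the uniqueness threshold.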

It is this aspect, coupled with the fact that two of OilRig's tools – RDAT and a reverse shell codenamed VideoSRV – were discovered on a compromised KRG system in September 2017 and January 2018, respectively, that has led to the possibility that BladedFeline may be a subgroup within OilRig, but also distinct from Lyceum – a moniker assigned to a different sub-cluster.
The OilRig connection is also strengthened by a September 2024 report from Check Point, which pointed fingers at the Iranian hacking group for infiltrating Iraqi government networks and infecting them with Whisper and Spearal, likely using social engineering efforts.
ESET said it identified a malicious artifact named Hawking Listener that was uploaded to the VirusTotal platform in March 2024 by the same party that uploaded Flog. Hawking Listener is an early-stage implant that listens on a specified port to run commands via "cmd.exe."
"BladedFeline is targeting the KRG and the GOI for cyber espionage purposes, with an eye toward maintaining strategic access to high-ranking officials in both governmental entities," the company concluded.
"The KRG's diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are likely trying to counter the influence of Western governments following the U.S. invasion and occupation of the country."

