An Iran-aligned hacking group has been attributed to a brand new set of cyber assaults concentrating on Kurdish and Iraqi authorities officers in early 2024.
The exercise is tied to a menace group ESET tracks as BladedFeline, which is assessed with medium confidence to be a sub-cluster inside OilRig, a recognized Iranian nation-state cyber actor. It is stated to be lively since September 2017, when it focused officers related to the Kurdistan Regional Authorities (KRG).
“This group develops malware for sustaining and increasing entry inside organizations in Iraq and the KRG,” the Slovak cybersecurity firm stated in a technical report shared with The Hacker Information.
“BladedFeline has labored persistently to keep up illicit entry to Kurdish diplomatic officers, whereas concurrently exploiting a regional telecommunications supplier in Uzbekistan, and growing and sustaining entry to officers within the authorities of Iraq.”
BladedFeline was first documented by ESET in Might 2024 as a part of its APT Exercise Report This autumn 2023–Q1 2024, detailing the adversary’s assault on a governmental group from the Kurdistan area of Iraq and its concentrating on of the Uzbekistan telecom supplier that will have been compromised as early as Might 2022.
The group was found in 2023 following assaults geared toward Kurdish diplomatic officers with Shahmaran, a easy backdoor that checks in with a distant server and executes any operator-provided instructions on the contaminated host to add or obtain information, request particular file attributes, and supply a file and listing manipulation API.
Then final November, the cybersecurity agency stated it noticed the hacking crew orchestrating assaults towards Iran’s neighbors, notably regional and authorities entities in Iraq and diplomatic envoys from Iraq to numerous international locations, utilizing bespoke backdoors like Whisper (aka Veaty), Spearal, and Optimizer.
“BladedFeline has invested closely in gathering diplomatic and monetary data from Iraqi organizations, indicating that Iraq performs a big half within the strategic aims of the Iranian authorities,” ESET famous in November 2024. “Moreover, governmental organizations in Azerbaijan have been one other focus of BladedFeline.”
Whereas the precise preliminary entry vector used to get into KRG victims is unclear, it is suspected that the menace actors doubtless leveraged a vulnerability in an internet-facing utility to interrupt into Iraqi authorities networks and deploy the Flog net shell to keep up persistent distant entry.
 |
| The internal workings of the Whisper backdoor |
The wide selection of backdoors highlights BladedFeline’s dedication to refining its malware arsenal. Whisper is a C#/.NET backdoor that logs right into a compromised webmail account on a Microsoft Alternate server and makes use of it to speak with the attackers through e-mail attachments. Spearal is a .NET backdoor that makes use of DNS tunneling for command-and-control communication.
“Optimizer is an iterative replace on the Spearal backdoor. It makes use of the identical workflow and presents the identical options. The principle variations between Spearal and Optimizer are largely beauty,” the ESET analysis group informed The Hacker Information.
Choose assaults noticed in December 2023 have additionally concerned the deployment of a Python implant known as Slippery Snakelet that comes with restricted capabilities to execute instructions through “cmd.exe,” obtain information from an exterior URL, and add information.
The backdoors however, BladedFeline is notable for using varied tunneling instruments Laret and Pinar to keep up entry to focus on networks. Additionally put to make use of is a malicious IIS module dubbed PrimeCache, which ESET stated bears similarities to the RDAT backdoor utilized by OilRig APT.
A passive backdoor, PrimeCache works by protecting a watch out for incoming HTTP requests matching a predefined cookie header construction with the intention to course of instructions issued by the attacker and exfiltrate information.
It is this facet, coupled with the truth that two of OilRig’s instruments – RDAT and a reverse shell codenamed VideoSRV – have been found on a compromised KRG system in September 2017 and January 2018, respectively, has led to the chance that BladedFeline could also be a subgroup inside OilRig, but additionally totally different from Lyceum – a moniker assigned to a distinct sub-cluster.
The OilRig connection can be bolstered by a September 2024 report from Test Level, which pointed fingers on the Iranian hacking group for infiltrating the networks of Iraqi authorities networks and infecting them with Whisper and Spearal utilizing doubtless social engineering efforts.
ESET stated it recognized a malicious artifact named Hawking Listener that was uploaded to the VirusTotal platform in March 2024 by the identical get together that uploaded Flog. Hawking Listener is an early-stage implant that listens on a specified port to run instructions by way of “cmd.exe.”
“BladedFeline is concentrating on the KRG and the GOI for cyber espionage functions, with a watch towards sustaining strategic entry to high-ranking officers in each governmental entities,” the corporate concluded.
“The KRG’s diplomatic relationship with Western nations, coupled with the oil reserves within the Kurdistan area, makes it an attractive goal for Iran-aligned menace actors to spy on and doubtlessly manipulate. In Iraq, these menace actors are likely attempting to counter the affect of Western governments following the U.S. invasion and occupation of the nation.”
