BladedFeline: Whispering in the dead of night

In 2024, ESET researchers discovered a number of malicious tools within the systems used by Kurdish and Iraqi government officials. The APT group behind the attacks is BladedFeline, an Iranian threat actor that has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government (KRG). This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG. While this is our first blogpost covering BladedFeline, we discovered the group in 2023, after it targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in the ESET APT Activity reports Q4 2023-Q1 2024 and Q2 2024-Q3 2024.

The array of tools used in the current campaign shows that since deploying Shahmaran, BladedFeline has continued to develop its arsenal. We found two reverse tunnels, a variety of supplementary tools, and most notably, a backdoor that we named Whisper and a malicious IIS module we dubbed PrimeCache. Whisper is a backdoor that logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache also serves as a backdoor: it is a malicious IIS module related to what we called Group 2 in our 2021 paper Anatomy of native IIS malware. Notably, PrimeCache also bears similarities to the RDAT backdoor used by the Iran-aligned OilRig APT group.

Based on these code similarities, as well as on additional evidence presented in this blogpost, we assess with medium confidence that BladedFeline is a subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. We have previously reported on other activity linked to OilRig. To avoid confusion, we have since refined our OilRig tracking, and we now track both of these operations under a separate subgroup – Lyceum – within OilRig.

BladedFeline has worked persistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and establishing and maintaining access to officials in the government of Iraq. This blogpost details the technical aspects of the initial implants delivered to BladedFeline's targets and the links between the victims, and lays the groundwork for associating this subgroup with OilRig.

Key points of the blogpost:

  • BladedFeline compromised officials within the Kurdistan Regional Government at least as early as 2017.
  • The initial implants used there can be traced back to OilRig.
  • We discovered BladedFeline after its operators compromised Kurdish diplomatic officials with the group's signature Shahmaran backdoor in 2023.
  • This APT group has also infiltrated high-ranking officials within the government of Iraq.
  • We assess with medium confidence that BladedFeline is a subgroup within OilRig.
  • We analyze two reverse tunnels (Laret and Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache), and various supplementary tools.

BladedFeline overview

BladedFeline is an Iran-aligned cyberespionage group, active since at least 2017 according to ESET telemetry. We discovered the group in 2023 when it deployed its Shahmaran backdoor against Kurdish diplomatic officials. Shahmaran, named after a mythical half-snake, half-woman creature from Iranian folklore, is a 64-bit portable executable that we found in the target's Startup directory. This simple backdoor doesn't use any compression or encryption for network communications. After checking in with the C&C server, the backdoor executes any operator commands provided, which include uploading and downloading additional files, requesting specific file attributes and providing a file and directory manipulation API.

As evidenced by the campaign toolset we describe in this blogpost, since deploying Shahmaran, BladedFeline has continued to develop its malware in an effort to retain and even further extend its access to the KRG and to high levels within the government of Iraq (GOI). We uncovered the campaign in 2024 after discovering BladedFeline's Whisper backdoor, PrimeCache IIS backdoor, and a set of post-compromise tools in the networks of Kurdish diplomatic officials, Iraqi government officials, and a regional telecommunications provider in Uzbekistan.

We detected and collected one version of Whisper and found another on VirusTotal, uploaded by a user in Iraq. They are almost identical, and we were able to determine the likely identity of the VirusTotal uploader, based on data in the Whisper sample and other samples uploaded under the same submitter ID. PrimeCache, Flog (a webshell), and Hawking Listener (an early-stage implant that listens on a specified port) were all uploaded to VirusTotal by the same submitter ID who uploaded the Whisper samples. Based on the Whisper link and the close timeframe (both were uploaded within a matter of minutes), we believe it was deployed by BladedFeline to a victim in Iraq's government. Some of the tools mentioned below in the Timeline are discussed later in the report (e.g., Slippery Snakelet).

Timeline

2017-09-21 ● VideoSRV reverse shell on KRG system
           |
2018-01-30 ● RDAT backdoor on KRG system
           |
2019-07-09 ● Custom Plink on KRG system
           |
2021-05-01 ● Sheep Tunneler on KRG system
           |
2023-01-23 ● LSASS dumped on KRG system
           |
2023-02-01 ● Shahmaran backdoor on KRG system
           |
2023-03-25 ● First victim targeted at a telecommunications company in Uzbekistan
           |
2023-06-12 ● Shahmaran version 2 on KRG system for access maintenance
           |
2023-12-14 ● BladedFeline operators executing CLI commands on KRG system
           |
2023-12-16 ● Slippery Snakelet backdoor on KRG system
           |
2023-12-20 ● P.S. Olala (a PowerShell executor) on KRG system
           |
2023-12-20 ● PsExec on KRG system
           |
2024-01-07 ● Whisper backdoor on KRG system
           |
2024-02-01 ● Laret reverse tunnel on KRG system
           |
2024-02-20 ● Pinar reverse tunnel on KRG system
           |
2024-02-29 ● PrimeCache malicious IIS module uploaded to VirusTotal
           |
2024-03-11 ● Whisper version 2, Flog, and Hawking Listener uploaded to VirusTotal

Attribution

Our attribution of this campaign to BladedFeline is based on the following:

  • The campaign targets members of the KRG, as have earlier attacks carried out by BladedFeline.
  • The original attack activity targeting the KRG organization allowed us to identify successive malware, as BladedFeline has attempted to maintain and expand access to the organization.
  • Further analysis of the attacks led us to identify the telecommunications victim in Uzbekistan.
  • At the same time, looking into the Whisper backdoor helped us identify the GOI victim.

We assess that BladedFeline is targeting the KRG and the GOI for cyberespionage purposes, with an eye toward maintaining strategic access to high-ranking officials in both governmental entities. The KRG's diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are likely attempting to counter the influence of Western governments following the US invasion and occupation of the country.

We believe with medium confidence that BladedFeline is a subgroup of OilRig:

  • As does OilRig, BladedFeline targets organizations in the Middle East with the goal of cyberespionage.
  • We have found OilRig tools (VideoSRV and RDAT) on a compromised KRG system.
  • BladedFeline's malicious IIS module PrimeCache shares code similarities with OilRig's RDAT.

BladedFeline isn't the only subgroup of OilRig that we are tracking: we have already been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare. Major tools we attribute to Lyceum include DanBot, the Shark, Milan, and Marlin backdoors, Solar and Mango, OilForceGTX, and several downloaders using legitimate cloud services for C&C communication.

We will continue to use the name OilRig to refer to the parent group, also known as APT34 or Hazel Sandstorm (formerly EUROPIUM). OilRig is a cyberespionage group that has been active since at least 2014 and is generally believed to be based in Iran. The group targets Middle Eastern governments and a variety of business verticals, including chemical, energy, finance, and telecommunications. Notable OilRig campaigns include the 2018 and 2019 DNSpionage campaign, targeting victims in Lebanon and the United Arab Emirates; the 2019–2020 HardPass campaign, using LinkedIn to target Middle Eastern victims in the energy and government sectors; the 2020 attack against a telecommunications organization in the Middle East using the RDAT backdoor; and the 2023 attacks targeting organizations in the Middle East with the PowerExchange and MrPerfectionManager backdoors.

OilRig tools used by BladedFeline

We have found two OilRig tools on the KRG machines compromised by BladedFeline.

RDAT

We discovered a previously unreported version of the OilRig backdoor RDAT on two KRG victim systems. Analyzing RDAT, we found that the operational flow (see Unit 42's report for specifics), compilation timestamp (2017-12-26 10:49:35), and file write time (2018-01-30) align with OilRig activity and targeting, particularly with regard to the group's 2017 activity. We observed a file with an SHA-1 of 562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D and a path of C:\Windows\System32\LogonUl.exe on both systems. The PDB path also corroborates that this binary is RDAT: C:\Users\Void\Desktop\RDAT\client\x64\Release\client.pdb. To date, we have only ever observed RDAT in use by OilRig. Moreover, we have not seen any custom implant sharing between OilRig and other Middle Eastern groups, and it seldom occurs between Iran-aligned threat actors.

Further bolstering the case that BladedFeline is an OilRig subgroup, as with Lyceum, is the analysis linking RDAT with PrimeCache, a malicious IIS module that was uploaded to VirusTotal presumably by the GOI victim. This link is explored in more depth in the Links with OilRig section of the blogpost.

VideoSRV

One additional data point on the OilRig and BladedFeline connection is a reverse shell deployed to one of the KRG victims (September 21st, 2017) prior to RDAT being dropped on the same system (January 30th, 2018). VideoSRV (SHA-1: BE0AD25B7B48347984908175404996531CFD74B7), so named for its filename videosrv.exe, has the PDB string C:\Users\v0id\Desktop\reverseShell\clientProxy\x64\Release\ConsoleApplication1.pdb, which bears some similarities to the RDAT PDB string C:\Users\Void\Desktop\RDAT\client\x64\Release\client.pdb.

Technical analysis

Initial access

It is still unclear how BladedFeline is establishing access to its victims. What we know is that in the case of the KRG victims, the threat actors obtained access at least as far back as 2017 and have maintained it ever since. As for the GOI victims, we suspect that the group exploited a vulnerability in an application on an internet-facing web server, which allowed them to deploy the Flog webshell.

Toolset

PrimeCache – malicious IIS module

PrimeCache, whose name we derived from the RTTI AVRSAPrimeSelector and its filename (cachehttp.dll), is a passive backdoor implemented as a native IIS module with an internal name of HttpModule.dll. It was uploaded to VirusTotal by the same user who uploaded one of the Whisper backdoor samples. It is a 64-bit C++ DLL with a compilation timestamp of 2023-05-14 06:55:52 and has a minimized PDB string of just HttpModule.pdb. It has a single export: RegisterModule.

PrimeCache is a successor to a set of unattributed IIS backdoors that we have previously reported as Group 2 (simple IIS backdoors) in our 2021 blogpost, Anatomy of native IIS malware. We obtained those original samples from VirusTotal, where they were uploaded by users from Bahrain, Israel, and Pakistan, between 2018 and 2020. Based solely on the location of the presumed victims, it is possible that those cases were also related to BladedFeline – or, more broadly, OilRig – activities.

Main functionality

PrimeCache's main functionality is implemented in the CGlobalModule::OnGlobalPreBeginRequest handler. This is a novel implementation, differing from its predecessors, which used the CHttpModule::OnBeginRequest handler. PrimeCache filters incoming HTTP requests, only processing those from the BladedFeline operators, which are recognized by having a cookie header with the structure:

F=,;

Note that this value can be standalone or embedded into a longer cookie, surrounded by semicolon (;) characters.

The backdoor works in an unusual manner (new with this version compared with our 2021 analysis). Rather than accepting a backdoor command and all its parameters within a single HTTP request, each action is split into multiple requests. First, the BladedFeline operator sends an individual request for each single parameter; these parameters are stored in a global structure. Then the operator sends another request to trigger the backdoor command. Finally, PrimeCache uses the previously received parameters to execute the specified action, and then clears the cached parameters.

Operator commands

There are three types of requests that can be received by the backdoor, as shown in Table 1.

Table 1. PrimeCache operator commands

Parameter | Description
1 | Format: =. Clears the list of previously stored parameters and adds the new value. Most parameters are encrypted; see Encryption below.
0 | Not used. Triggers the backdoor action, using previously transmitted backdoor parameters.
Other | Format: =. Adds the specified value to the list of stored parameters (doesn't clear the list). Most parameters are encrypted; see Encryption below.

Once the action is triggered (via =0), PrimeCache performs an action, based on the previously obtained parameters, as shown in Table 2. One note on the chart below:

The PrimeCache action is operator command (OpCom) a, the session key is OpCom k, binary data is OpCom b, and the filename is OpCom f.

Table 2. PrimeCache post-operator command actions

PrimeCache action | Session key | Binary data | Filename | Command description | Return value
r | RSA-encrypted session key | AES-encrypted command line | Null | Runs the specified command via popen. | Command output
r2 | RSA-encrypted session key | AES-encrypted command line | Null | Runs the specified command via CreateProcessW. | Command output
r3 | RSA-encrypted session key | AES-encrypted command line | Null | (Presumably) runs the specified command by sending it to another (unknown) process via the named pipe \\.\pipe\iis, then reads (presumably) the command output from the same pipe. | Command output
u | RSA-encrypted session key | AES-encrypted file content | Local filename | Creates a local file with the specified name and content. | OK
d | RSA-encrypted session key | Null | Local filename | Exfiltrates the given file from the compromised IIS server. | File content

Encryption

Similar to its predecessors, PrimeCache uses both RSA and AES-CBC for its C&C communication. The parameters and the return values are always AES-CBC encrypted using the session key, then base64 encoded. The session key is RSA encrypted; the backdoor has a hardcoded private and public RSA key (not a pair) to handle both directions of the communication.

A statically linked Crypto++ library is used to handle the encryption and decryption operations.

C&C communications

Operator commands are transmitted in the cookie header (another deviation from earlier versions, which used the URL or the HTTP request body). PrimeCache responses are added to the HTTP response body. If a file is being exfiltrated, the Content-Type header is set to attachment, matching the functionality of the earlier versions.

The PrimeCache predecessors also used the same encryption scheme, and similar parameter names (a, c, f, k), but all were sent to the backdoor in a single request. The only supported commands were r, u, and d.

Links with OilRig

When we compare PrimeCache with RDAT, as described in the RDAT attribution subsection, we see several similarities that support our supposition that BladedFeline is a subgroup of OilRig.

  • Both RDAT and PrimeCache use the Crypto++ library, and both parse the backdoor commands using the regular expression [^,]+.
    • The payload attempts to parse the decrypted cleartext using the regular expression [^,]+ to get the command value and the command arguments that are split with a comma.
  • Both share a function, shown in Figure 1, that executes a shell command and reads the output, which, across our corpus, is found only in these two pieces of malware.

Figure 1. A unique function to execute a shell command, shared between RDAT (left) and PrimeCache backdoors (right)

Whisper backdoor

Whisper is a 32-bit Windows binary written in C#/.NET, named after its PDB strings G:\csharp\Whisper_Trojan_winform\Whisper_Trojan_winform\Whisper_Trojan_winform\obj\Release\Veaty.pdb and Z:\csharp\Whisper_Trojan_winform_for_release\Whisper_Trojan_winform\Whisper_Trojan_winform\obj\Release\Veaty.pdb. It uses a Microsoft Exchange server to communicate with the attackers by sending email attachments via a compromised webmail account. We have seen two versions of the backdoor: we detected and collected one version, and the other was uploaded to VirusTotal from Iraq. These samples are almost identical, but we were able to determine the likely identity of the VirusTotal uploader based on data in the Whisper sample and other samples uploaded by that user.

Both these versions of Whisper have timestomped compilation timestamps (2090-04-11 23:38:14 and 2080-12-11 03:50:47). They are built using Costura, presumably to ensure that the victim's system uses the DLLs packaged with the binary and not DLLs in the Global Assembly Cache.

Whisper's operation isn't the first time we have observed an OilRig subgroup using cloud services for its C&C protocol. While, unlike with Whisper, there were no emails actually being sent, Lyceum used email drafts for communication between its malware and operators throughout 2022, as we described in a previous blogpost.

Operational workflow

Whisper doesn't require or accept any arguments. Instead, its dropper – which we dubbed Whisper Protocol after its filename, Protocol.pdf.exe – writes its configuration file to disk alongside it (see the Whisper Protocol section). The config file, shown in Figure 2, is in XML format with its key and value strings base64 encoded. It is called by the Specs class of Whisper, which uses a function – DelockItems – to base64 decode the config variables.

Figure 2. Whisper configuration file with its base64-encoded elements (left) and decoded (right)

Figure 3 shows the operational flow of Whisper, which we detail in the following paragraphs.

Figure 3. Basic operational flow of Whisper

Whisper's operational flow can be broken down into seven steps:

In Step 1, Whisper uses the credentials from the config file (line 15 in Figure 2) and the Microsoft Exchange Web Services class ExchangeService to attempt to log into compromised webmail accounts. Once Whisper successfully logs into an account, it saves the credentials in memory and writes the following to the log file c:\Windows\Temp\WindowsEventLogs.txt:

———— ItemContext is set: username [] , use_defaultCred: [credentials>]

If no credentials in the config file are valid, Whisper logs the following error messages to the log file:

———————————- there was No Way to access any MailBox.

__________ Extraction function called.

If an unexpected error is caught, Whisper writes the following to the log file (note the misspelling of the word occurred, indicative of a non-native English speaker) and exits using the Environment.Exit(Int32) method. Strangely, the exitCode used, 0, indicates that the process completed successfully.

———————————-__ an unknown Exception happend. program turned off

Next, in Step 2, Whisper uses the credentials from the previous step to check for inbox rules using the ExchangeService.GetInboxRules method (which [r]etrieves a collection of Inbox rules that are associated with the specified user). Using the value in line 13 of the configuration file (key="receive_sign", value="PMO"), Whisper iterates over the inbox rules looking for that value to be specified in one of three locations: subject, body, or subjectorbody, and for emails matching that value to be sent to a specified location (deleteditems or inbox, depending on the version of Whisper). If the inbox has such a rule, Whisper goes to the next step; otherwise, Whisper creates a rule with the given parameters:

  • Rule name: MicosoftDefaultRules.
  • Move to folder: deleteditems or inbox.
    • One version of Whisper specifies the deleteditems folder; the other points to the inbox. Both are hardcoded in the separate binaries.
  • Mark as read: true.
  • Condition: subject contains PMO.
    • The location to look for the string, subject, is hardcoded in both versions of Whisper. The string to look for, PMO, is in the configuration file used by Whisper; we were unable to collect the other configuration file.

In Step 3, Whisper initiates a never-ending do loop that sends a check-in email message from the compromised email account in Step 1 to an email address specified in the configuration file (line 16, key="alive_mail"). The check-in message is sent every 10 hours (line 10 in the configuration file, key="al_time"; in minutes), the subject (line 17, key="alive_msg_subj") is Content, and the message body contains the string defined below:

"Content ID: " + base64_encode("COMPUTERNAME:USERDNSDOMAIN:USERNAME")

Next, in Step 4, Whisper fetches operator commands. It does so by searching the inbox identified in Step 1 for files in a given folder (deleteditems or inbox, depending on the version of Whisper) with attachments where the subject matches a string (supplied in the configuration file; PMO in the one configuration file we collected). For matching emails with attachments, Whisper scrapes the attachment body (which should contain encrypted commands) and stores the sender's email address for use later as the C&C server to which operator command results are uploaded.

In Step 5, Whisper decrypts the operator commands. It does so by first base64 decoding the string containing the command and then decrypting the result using the .NET AES class with a 16-byte initialization vector and the encryption key found in the configuration file (line 18, key="enc_key" value="cXdlcmFzZHp4Y3ZmZ2d0aGhsZGZvZ2g/bHZtZ2xrZyE="). Decrypted commands are in the form of ;. The command ID, commands, and command output are stored in the following format:

base64-encoded(: nn)

Then, in Step 6, Whisper executes the backdoor commands and records the results. Possible commands include:

The data written to disk is:

this is my file content

The bytes to write are base64 encoded (and decoded before writing to disk). Successful execution returns:

file received correctly. wrote to:

  • Send a file to the C&C server

This command is prefixed with this is my required file path followed by nn. Whisper reads the contents of the file into memory, base64 encodes them, and returns:

this is my required file nnn

  • Execute a PowerShell script

This command doesn't have a prefix and instead only contains a plaintext command that PowerShell is capable of executing, postfixed with a pipe, after which Whisper appends Out-String. Output is stored in this form:

base64-encoded(: nn)

Finally, in Step 7, Whisper sends the command output in an email message to the C&C inbox found in Step 4. The email is formatted with these details:

  • sending email address: inbox from Step 1,
  • recipient: email address from Step 4,
  • subject: Email (from the configuration file, line 14, key="send_sign"),
  • message body: Hey There! find your results in the attachment (hardcoded in the binary), and
  • attachment: output from the commands in Step 6, encrypted with the same encryption key as in Step 5 (configuration file line 18, key="enc_key" value="cXdlcmFzZHp4Y3ZmZ2d0aGhsZGZvZ2g/bHZtZ2xrZyE=").

Steps 4–7 continue in a loop using the same check-in schedule from Step 3 until the credentials hardcoded in the configuration file are changed.
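Two of the artifacts described in Steps 2 and 3 are directly observable in a mailbox: the check-in body ("Content ID: " followed by the base64-encoded COMPUTERNAME:USERDNSDOMAIN:USERNAME triplet) and the MicosoftDefaultRules inbox rule. The following is an added detection example written for this blogpost, not code from Whisper or from ESET; the mailbox records, rule dictionary layout and sample values are constructed, and the check-in subject is not checked because it comes from the per-sample configuration.

```python
"""Detect Whisper check-in emails and the inbox rule it persists (added example)."""
import base64
import binascii
from typing import List, Optional, Tuple

# Strings taken from the analysis above; the rule name keeps the malware's misspelling.
RULE_NAME = "MicosoftDefaultRules"
CHECKIN_PREFIX = "Content ID: "
TARGET_FOLDERS = {"deleteditems", "inbox"}


def parse_checkin(body: str) -> Optional[Tuple[str, str, str]]:
    """Return (computername, domain, username) if body is a Whisper check-in, else None."""
    if not body.startswith(CHECKIN_PREFIX):
        return None
    blob = body[len(CHECKIN_PREFIX):].strip()
    try:
        decoded = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64 / not ASCII: not the documented format
    parts = decoded.split(":")
    if len(parts) != 3 or not all(parts):
        return None  # the documented payload is exactly three non-empty fields
    return parts[0], parts[1], parts[2]


def is_whisper_rule(rule: dict) -> bool:
    """Flag an inbox rule by the hardcoded name, or by the same behaviour under another name.

    Rule dictionaries here are a constructed layout (name, mark_as_read, move_to,
    subject_contains), not the EWS object model.
    """
    if rule.get("name") == RULE_NAME:
        return True
    return (
        rule.get("mark_as_read") is True
        and rule.get("move_to", "").lower() in TARGET_FOLDERS
        and bool(rule.get("subject_contains"))
    )


def scan_mailbox(messages: List[dict], rules: List[dict]):
    """Return (check-in triples found, names of suspicious rules)."""
    hits = [t for t in (parse_checkin(m["body"]) for m in messages) if t]
    bad_rules = [r["name"] for r in rules if is_whisper_rule(r)]
    return hits, bad_rules


# Constructed sample data (not from the samples discussed in the blogpost).
SAMPLE_CHECKIN_BODY = CHECKIN_PREFIX + base64.b64encode(b"WS01:corp.example:jdoe").decode()
SAMPLE_MESSAGES = [
    {"subject": "Content", "body": SAMPLE_CHECKIN_BODY},
    {"subject": "Email", "body": "Hey There! find your results in the attachment"},
]
SAMPLE_RULES = [
    {"name": "Newsletters", "mark_as_read": False, "move_to": "Archive", "subject_contains": "digest"},
    {"name": RULE_NAME, "mark_as_read": True, "move_to": "deleteditems", "subject_contains": "PMO"},
]

if __name__ == "__main__":
    print(scan_mailbox(SAMPLE_MESSAGES, SAMPLE_RULES))
```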

Shahmaran backdoor

The Shahmaran backdoor, named after a mythical half-snake, half-woman creature from Iranian folklore, is a 64-bit PE that was found in the startup folder as:

%ROAMINGAPPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobeupdater.exe

At system startup, Shahmaran creates a Windows event object, SysPrep. It is possible that the Shahmaran developers chose SysPrep as the event name to blend into the background noise, as SysPrep is part of the Windows imaging process. Windows admins use it to create a standard Windows image (often called a Gold or Golden image) before deployment to enterprise systems. Figure 4 shows the SysPrep event object on a compromised system as seen by Sysinternals' WinObj.

Figure 4. Sysinternals' WinObj showing the SysPrep event object on a compromised system

The C&C domain is hardcoded, olinpa[.]com, as is the port, 80, and the User-Agent string, of which there are two. The initial connection to the C&C uses an incomplete User-Agent string (it is missing the closing parenthesis):

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0

Subsequent communication with the C&C uses the corrected User-Agent string:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Shahmaran doesn't use any compression or encryption for network communications. And while the port is hardcoded (80), there are code fragments that check for the port in use and update communication variables if port 443 is used.

After checking in with the C&C server, Shahmaran executes any operator commands provided, returns any output from those commands, then sleeps for 30 seconds before checking in with the C&C server again, ad infinitum. Table 3 shows the available operator commands and their functions.

Table 3. Operator commands and their descriptions

Operator command | Description
1 | Returns the datetime that the specified file was written to disk in UTC, prepended with id= and in the format YYYY/MM/DD HH:MM:SS.
2 | Moves the specified file to the specified location. Returns the output of the file move operation prepended with id=.
3 | Deletes the specified file. Returns the output of the file delete operation prepended with id=.
4 | Creates the specified directory. Returns the output of the directory creation operation prepended with id=.
5 | Creates a log file in the hardcoded location c:\programdata\~tmp.log, if it doesn't already exist. If the file already exists, reads the contents and returns them to the C&C server with the file's timestamp in UTC and in the format YYYY/MM/DD HH:MM:SS, then deletes the file. If the file doesn't exist, returns the filename and path. If an error occurs, returns the error. All returned data is prepended with s=.
6 | Checks for the specified file. If found, writes the provided data to the file and returns s=. If not found, returns u=.
7 | Creates the specified file. Returns s= appended with either the filename (success) or an error code.
8 | Checks for the presence of the specified filename in a compressed folder in the specified location on disk and creates it if it doesn't exist. Returns s= appended with the filename and the timestamp in UTC in the format YYYY/MM/DD HH:MM:SS. The timestamp is used to determine whether the file was already present or was just created.

After executing an operator command, Shahmaran sends the output to the C&C server using the format t=&, such as t=1&s=.

Slippery Snakelet backdoor

Slippery Snakelet is a small Python-based backdoor with limited capabilities:

1. executes a command via cmd.exe,

2. downloads a file from a URL, and

3. uploads a file to the /newfile/ URI path.

Slippery Snakelet has a hardcoded C&C server, zaincell[.]store, and communicates with it via URLs of the form https://zaincell[.]store/request/, where the final path component is the victim's login domain and the compromised computer's name separated by a period, then base64 encoded (e.g., victim_domain.computer_name = dmljdGltX2RvbWFpbi5jb21wdXRlcl9uYW1l).

Slippery Snakelet also has this hardcoded User-Agent:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36

The C&C server was disguised as an Arabian Gulf E-Learning website and the default HTML landing page doesn't contain any commands. When Slippery Snakelet supplies a correctly formatted request (e.g., https://zaincell[.]store/request/), the C&C server inserts tags such as 6wjTyB3Y20KSzU1VUlTagp3aG9hbWkKbnVsbApudWxs into the page, and Slippery Snakelet collects and decodes these.

Slippery Snakelet base64 decodes everything from the eighth character to the end of the string (i.e., Y20KSzU1VUlTagp3aG9hbWkKbnVsbApudWxs in the example above). The decoded output is newline separated and contains the five items described in Table 4.

Table 4. Slippery Snakelet arguments and options

Commands | Options | Example
Command Type | cm (execute cmd.exe command), getfl (download a file), sendfl (upload a file) | cm
Command ID | CMID (a random string) | K55UISj
Command / FileUrl / FilePath | Respectively for cm / getfl / sendfl | whoami
Null / SavePath / FilePath | Respectively for cm / getfl / sendfl | null
Null | Unknown | null
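The tasking format above is simple enough to decode mechanically, which is useful when triaging proxy logs or captured C&C pages. The following is an added example written for this blogpost, not Slippery Snakelet's own code or ESET's tooling: it decodes the per-victim URI component and the tag from the example above, and runs over constructed proxy log lines (the log line layout is an assumption).

```python
"""Decoder and log check for Slippery Snakelet's C&C format (added example)."""
import base64
import binascii
from dataclasses import dataclass
from typing import List, Tuple

# Command types from Table 4.
COMMAND_TYPES = {"cm": "execute cmd.exe command", "getfl": "download a file", "sendfl": "upload a file"}
# Hardcoded User-Agent from the analysis above.
SNAKELET_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36")


@dataclass
class Task:
    command_type: str   # cm | getfl | sendfl
    command_id: str     # CMID, a random string
    arg1: str           # Command | FileUrl | FilePath
    arg2: str           # Null | SavePath | FilePath
    extra: str          # fifth item; purpose unknown per the analysis


def victim_id(domain: str, computer_name: str) -> str:
    """Build the per-victim URI component: base64("domain.computer")."""
    return base64.b64encode(f"{domain}.{computer_name}".encode()).decode()


def decode_victim_id(component: str) -> Tuple[str, str]:
    """Reverse victim_id; the last period separates domain from computer name."""
    decoded = base64.b64decode(component, validate=True).decode("utf-8")
    domain, sep, computer = decoded.rpartition(".")
    if not sep or not domain or not computer:
        raise ValueError("not a domain.computer identifier")
    return domain, computer


def parse_tag(tag: str) -> Task:
    """Skip the first seven characters, base64 decode the rest, split into five lines."""
    if len(tag) <= 7:
        raise ValueError("tag too short")
    decoded = base64.b64decode(tag[7:], validate=True).decode("utf-8")
    fields = decoded.split("\n")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    if fields[0] not in COMMAND_TYPES:
        raise ValueError(f"unknown command type {fields[0]!r}")
    return Task(*fields)


def find_beacons(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, domain, computer) for log lines that look like Snakelet beacons.

    Assumed log layout: '<client> <method> <url> "<user-agent>"'.
    Matching is on the /request/<base64> path plus the hardcoded User-Agent.
    """
    hits = []
    for line in lines:
        client, _method, url, ua = line.split(" ", 3)
        if "/request/" not in url or ua.strip('"') != SNAKELET_UA:
            continue
        try:
            domain, computer = decode_victim_id(url.rsplit("/", 1)[1])
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # path segment is not a decodable victim identifier
        hits.append((client, domain, computer))
    return hits


# Constructed proxy log lines (not real traffic); the first reuses the blogpost's example ID.
SAMPLE_LOG = [
    '10.1.2.3 GET https://c2.invalid/request/dmljdGltX2RvbWFpbi5jb21wdXRlcl9uYW1l "' + SNAKELET_UA + '"',
    '10.1.2.4 GET https://c2.invalid/request/notbase64!! "' + SNAKELET_UA + '"',
    '10.1.2.5 GET https://www.example.org/index.html "' + SNAKELET_UA + '"',
]

if __name__ == "__main__":
    print(parse_tag("6wjTyB3Y20KSzU1VUlTagp3aG9hbWkKbnVsbApudWxs"))
    print(find_beacons(SAMPLE_LOG))
```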

Laret and Pinar – reverse tunnels

Laret and Pinar, whose names are derived from the internal names in each respective file, are 32-bit Windows binaries written in C#/.NET. Both have timestomped PE compilation timestamps – a tactic that is common among Middle Eastern (and particularly Iran-nexus) threat groups – of 2058-02-07 00:12:48 and 2072-07-10 18:26:15, respectively. Both were found on two systems at the locations in Table 5.

Table 5. Locations of Laret and Pinar on disk, including filenames

Reverse tunnel | Location
Laret | %APPDATA%\Local\LEAP Desktop\LEAPForm.exe
Laret | wincapsrv.exe
Pinar | C:\Program Files\LEAP Office\SystemMain.exe
Pinar | C:\Program Files\LEAP Office\winhttpproxy.exe

In the case where we don't have a location on disk for Laret but we do have the filename (wincapsrv.exe), we could see that Laret was downloaded from http://178.209.51[.]61:8000/wincapsrv.exe via PowerShell. Unfortunately, we didn't manage to find where it was written to disk. Attempts to enumerate the IP and download the file were rebuffed by the C&C server, possibly indicating that some form of compromised host identification is required in the connection setup (which we don't have).

Regarding writing to disk, BladedFeline operators probably timestomped the file creation date of Pinar to 2017-09-14 14:56:00 on one of the two compromised systems. How the file creation date was timestomped is an open question, but it shows that the attackers have compromised these two systems to such an extent that they probably have administrative rights.

At runtime, both Laret and Pinar rely on a configuration file in the same directory as their binaries for eight required variables, which are listed in Table 6.

Table 6. Laret and Pinar configuration parameters with default hardcoded values

Field | Description | Default value
ssh_host | C&C IP address. | N/A
ssh_port | | 22
ssh_username | C&C username. | N/A
ssh_pass | C&C password. | N/A
local_port | | 9666
process_file | File to execute before executing any reverse tunnel actions. | N/A
wait_time_minutes | Time to wait between check-ins with the C&C server. | 10f (271)
remote_port | Port number used for port forwarding. | 1234

We have so far not collected the configuration file but have reconstructed its likely content, shown in Figure 5, based on code analysis. Reading from the configuration file is done by base64 decoding the encoded string to bytes, which results in strings of space-delimited, hexadecimal-encoded character values, which in turn are decoded into ASCII strings.

Figure 5. Example contents of the configuration file used by Laret and Pinar reverse tunnels

The BladedFeline developers refer to this as Delocking and the opposite (writing to the configuration file) as Enlocking. This probably indicates a passing familiarity with English, but the developers were far from proficient. Other examples of weak translation skills include:

  • time Alapsed and client not connected
  • aerpoo after
  • Waiting connection …
  • error in creaate ssh client

Interestingly, at another point in the reverse tunnels, the developers correctly spelled the word elapsed (time elapsed!), which is indicative of poor coding and lax code review, if any is performed (e.g., there is a lot of command result text output to the command line, as if the reverse tunnels were shipped immediately after successful testing was completed).
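The Delocking/Enlocking scheme described for the configuration file (base64 over space-delimited hexadecimal character codes) is easy to reproduce, which helps when checking whether a recovered file next to a suspected Laret or Pinar binary matches this format. The following is an added example written for this blogpost, not the tunnels' own code or ESET's reconstruction in Figure 5; the key=value line layout, two-digit hex codes and the sample values are assumptions.

```python
"""Enlock/Delock helpers and a loader for the Laret/Pinar config format (added example)."""
import base64
import binascii
from typing import Dict

# The eight variables from Table 6, and the hardcoded defaults the table gives for three of them.
REQUIRED_FIELDS = ("ssh_host", "ssh_port", "ssh_username", "ssh_pass",
                   "local_port", "process_file", "wait_time_minutes", "remote_port")
DEFAULTS = {"ssh_port": "22", "local_port": "9666", "remote_port": "1234"}


def enlock(value: str) -> str:
    """Writing direction: ASCII text -> space-delimited hex character codes -> base64."""
    hex_codes = " ".join(f"{ord(c):02x}" for c in value)   # two-digit codes are an assumption
    return base64.b64encode(hex_codes.encode("ascii")).decode("ascii")


def delock(encoded: str) -> str:
    """Reading direction: base64 -> space-delimited hex character codes -> ASCII text."""
    hex_codes = base64.b64decode(encoded, validate=True).decode("ascii")
    return "".join(chr(int(code, 16)) for code in hex_codes.split())


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=<enlocked value> lines, apply Table 6 defaults, enforce the required set."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        try:
            cfg[key.strip()] = delock(value.strip())
        except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
            raise ValueError(f"value for {key.strip()!r} is not Delock-able: {exc}") from exc
    missing = [f for f in REQUIRED_FIELDS if f not in cfg]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return cfg


# Constructed sample configuration with placeholder values (not a recovered file).
SAMPLE_CONFIG = "\n".join(f"{k}={enlock(v)}" for k, v in {
    "ssh_host": "198.51.100.10",
    "ssh_username": "tunnel",
    "ssh_pass": "placeholder-password",
    "process_file": "LEAPForm.exe",
    "wait_time_minutes": "10",
}.items())

if __name__ == "__main__":
    print(SAMPLE_CONFIG)
    print(parse_config(SAMPLE_CONFIG))
```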

The actual function and flow of Laret and Pinar after collecting the parameters from the configuration file is quite banal, but that is probably an intentional effort to blend in. Both look for a filename in the process_file parameter and, if a file matching the supplied name is present, execute it and start two threads:

  1. Sets up an SSH connection to the C&C IP in the configuration file using the Core.Renci.SshNet DLL included within the binary. Port 22 is hardcoded as the C&C port and port forwarding is also enabled, using the remote_port variable from the configuration file.
  2. Sets up a listener on the port specified in the local_port parameter of the configuration file. Note that any data sent to the listener is done in the clear (i.e., no encryption or obfuscation is used beyond additional
