BladedFeline: Whispering in the dark

MITRE Techniques

• [T1595.002] Active Scanning: Vulnerability Scanning – BladedFeline likely performs vulnerability scanning against targets to identify exploitable public-facing applications.
• [T1583.001] Acquire Infrastructure: Domains – The group registers domains for use as command and control servers.
• [T1583.003] Acquire Infrastructure: Virtual Private Server – VPS services are employed to host C2 infrastructure.
• [T1583] Acquire Infrastructure – Use of IP addresses supports network infrastructure for distribution and command and control.
• [T1586.002] Compromise Accounts: Email Accounts – Use of compromised email accounts as part of command and control communication.
• [T1190] Exploit Public-Facing Application – Probable exploitation of vulnerabilities in public-facing applications to gain initial access.
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Execution of commands on endpoints via Windows shell.
• [T1059.007] Command and Scripting Interpreter: JavaScript – Use of JavaScript webshells to remotely execute commands.
• [T1059.001] Command and Scripting Interpreter: PowerShell – Execution of PowerShell commands on compromised systems.
• [T1059.006] Command and Scripting Interpreter: Python – Usage of Python-based droppers for deploying backdoors.
• [T1559] Inter-Process Communication – IPC techniques employed within malicious IIS modules.
• [T1569.002] System Services: Service Execution – Use of Windows services to execute malware such as Whisper and PrimeCache.
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Whisper achieves persistence by creating shortcuts in startup folders.
• [T1546] Event Triggered Execution – PrimeCache loads via IIS Worker Process upon receiving HTTP requests.
• [T1078] Valid Accounts – Use of legitimate credentials to exfiltrate data and maintain stealth.
• [T1140] Deobfuscate/Decode Files or Information – Use of base64 encoding to obfuscate data in Whisper backdoor communications.
• [T1070.004] Indicator Removal: File Deletion – The Whisper Python dropper deletes itself and supporting files after installation.
• [T1070.006] Indicator Removal: Timestomp – Frequent timestomping of malware compilation timestamps to evade detection.
• [T1003.001] OS Credential Dumping: LSASS Memory – Credential dumping via LSASS memory from compromised systems.
• [T1573.001] Encrypted Channel: Symmetric Cryptography – AES encryption used by Whisper for command and control data transfer.
• [T1071.001] Application Layer Protocol: Web Protocols – PrimeCache communicates using standard web protocols.
• [T1132.001] Data Encoding: Standard Encoding – Use of base64 encoding for C2 communications in PrimeCache.
• [T1573.002] Encrypted Channel: Asymmetric Cryptography – Use of RSA and AES-CBC encryption in PrimeCache communications.
• [T1105] Ingress Tool Transfer – PrimeCache can download and execute additional files from C2 servers.
• [T1048.001] Exfiltration Over Alternative Protocol: Symmetric Encrypted Non-C2 Protocol – Whisper uses encrypted email channels for exfiltration.
• [T1041] Exfiltration Over C2 Channel – PrimeCache exfiltrates data via C2 communication channels.