UAE-linked APT group Stealth Falcon has used the new Deadglyph backdoor in an attack targeting a governmental entity in the Middle East.
The advanced persistent threat (APT) actor Stealth Falcon has been observed deploying a new backdoor on the systems of a governmental entity in the Middle East, for espionage purposes, ESET reports.
The new backdoor, which ESET has named Deadglyph, consists of a native x64 binary that functions as an executor, and a .NET assembly that functions as an orchestrator.
The malware is delivered to the system as a DLL that abuses a Windows Management Instrumentation (WMI) event subscription for persistence and functions as a registry shellcode loader.
Once executed, the DLL loads, decrypts, and runs encrypted shellcode stored in the Windows registry, which in turn decrypts and runs the executor component of Deadglyph.
The executor is responsible for loading configuration, initializing the .NET runtime, and loading the embedded .NET code (the orchestrator).
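The two footholds described above, a WMI permanent event subscription and an encrypted blob parked in the registry, are both things a defender can enumerate directly. The following PowerShell script is an added example written for this article; it is not code from ESET, SecurityWeek, or the Deadglyph samples. It assumes an elevated PowerShell 5.1 or later session, and the allow-listed subscription names, the 4 KiB size floor and the entropy threshold are the author's own assumptions, not values from the report.

```powershell
# Added example, not from the article or the ESET report.
# Assumption: the two names below are the stock Windows subscription and can be ignored.
$KnownGoodFilters   = @('SCM Event Log Filter')
$KnownGoodConsumers = @('SCM Event Log Consumer')

# Shannon entropy in bits per byte; encrypted or compressed data sits close to 8.0.
function Get-ByteEntropy {
    param([byte[]]$Data)
    if (-not $Data -or $Data.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Data) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -eq 0) { continue }
        $p = $c / $Data.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 3)
}

# Lists every filter-to-consumer binding in root/subscription together with the
# WQL trigger and the command or script the consumer would run when it fires.
function Get-WmiSubscriptionReport {
    param([string]$Namespace = 'root/subscription')
    $bindings = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        $f = $b.Filter      # CIM reference, materialised as the __EventFilter instance
        $c = $b.Consumer    # CIM reference, materialised as the concrete consumer instance
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $c.Name
            Payload      = $payload
            Suspicious   = ($KnownGoodFilters -notcontains $f.Name) -or ($KnownGoodConsumers -notcontains $c.Name)
        }
    }
}

# Walks the given hives for REG_BINARY values that are both large and high-entropy,
# the shape an encrypted shellcode blob takes when it is stored in the registry.
function Find-LargeBinaryRegistryValues {
    param(
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
        [int]$MinBytes = 4096
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
                $bytes = $key.GetValue($name)
                if ($bytes.Length -lt $MinBytes) { continue }
                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $name
                    Bytes   = $bytes.Length
                    Entropy = Get-ByteEntropy $bytes
                }
            }
        }
    }
}

# Usage: anything not on the allow-list deserves a look; the entropy cut-off of 7.5 is an assumption.
Get-WmiSubscriptionReport | Where-Object Suspicious | Format-List
Find-LargeBinaryRegistryValues -MinBytes 8192 | Where-Object Entropy -gt 7.5 | Format-Table -AutoSize
```

The subscription report only covers bindings; an orphaned filter or consumer with no binding cannot fire, but is still worth reviewing. The registry walk is slow on a busy SOFTWARE hive and will surface legitimate large binary values (certificate stores, cached component data), so treat the output as triage input rather than a verdict, and compare against a clean reference host where one is available.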
Deadglyph’s .NET component establishes command-and-control (C&C) communication and executes commands. It uses a timer and a network module to communicate with the C&C server periodically, at random intervals, to prevent detectable patterns.
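Randomising the check-in interval defeats a detector that looks for an exact period, but a jittered beacon still produces intervals that cluster inside a narrow band, which a simple per-flow statistic can expose. The script below is an added example for this point, written for the article and not taken from ESET or the Deadglyph analysis; it runs over a constructed, embedded proxy log (timestamp, source, destination) and flags flows whose inter-connection times have a low coefficient of variation. The column layout, the minimum of six connections and the 0.5 cut-off are the author's assumptions.

```powershell
# Added example, not from the article or the ESET report.
# Constructed sample log: one jittered beacon (about 300 s, +/-40 %), one human browsing
# session with bursty gaps, and one flow too short to judge.
$SampleLog = @'
2023-09-22T08:00:00Z 10.0.0.5 203.0.113.10
2023-09-22T08:04:12Z 10.0.0.5 203.0.113.10
2023-09-22T08:09:53Z 10.0.0.5 203.0.113.10
2023-09-22T08:14:51Z 10.0.0.5 203.0.113.10
2023-09-22T08:18:21Z 10.0.0.5 203.0.113.10
2023-09-22T08:24:36Z 10.0.0.5 203.0.113.10
2023-09-22T08:29:02Z 10.0.0.5 203.0.113.10
2023-09-22T08:34:32Z 10.0.0.5 203.0.113.10
2023-09-22T08:39:21Z 10.0.0.5 203.0.113.10
2023-09-22T08:00:01Z 10.0.0.8 198.51.100.7
2023-09-22T08:00:03Z 10.0.0.8 198.51.100.7
2023-09-22T08:00:04Z 10.0.0.8 198.51.100.7
2023-09-22T08:00:09Z 10.0.0.8 198.51.100.7
2023-09-22T08:31:40Z 10.0.0.8 198.51.100.7
2023-09-22T08:31:41Z 10.0.0.8 198.51.100.7
2023-09-22T09:12:05Z 10.0.0.8 198.51.100.7
2023-09-22T08:10:00Z 10.0.0.9 198.51.100.20
2023-09-22T08:15:00Z 10.0.0.9 198.51.100.20
'@

# Groups connections by source->destination, computes the gaps between successive
# connections and reports the spread of those gaps relative to their mean (CV).
function Get-BeaconCandidates {
    param(
        [string[]]$Lines,
        [int]$MinConnections = 6,   # assumption: fewer samples than this is not enough to judge
        [double]$MaxCv = 0.5        # assumption: uniform +/-40 % jitter gives a CV near 0.23
    )
    $flows = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $ts, $src, $dst = $line.Trim() -split '\s+', 3
        $key = "$src->$dst"
        if (-not $flows.ContainsKey($key)) {
            $flows[$key] = New-Object System.Collections.Generic.List[datetime]
        }
        $flows[$key].Add([datetimeoffset]::Parse($ts).UtcDateTime)
    }
    foreach ($key in $flows.Keys) {
        $times = @($flows[$key] | Sort-Object)
        if ($times.Count -lt $MinConnections) { continue }
        $intervals = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $mean = ($intervals | Measure-Object -Average).Average
        $var  = ($intervals | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $cv   = if ($mean -gt 0) { [math]::Sqrt($var) / $mean } else { [double]::PositiveInfinity }
        [pscustomobject]@{
            Flow            = $key
            Connections     = $times.Count
            MeanIntervalSec = [math]::Round($mean, 1)
            MinIntervalSec  = ($intervals | Measure-Object -Minimum).Minimum
            MaxIntervalSec  = ($intervals | Measure-Object -Maximum).Maximum
            CV              = [math]::Round($cv, 3)
            Beaconing       = ($cv -le $MaxCv)
        }
    }
}

# Usage: the 10.0.0.5 flow comes out with a CV of roughly 0.17 and is flagged; the browsing
# session has a CV above 1 and is not; the two-connection flow is skipped.
Get-BeaconCandidates -Lines ($SampleLog -split '\r?\n') | Format-Table -AutoSize
```

The heuristic is deliberately simple: it does not model sleep windows or a beacon that varies its period across a wide range, and software updaters and monitoring agents will also show low-CV traffic, so the output should be joined with destination reputation and process context before anyone acts on it.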
The C&C server sends commands to the backdoor’s components in the form of tasks. The orchestrator can be tasked to modify network and timer modules’ configurations, while the executor tasks are meant to manage the backdoor and run additional modules.
ESET estimates that the executor can fetch up to fourteen different modules that function as backdoor commands, and which are served as DLLs with one unnamed export.
At execution, the modules are provided with an API resolution function that can resolve Windows APIs and custom Executor APIs – ESET has identified 39 functions related to Executor APIs, including for file operations, encryption and hashing, compression, PE loading, utility, and access token impersonation.
One of the modules is responsible for collecting information about the operating system, network adapters, installed applications, drivers, services, drives, processes, users, security software, and environment variables.
While investigating Deadglyph, ESET discovered a CPL file signed with an expired certificate that had been uploaded to VirusTotal from Qatar; it functioned as a multistage shellcode downloader and shared code similarities with Stealth Falcon's backdoor.
Active since at least 2012 and believed to be linked to the United Arab Emirates (UAE) government, Stealth Falcon is known for targeting journalists, activists, and dissidents.
Based on similar targeting and attacks, Amnesty International in 2019 concluded that Stealth Falcon is the same group as Project Raven, an initiative allegedly composed of former NSA operatives.
Ionut Arghire is an international correspondent for SecurityWeek.
Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.