ESET Research discovered Deadglyph, a new backdoor with an unusual architecture.

ESET researchers discovered and analyzed an advanced backdoor called Deadglyph used by the Stealth Falcon group. According to a statement from the US non-profit security organization, the group is linked to the United Arab Emirates. Deadglyph is a unique architecture; as well as the backdoor capability, it’s provided by C&C as well as additional modules. Deadglyph has several antidetection mechanisms and some people can move away so they are able to reduce detection. ESET discovered that the behaviour of leading customers had been monitored in a routine fashion, most of them located in the Middle East. The victim of the investigation is an intelligence agency, which in the Middle East was made redundant by the government. On VirusTotal, a related example was uploaded to Qatar.

This undocumented backdoor has the unique taste of sophistication and expertise. The traditional backdoor commands aren’t implemented in the backdoor binary. They are created dynamically with the C&C server as modules. This backdoor has a lot of capabilities to avoid detection, such as continuous monitoring of system processes and the continuous implementation of random network patterns.

ESET Research managed to access three modules, giving a fraction of the total Deadglyphs capabilities: Process creator, file reader, and information collection. The info collector module collects huge information about the computer, including details about the operation system, the installed software, and the driver’s license, processes, services, and their user, and security software. In addition to that document reading module, it’s possible to read specific files, in one case, the device was used to collect the victims’ Outlook data.

ESET Research has also found a related shellcode downloader that could be used to install Deadglyph.

ESET attributes Deadglyph to the Stealth Falcon APT group with high confidence, based on targeting and evidence. This threat group, also known as Project Raven or FruityArmor, is tied to the United Arab Emirates, according to MITER. A Stealth Falcon, which is active since 2012, is known for its targeting on political activists, journalists and dissidents in the Middle East. Citizen Lab discovered and described it firsthand, which published an investigation in 2016. A group of spyware attacks took place in 2016 and ended up in an attack.

Read the blog post Stealth Falcon preying over Middle Eastern skies with Deadglyph on WeLiveSecurity. Make sure you follow ESET Research Twitter (also called ESET Research).

Victimology of Deadglyph; related example uploaded to VirusTotal from Qatar (smart colour).

ESET

This article was written by one of our partners. Our editors are not responsible for the content.