A recently discovered backdoor malware, known as “Deadglyph,” has been detected in a cyberattack targeting a government agency in the Middle East.
This malicious software has been linked to the activities of the Stealth Falcon APT hackers, also known as Project Raven or FruityArmor, a state-affiliated hacking group based in the United Arab Emirates (UAE).
Stealth Falcon hackers have been targeting activists, journalists and dissidents for nearly a decade.
During the LABScon cybersecurity conference, ESET researcher Filip Jurčacko unveiled a comprehensive analysis of a recently discovered malware and its method of infecting devices running the Windows operating system.
Deadglyph backdoor malware
While ESET currently lacks information regarding the precise initial infection method, there is a suspicion that a malicious executable file, potentially an installer, may be involved.
However, the company has uncovered most of the components in the infection chain. Deadglyph’s loading chain begins with a registry shellcode loader (DLL).
This loader extracts code from the Windows registry to activate the executor (x64) component, subsequently initiating the Orchestrator (.NET) components.
Only the first component, the loader, exists on the disk of the compromised system, as a DLL file, which minimizes the chance of detection.
ESET reports that the loader is designed to retrieve encrypted shellcode from the Windows Registry, a measure taken to increase the complexity of analysis.
Given that the DLL component is stored in the file system, it is more susceptible to detection. Consequently, the attackers employed a homoglyph technique within the VERSIONINFO resource, using visually similar Greek and Cyrillic Unicode characters to imitate Microsoft’s version information and create the illusion of a legitimate Windows file.
“We detected a homoglyph attack impersonating Microsoft Corporation in the VERSIONINFO resource of this and other PE components”, explains ESET.
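The homoglyph trick described above can be checked for on the defender’s side. The following example, added here and not part of the ESET report or the Deadglyph samples, classifies VERSIONINFO string fields: it flags a CompanyName that only looks like “Microsoft Corporation” once Greek or Cyrillic look-alike letters are mapped back to Latin, and any field that mixes scripts. The confusables table and the sample StringFileInfo block are constructed for this example; in practice the fields would come from a PE parser.

```python
import unicodedata

# Constructed subset of Unicode confusables: Greek and Cyrillic letters whose glyphs
# resemble Latin letters. Only entries relevant to the strings checked here are listed.
CONFUSABLES = {
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039A": "K", "\u039C": "M", "\u039D": "N", "\u039F": "O", "\u03A1": "P",
    "\u03A4": "T", "\u03BF": "o", "\u03C1": "p",  # Greek
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041A": "K", "\u041C": "M",
    "\u041D": "H", "\u041E": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x",  # Cyrillic
}

def scripts_in(text):
    """Return the scripts used by the letters in text, e.g. {'LATIN', 'GREEK'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}

def skeleton(text):
    """Map confusable Greek/Cyrillic letters to the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def check_field(value, expected=None):
    """Classify one VERSIONINFO string; 'expected' is the vendor name it claims, if any."""
    scripts = scripts_in(value)
    if expected is not None:
        if value == expected:
            return "legitimate"
        if skeleton(value) == expected and scripts - {"LATIN"}:
            return "homoglyph-impersonation"  # reads as the vendor, but uses foreign letters
    if len(scripts) > 1:
        return "mixed-script"  # suspicious on its own and worth an analyst's look
    return "other"

def scan_versioninfo(fields, company="Microsoft Corporation"):
    """Return only the StringFileInfo fields that deserve attention."""
    findings = {}
    for name, value in fields.items():
        verdict = check_field(value, company if name == "CompanyName" else None)
        if verdict in ("homoglyph-impersonation", "mixed-script"):
            findings[name] = verdict
    return findings

# Constructed sample block: CompanyName uses Greek capital Mu (U+039C) and
# Cyrillic small o (U+043E) in place of the Latin letters M and o.
SAMPLE_VERSIONINFO = {
    "CompanyName": "\u039Cicros\u043Eft Corporation",
    "FileDescription": "Windows Shell Common Dll",
    "LegalCopyright": "\u00a9 Microsoft Corporation. All rights reserved.",
}
```

Running `scan_versioninfo(SAMPLE_VERSIONINFO)` reports only the CompanyName field as a homoglyph impersonation, while a genuinely non-Latin vendor name written in a single script is left alone.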
The Executor component is responsible for loading AES-encrypted configurations for the backdoor, initiating the .NET runtime on the system, and subsequently loading the .NET component of the backdoor, serving as its library.
Ultimately, the Orchestrator assumes responsibility for communicating with the Command and Control (C2) server. In the event that the backdoor is unable to establish contact with the C2 server within a predefined timeframe, it activates a self-removal mechanism to deter security researchers from analyzing it.
The Deadglyph malware deployed by the Stealth Falcon hackers is highly modular, enabling it to fetch new modules from the C2 server. These modules contain diverse shellcodes designed to be executed by the Executor component.
In essence, this modularity lets the attackers craft new modules tailored to their specific objectives, which can then be deployed to victims to carry out additional malicious actions. These capabilities include file operations, loading of executable files, token impersonation, and encryption and hashing operations.
ESET’s assessment suggests the existence of between nine and fourteen distinct modules; however, a comprehensive analysis of all these modules remains pending.
One of the modules functions as an information collector, supplying the Orchestrator component with the following data about the compromised system:
- Operating system
- Network adapters
- Installed software
- Environment variables
- Security software
Even though ESET has disclosed only a limited subset of the malware’s functionalities, it is evident that the Deadglyph backdoor malware, employed by the Stealth Falcon hackers in cyber espionage operations, poses a significant and substantial threat.
Regrettably, due to the lack of comprehensive information regarding the initial infection method, providing precise defense strategies against the malware is currently unfeasible. At present, system defenders can depend on the published Indicators of Compromise (IoCs) detailed in the ESET report as their primary resource for protection.
Backdoor malware is highly dangerous, enabling cybercriminals to control systems, steal personal data, or incorporate them into botnets. These attacks are hard to detect and remediate. Protecting against them demands a proactive cybersecurity approach, with timely software updates, robust data protection, and vigilance toward new cybercriminal tactics.