
Researchers have recently found a sophisticated backdoor with an unusual structure, dubbed "Deadglyph," used in a cyber-espionage attack in the Middle East against a government agency. The malware is attributed to the Stealth Falcon advanced persistent threat (APT), a United Arab Emirates (UAE) state-sponsored group.
In routine monitoring of suspicious activity for some of its high-profile Middle East customers, ESET gleaned details on a custom attack that uses homoglyphs, mimicking the name of technology giant Microsoft inside Unicode strings. In this case, the Cyrillic "M" and the Greek "o" were used in place of the standard Latin characters normally used in English, in the string "Microsoft Corporation."
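As an added illustration of the homoglyph trick described above (example code written for this page, not from ESET's report), the snippet below flags letters from a non-Latin script inside an otherwise Latin string and maps a small, constructed table of confusable characters back to their Latin look-alikes so a spoofed string can be compared with the name it imitates. The sample string is constructed to mirror the report: Cyrillic capital EM (U+041C) and Greek small omicron (U+03BF) substituted into "Microsoft Corporation"; the confusables table is deliberately partial.

```python
import unicodedata

# Constructed, partial confusables map: non-Latin letters that render like
# common Latin letters. Unicode's confusables.txt is the exhaustive source.
CONFUSABLES = {
    "\u041c": "M",  # CYRILLIC CAPITAL LETTER EM
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}

def script_of(ch):
    """Coarse script classification taken from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER" if ch.isalpha() else "NONE"

def find_homoglyphs(text):
    """Return (index, char, unicode name) for each non-Latin letter in a string
    that also contains Latin letters. Single-script strings return []: a
    purely Cyrillic name is legitimate text, not a spoof."""
    letters = [(i, c) for i, c in enumerate(text) if c.isalpha()]
    scripts = {script_of(c) for _, c in letters}
    if "LATIN" not in scripts or len(scripts) == 1:
        return []
    return [(i, c, unicodedata.name(c, "?")) for i, c in letters
            if script_of(c) != "LATIN"]

def skeleton(text):
    """Replace known confusables with the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(c, c) for c in text)

def spoofs(text, legit):
    """True when text differs from legit but collapses to it after mapping."""
    return text != legit and skeleton(text) == legit

# Constructed sample modelled on the report's "Microsoft Corporation" string.
SAMPLE = "\u041cicr\u03bfsoft Corporation"
LEGIT = "Microsoft Corporation"

if __name__ == "__main__":
    for i, c, name in find_homoglyphs(SAMPLE):
        print(f"index {i}: U+{ord(c):04X} {name}")
    print("spoof of legitimate name:", spoofs(SAMPLE, LEGIT))
```

Note that Unicode normalization (NFKC) does not collapse Cyrillic or Greek letters to Latin, so a mixed-script check or a confusables mapping is needed rather than normalization alone.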
The APT lives up to the "stealth" in its name, too. For instance, the Deadglyph malware doesn't receive traditional backdoor commands from the backdoor binary but instead receives its capabilities dynamically from a command-and-control (C2) server in the form of modules. These use Windows and custom Executor APIs to enable dozens of capabilities, including loading executables, file operations, token impersonation, and encryption and hashing. This approach means that threat actors can create as many modules as needed in order to customize the attacks.
In addition, the backdoor employs anti-detection mechanisms such as continuously monitoring system processes as well as implementing randomized network patterns.
Three of nine modules have been uncovered (a process creator, a file reader, and an info collector), indicating that researchers still don't know the full breadth of Deadglyph's capabilities. ESET also found a shellcode downloader that could be used to install the malware.
In the past, Stealth Falcon (aka Fruity Armor or Project Raven) has been known to target political activists, dissidents, and journalists in the Middle East. This latest attack occurred somewhere in the region of the Anatolian and Arabian peninsulas, according to ESET. The firm also noted that a second sample of the malware was uploaded to VirusTotal from Qatar.