CyberSecurity SEE

Stealth Falcon hunts across Middle Eastern skies with Deadglyph

Middle East Once Again Faces a Sophisticated Cyber Threat

In the realm of cybersecurity, the Middle East has been a hotbed for advanced persistent threats (APTs) for many years. Recently, ESET Research, while routinely monitoring suspicious activity on high-profile customer systems, came across a highly sophisticated, previously unknown backdoor that they have named Deadglyph. This discovery marks the first public analysis of this previously undocumented backdoor, which is being used by a group known for its high level of skill and expertise – the Stealth Falcon APT group.

Deadglyph stands out due to its unusual architecture: it consists of two cooperating components, a native x64 binary and a .NET assembly. This combination is unusual because most malware is written in a single programming language. Mixing languages makes analysis and debugging more challenging, which could be a deliberate strategy to hinder detection.

Another distinctive aspect of Deadglyph is that the backdoor binary itself implements no traditional backdoor commands. Instead, commands are received dynamically from the command and control server in the form of additional modules. The backdoor also employs various techniques to evade detection.

ESET Research has conducted a detailed analysis of Deadglyph and its purpose, and found that it is being used for espionage. They also recovered three of the several modules associated with Deadglyph – a process creator, a file reader, and an info collector. Based on these findings and additional evidence, ESET Research attributes Deadglyph with high confidence to the well-known Stealth Falcon APT group.

Interestingly, a related shellcode downloader was also found, which ESET Research speculates could potentially be used to install Deadglyph. The victim of this intrusion appears to be a governmental entity in the Middle East. Additionally, a related Deadglyph sample was uploaded to the file-scanning platform VirusTotal from Qatar.

Stealth Falcon, also known as Project Raven or FruityArmor, is a threat group that has been targeting political activists, journalists, and dissidents in the Middle East since 2012. MITRE has linked the group to the United Arab Emirates. Project Raven, an initiative allegedly employing former NSA operatives, has targets and attacks similar to those of Stealth Falcon, leading Amnesty International to conclude that they are the same group.

ESET Research has previously published research on a backdoor attributed to Stealth Falcon that used an unusual technique for command and control communication. Now, they have conducted an in-depth analysis of what they believe to be the newest addition to Stealth Falcon’s espionage toolset – the Deadglyph backdoor.

The loading chain of Deadglyph consists of multiple components, starting with a registry shellcode loader, followed by the Executor (the native x64 part) and the Orchestrator (the .NET part). The initial component, a tiny DLL, persists on the system via a WMI event subscription and serves as the registry shellcode loader: it decrypts the path to the encrypted shellcode stored in the Windows registry, then loads and executes that shellcode. The Executor in turn loads the Orchestrator, which is responsible for communicating with the command and control server and executing its commands.
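The persistence step above relies on a permanent WMI event subscription, which on a Windows host is visible as a filter, a consumer and a binding in the root/subscription namespace. The following PowerShell enumeration is an added defender-side example, not code from the article or from ESET, and it assumes an elevated session on the host being reviewed; it lists every subscription and flags the consumer types that execute a command or script.

```powershell
# Added example (not from the article or the ESET report): enumerate permanent WMI
# event subscriptions, the persistence mechanism attributed to the Deadglyph
# registry shellcode loader. Assumes an elevated PowerShell session.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

"== Event filters (the trigger: a WQL query such as a startup or timer event) =="
$filters | ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; Query = $_.Query }
} | Format-Table -AutoSize -Wrap

"== Event consumers (the action); command-line and script consumers run code =="
$consumers | ForEach-Object {
    $c     = $_                       # keep a handle; switch rebinds $_ below
    $class = $c.CimClass.CimClassName
    $action = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' {
            if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText }
        }
        default                     { '' }
    }
    [pscustomobject]@{
        Name   = $c.Name
        Class  = $class
        Action = $action
        Flag   = $(if ($class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { 'REVIEW' } else { '' })
    }
} | Format-Table -AutoSize -Wrap

"== Bindings (which filter fires which consumer) =="
$bindings | ForEach-Object {
    [pscustomobject]@{ Filter = "$($_.Filter)"; Consumer = "$($_.Consumer)" }
} | Format-Table -AutoSize -Wrap
```

Compare the output against a baseline taken from a clean build of the same image; any consumer marked REVIEW whose command or script you cannot account for deserves a closer look.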

Overall, Deadglyph’s architecture and the techniques employed by the Stealth Falcon APT group indicate a high level of sophistication and expertise. This discovery serves as a reminder that the Middle East continues to be a fertile ground for cyber threats, and organizations in the region need to remain vigilant in their cybersecurity efforts.
