A recent cyber-espionage attack in the Middle East has uncovered a sophisticated backdoor called “Deadglyph,” which is attributed to the Stealth Falcon advanced persistent threat (APT), a state-sponsored group based in the United Arab Emirates (UAE). Researchers at ESET, a leading cybersecurity company, detected this unusual malware while monitoring suspicious activities for high-profile customers in the region.
One of the standout features of Deadglyph is its unusual architecture. The malware uses homoglyphs, characters from other alphabets that look like Latin letters but are different code points. In this case, the attackers used the Cyrillic “М” and the Greek “ο” to spell the name of technology giant Microsoft, in place of the Latin “M” and “o” used in English. A string built this way looks legitimate to a human reader while failing an exact match against the genuine name, which the attackers hoped would help them evade detection and make their activity harder to trace.
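As an added illustration of the homoglyph trick described above (this is not code from ESET or from the article), the following Python snippet flags strings that visually match a trusted vendor name but contain non-Latin code points. The confusables table is a small hand-picked subset, an assumption for this example rather than the full Unicode confusables list, and the sample strings are constructed.

```python
import unicodedata

# Hand-picked subset of Unicode confusables (assumption: enough for the Cyrillic/Greek
# lookalikes of Latin letters; a production check would load confusables.txt).
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a7": "X", "\u03bf": "o",
}

def non_latin_letters(text):
    """Return (index, char, code point, Unicode name) for every letter outside the Latin script."""
    hits = []
    for i, ch in enumerate(text):
        if ch.isalpha() and not unicodedata.name(ch, "").startswith("LATIN"):
            hits.append((i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return hits

def skeleton(text):
    """Fold each known confusable to the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def spoofs(text, trusted_name):
    """True when text is not literally trusted_name but becomes it once confusables are folded."""
    return text != trusted_name and skeleton(text) == trusted_name

def scan(strings, trusted_names):
    """Report every string that impersonates one of trusted_names, with the offending letters."""
    findings = []
    for s in strings:
        for name in trusted_names:
            if spoofs(s, name):
                findings.append((s, name, non_latin_letters(s)))
    return findings

# Constructed samples, not values from the ESET report: the genuine name, the spoof
# described in the article (Cyrillic EM + Greek OMICRON), and a digit substitution
# that does not fold to the trusted name and so is not reported as a homoglyph match.
SAMPLES = ["Microsoft", "\u041cicr\u03bfsoft", "Micros0ft"]

if __name__ == "__main__":
    for s, name, hits in scan(SAMPLES, ["Microsoft"]):
        print(f"{s!r} imitates {name!r}:")
        for i, ch, cp, uname in hits:
            print(f"  position {i}: {ch!r} {cp} {uname}")
```

The same check can be run over any field that should only ever contain a vendor's Latin name, such as signer names, service display names or registry value data pulled from an endpoint inventory.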
The name “Deadglyph” seems fitting for this threat, as it lives up to its “stealth” reputation. Unlike traditional backdoors, whose commands are implemented directly in the binary, Deadglyph receives its commands dynamically from a command-and-control (C2) server in the form of modules. These modules, using Windows APIs and a custom Executor API, provide the malware with capabilities such as loading executables, performing file operations, token impersonation, and encryption and hashing. This modular approach lets the attackers customize and adapt their attacks as needed, and it also means that analysis of the core binary alone does not reveal the full set of capabilities.
To further evade detection, Deadglyph employs anti-detection mechanisms. It continuously monitors system processes and implements randomized network patterns, making it harder for security systems to identify and block its activities. Researchers have managed to uncover three out of the nine modules used by Deadglyph, including a process creator, file reader, and an info collector. However, the full extent of the malware’s capabilities is still unknown.
ESET’s investigation revealed that Stealth Falcon, also known as Fruity Armor or Project Raven, has a history of targeting political activists, dissidents, and journalists in the Middle East. This latest attack took place in the region of the Anatolian and Arabian peninsulas. Additionally, ESET discovered that a second sample of the malware was uploaded from Qatar to VirusTotal, a popular online malware scanning platform.
The discovery of Deadglyph highlights the evolving nature of cyber-espionage and the sophistication of state-sponsored APT groups. With its unique architecture, use of homoglyphs, and modular approach, Deadglyph demonstrates the group’s ability to adapt and customize their attacks for maximum impact. It also serves as a reminder of the importance of cybersecurity measures and the need for organizations and individuals to stay vigilant against such threats.
As the cybersecurity landscape continues to evolve, it is crucial for businesses and individuals alike to keep up with the latest threats and vulnerabilities. ESET advises staying informed about newly-discovered vulnerabilities, data breaches, and emerging trends in cybersecurity. Being proactive and staying updated with the latest security practices is essential in protecting sensitive data and mitigating the risks associated with cyber-espionage and other malicious activities.
