New Stealth Falcon Backdoor Discovered

ESET security researchers have discovered a new backdoor associated with the United Arab Emirates (UAE)-linked Stealth Falcon threat actor. 

Active since 2012, the group is known for targeting of journalists, activists and dissidents, and has been linked to Project Raven, an initiative allegedly employing former NSA operatives. 

Some technical information on Stealth Falcon has been public for several years, including the analysis a PowerShell-based backdoor dropped via a malicious document. 

ESET now says it discovered a previously unreported executable backdoor that has been used in a small number of attacks in UAE, Saudi Arabia, Thailand, and the Netherlands. Dubbed Win32/StealthFalcon, it features similarities with the previously analyzed PowerShell script, linking them to the same actor. 

Win32/StealthFalcon, ESET says, appears to have been created in 2015, to provide attackers with means to control infected systems remotely. 

The malware uses a rather unusual command and control (C&C) communication server, namely the standard Windows component Background Intelligent Transfer Service (BITS), which was designed to transfer large amounts of data without taking up too much network bandwidth.

Commonly used by updaters, messengers, and other background programs, the BITS mechanism is exposed through a COM interface, is more difficult to detect, was designed to be stealthy, and is likely permitted by host-based firewalls.

A DLL file, the backdoor schedules itself as a task running at user login and provides attackers with a series of basic capabilities, including data collection, data exfiltration, app execution, and self-removal. Data prepared for exfiltration is stored encrypted. 

The malware also appears to include an evasion detection trick where a function referencing 300+ imports is executed before any malicious payload is started, although no import is actually used. Instead, the function always returns and runs the payload. 

The newly discovered backdoor shares the same C&C server with the PowerShell-based backdoor previously attributed to the Stealth Falcon group, namely the windowsearchcache[.]com. 

Additionally, ESET observed significant similarities in code between the two, despite the fact that they are written in different languages. Both use hardcoded identifiers used to prefix all network communication from the compromised host. 

“We discovered and analyzed a backdoor with an uncommon technique for C&C communication – using Windows BITS – and some advanced techniques to hinder detection and analysis, and to ensure persistence and complicate forensic analysis. Similarities in the code and infrastructure with a previously known malware by Stealth Falcon drive us to the conclusion that the Win32/StealthFalcon backdoor is also the work of this threat group,” ESET concludes. 

Related: “Stealth Falcon” Threat Group Targets UAE Dissidents

Related: Attacks Use Windows BITS Notifications to Download Malware