The advanced persistent threat (APT) actor Stealth Falcon has been observed deploying a new backdoor on the systems of a governmental entity in the Middle East, for espionage purposes, ESET reports.
The new backdoor, which ESET has named Deadglyph, consists of a native x64 binary that functions as an executor, and a .NET assembly that functions as an orchestrator.
The malware is delivered to the system in the form of a DLL that abuses Windows Management Instrumentation (WMI) event subscription for persistence and that functions as a registry shellcode loader.
Once executed, the DLL loads, decrypts, and executes encrypted shellcode stored in the Windows registry, which leads to decrypting and running the executor component of Deadglyph.
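Because the loader depends on a permanent WMI event subscription, defenders can hunt for the filter, consumer and binding triplet such persistence requires. The script below is an added example, not ESET's or the article's code: it correlates constructed Sysmon-style events (IDs 19, 20 and 21, which Sysmon emits when a WMI filter, consumer and binding are created) into chains and flags bindings to command-line or script consumers for review; the event records and values in it are constructed samples.

```python
"""Correlate Sysmon WMI events (19/20/21) into persistence chains.

Sysmon logs the WMI filter (19), the consumer (20) and the binding
between them (21) as three separate events. A permanent subscription
only fires once the binding exists, so joining the three on their WMI
object names surfaces the complete persistence chain for triage.
"""
import re

# Sysmon consumer types that execute attacker-controlled content.
SUSPICIOUS_CONSUMER_TYPES = {"Command Line", "Script"}

# Constructed sample events in Sysmon's field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": '"SysUpdateFilter"', "Namespace": "root\\subscription",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Name": '"SysUpdateConsumer"', "Type": "Command Line",
     "Destination": 'rundll32.exe "C:\\ProgramData\\PLACEHOLDER.dll",Start'},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="SysUpdateConsumer"',
     "Filter": '__EventFilter.Name="SysUpdateFilter"'},
    # A constructed benign chain: an event-log consumer, not code execution.
    {"EventID": 19, "Name": '"SCM Event Log Filter"', "Namespace": "root\\subscription",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": '"SCM Event Log Consumer"', "Type": "Event Log",
     "Destination": ""},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


def _clean(name: str) -> str:
    """Sysmon wraps WMI object names in literal double quotes; strip them."""
    return name.strip().strip('"')


def _ref_name(ref: str) -> str:
    """Pull the object name out of a binding reference such as
    CommandLineEventConsumer.Name="Foo"; fall back to the raw value."""
    match = re.search(r'Name="([^"]*)"', ref)
    return match.group(1) if match else _clean(ref)


def correlate_wmi_chains(events: list[dict]) -> list[dict]:
    """Return one record per binding (event 21), joined with its filter
    and consumer, with 'suspicious' set for executable consumer types."""
    filters = {_clean(e["Name"]): e for e in events if e["EventID"] == 19}
    consumers = {_clean(e["Name"]): e for e in events if e["EventID"] == 20}
    chains = []
    for binding in (e for e in events if e["EventID"] == 21):
        fname, cname = _ref_name(binding["Filter"]), _ref_name(binding["Consumer"])
        flt, con = filters.get(fname, {}), consumers.get(cname, {})
        chains.append({"filter": fname, "query": flt.get("Query", "<unknown>"),
                       "consumer": cname, "consumer_type": con.get("Type", "<unknown>"),
                       "destination": con.get("Destination", "<unknown>"),
                       "suspicious": con.get("Type") in SUSPICIOUS_CONSUMER_TYPES})
    return chains


if __name__ == "__main__":
    for chain in correlate_wmi_chains(SAMPLE_EVENTS):
        flag = "REVIEW" if chain["suspicious"] else "ok"
        print(f"[{flag}] {chain['filter']} -> {chain['consumer']} "
              f"({chain['consumer_type']}): {chain['destination']}")
```

A binding whose filter or consumer was created before Sysmon was installed will show `<unknown>` fields, so pair this with a direct enumeration of the `root\subscription` namespace on the host.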
The executor is responsible for loading configuration, initializing the .NET runtime, and loading the embedded .NET code (the orchestrator).
Deadglyph’s .NET component establishes command-and-control (C&C) communication and executes commands. It uses a timer and a network module to communicate with the C&C server periodically, at random intervals, to prevent detectable patterns.
The C&C server sends commands to the backdoor’s components in the form of tasks. The orchestrator can be tasked to modify network and timer modules’ configurations, while the executor tasks are meant to manage the backdoor and run additional modules.
ESET estimates that the executor can fetch up to fourteen different modules that function as backdoor commands, and which are served as DLLs with one unnamed export.
At execution, the modules are provided with an API resolution function that can resolve Windows APIs and custom Executor APIs – ESET has identified 39 functions related to Executor APIs, including for file operations, encryption and hashing, compression, PE loading, utility, and access token impersonation.
One of the modules is responsible for collecting information about the operating system, network adapters, installed applications, drivers, services, drives, processes, users, security software, and environment variables.
While investigating Deadglyph, ESET discovered a CPL file signed with an expired certificate that was uploaded to VirusTotal from Qatar, which functioned as a multistage shellcode downloader, and which shared code similarities with Stealth Falcon’s backdoor.
Active since at least 2012 and believed to be linked to the United Arab Emirates (UAE) government, Stealth Falcon is known for the targeting of journalists, activists, and dissidents.
Based on similar targeting and attacks, Amnesty International in 2019 concluded that Stealth Falcon is the same group as Project Raven, an initiative allegedly composed of former NSA operatives.