Deadglyph Backdoor Targeting Middle Eastern Government
Backdoor Is Associated With Stealth Falcon APT Group
Security researchers discovered a novel backdoor targeting a governmental agency in the Middle East for espionage purposes.
Researchers at Eset attributed the backdoor, dubbed Deadglyph, to the United Arab Emirates' Stealth Falcon threat actor.
Stealth Falcon has targeted Middle Eastern journalists, activists and dissidents since at least 2012.
Deadglyph is unusual in that its components are written in different programming languages: a native x64 binary and a .NET assembly. Malware typically uses a single language for all of its parts, so the split suggests the two components may have been developed separately, possibly by different developers.
Deadglyph's commands are not built into the backdoor itself. Instead, it receives them from a server controlled by the attackers in the form of additional modules, so a sample captured on disk exposes little of the malware's capabilities, which makes it harder to detect and analyze.
Researchers did not determine the initial compromise vector, but an installer component is likely used to deploy Deadglyph.
Deadglyph's main components are the "Executor," the native x64 binary, which loads the "Orchestrator," the .NET assembly that handles communication with the attackers' server. Together they carry out the attackers' commands.
The backdoor also comes with an exit plan. If it fails to communicate with the attackers' server for a predefined duration, it can uninstall itself to avoid drawing attention to the compromised system.
Deadglyph is designed to evade detection by continuously monitoring system processes and by randomizing its network communication patterns.
Eset researchers obtained three modules from the attackers' server and estimate that there are nine to 14 modules in total. Each module implements a command that the malware can execute on the infected computer.
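Randomized check-in timing defeats detections that look for a fixed interval, but it does not make the traffic look human. The following is an added example written for this article, not code from Eset's analysis or from Deadglyph; it scores a host's outbound connections to one destination by how tightly the gaps between them cluster around their median. The connection timestamps are constructed, and the band and minimum-connection thresholds are this example's own choices.

```python
"""Spotting a check-in schedule that uses randomized intervals.

Added example, not Eset's analysis code or anything from Deadglyph. The
timestamps below are constructed to stand in for one host's outbound
connections to a single destination, as a proxy or NetFlow log records them.
"""
from statistics import median


def intervals(timestamps):
    """Seconds between consecutive connections, oldest first."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps, band=0.5, min_connections=8):
    """Return (is_beacon, median_interval, spread).

    A fixed sleep between check-ins gives identical intervals. Jitter (say,
    +/-25% around the base sleep) widens them, but every interval still lands
    inside a narrow band around the median. Human-driven traffic does not:
    its gaps run from a second to hours. spread is the largest deviation from
    the median as a fraction of the median; at or below band we call it a beacon.
    """
    if len(timestamps) < min_connections:
        return False, None, None
    gaps = intervals(timestamps)
    med = median(gaps)
    if med <= 0:
        return False, med, None
    spread = max(abs(g - med) for g in gaps) / med
    return spread <= band, med, spread


def timestamps_from_gaps(gaps, start=0):
    """Build absolute timestamps from a list of inter-connection gaps."""
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out


# Constructed inputs (not captured traffic):
FIXED_BEACON = timestamps_from_gaps([60] * 11)                      # sleep(60) every time
JITTERED_BEACON = timestamps_from_gaps([60, 72, 48, 66, 54, 75, 45, 63, 57, 69, 51])  # 60s +/-25%
BROWSING = timestamps_from_gaps([3, 1, 900, 2, 45, 7200, 12, 1, 30, 600])  # a person at a browser

if __name__ == "__main__":
    for name, ts in [("fixed", FIXED_BEACON), ("jittered", JITTERED_BEACON), ("browsing", BROWSING)]:
        print(name, beacon_score(ts))
```

The jittered schedule still scores as a beacon because its spread stays at 0.25 of the median, while the browsing sample's spread is in the hundreds. The self-removal timeout described above also cuts the other way for responders: blocking the attackers' server at the perimeter before a host is imaged can leave the backdoor unable to check in, after which it may remove itself and take its evidence with it, so collect memory and disk first.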
The three modules are:
- Process creator: executes the specified command line as a new process and returns the resulting output to the Orchestrator.
- Info collector: gathers information about the computer through Windows Management Instrumentation queries and passes it back to the Orchestrator. The information collected includes the operating system, network adapters, installed software, drives, services, drivers, processes, users, environment variables and security software.
- File reader: reads the specified file and passes its content back to the Orchestrator. It can also delete the file after reading it. This module was observed retrieving a victim's Outlook data file.
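The Info collector and File reader behaviors above are both visible in ordinary endpoint telemetry. The following is an added example written for this article, not Eset's detection logic or Deadglyph code; it runs two hunts over constructed event records: a process that queries many host-inventory WMI classes in one short sweep, and a non-Outlook process reading an Outlook data file. The event field names (ts, type, host, pid, image, wmi_class, path) are this example's own rather than a vendor schema, the process names are invented, and the Win32_* class names are this example's mapping of the categories listed above onto the WMI classes that return them.

```python
"""Hunting for Info collector and File reader module behaviour in endpoint telemetry.

Added example, not Eset's detection logic or Deadglyph code. The event
records are constructed; their field names are this example's own, and the
Win32_* class names are this example's mapping of the collected categories
onto the WMI classes that return them.
"""
from collections import defaultdict

# WMI classes that return each category of host information the module collects.
RECON_CLASSES = {
    "Win32_OperatingSystem": "operating system",
    "Win32_NetworkAdapterConfiguration": "network adapters",
    "Win32_Product": "installed software",
    "Win32_LogicalDisk": "drives",
    "Win32_Service": "services",
    "Win32_SystemDriver": "drivers",
    "Win32_Process": "processes",
    "Win32_UserAccount": "users",
    "Win32_Environment": "environment variables",
    "AntiVirusProduct": "security software",  # lives in the root\SecurityCenter2 namespace
}
OUTLOOK_DATA_EXTS = (".pst", ".ost")
OUTLOOK_IMAGES = {"outlook.exe"}


def wmi_recon_bursts(events, min_classes=5, window=300):
    """Processes that query at least min_classes distinct recon classes within window seconds.

    Management agents poll one or two classes on a schedule; a process that
    sweeps OS, adapters, drives, services, processes, users and AV in one go
    looks like a collector module.
    """
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "wmi_query" and e.get("wmi_class") in RECON_CLASSES:
            per_proc[(e["host"], e["pid"], e["image"])].append((e["ts"], e["wmi_class"]))
    hits = []
    for key, queries in per_proc.items():
        queries.sort()
        for i, (t0, _) in enumerate(queries):
            seen = {c for t, c in queries[i:] if t - t0 <= window}
            if len(seen) >= min_classes:
                hits.append((key, sorted(seen)))
                break
    return hits


def outlook_store_reads(events):
    """Reads of Outlook data files (.pst/.ost) by anything other than Outlook itself."""
    hits = []
    for e in events:
        if e["type"] != "file_read":
            continue
        if e["path"].lower().endswith(OUTLOOK_DATA_EXTS) and e["image"].lower() not in OUTLOOK_IMAGES:
            hits.append((e["host"], e["pid"], e["image"], e["path"]))
    return hits


def _ev(ts, kind, pid, image, **fields):
    return {"ts": ts, "type": kind, "host": "ws01", "pid": pid, "image": image, **fields}


# Constructed sample telemetry (process names invented):
EVENTS = [
    # a benign monitoring agent polling a single class every five minutes
    _ev(0, "wmi_query", 900, "monitor.exe", wmi_class="Win32_Process"),
    _ev(300, "wmi_query", 900, "monitor.exe", wmi_class="Win32_Process"),
    _ev(600, "wmi_query", 900, "monitor.exe", wmi_class="Win32_Process"),
    # an unknown binary enumerating the host in one sweep, then reading the mailbox store
    _ev(1000, "wmi_query", 4120, "loader.exe", wmi_class="Win32_OperatingSystem"),
    _ev(1001, "wmi_query", 4120, "loader.exe", wmi_class="Win32_NetworkAdapterConfiguration"),
    _ev(1003, "wmi_query", 4120, "loader.exe", wmi_class="Win32_LogicalDisk"),
    _ev(1004, "wmi_query", 4120, "loader.exe", wmi_class="Win32_Service"),
    _ev(1006, "wmi_query", 4120, "loader.exe", wmi_class="Win32_Process"),
    _ev(1007, "wmi_query", 4120, "loader.exe", wmi_class="Win32_UserAccount"),
    _ev(1009, "wmi_query", 4120, "loader.exe", wmi_class="AntiVirusProduct"),
    _ev(1400, "file_read", 4120, "loader.exe", path=r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"),
    # Outlook opening its own store is expected
    _ev(1500, "file_read", 2210, "OUTLOOK.EXE", path=r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"),
]

if __name__ == "__main__":
    for key, classes in wmi_recon_bursts(EVENTS):
        print("WMI recon burst:", key, classes)
    for hit in outlook_store_reads(EVENTS):
        print("Outlook store read by non-Outlook process:", hit)
```

The monitoring agent never trips the first hunt because it touches one class, however often; the sweep is what matters. Tune min_classes and window to the inventory tools in your own environment, and treat a non-Outlook read of a .pst or .ost file as worth a look on its own, since that is exactly what the File reader module was seen doing.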