Cybersecurity researchers have found a beforehand undocumented superior backdoor dubbed Deadglyph employed by a risk actor often called Stealth Falcon as a part of a cyber espionage marketing campaign.
“Deadglyph’s architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly,” ESET said in a new report shared with The Hacker Information.
“This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize.”
It is also suspected that using totally different programming languages is a deliberate tactic to hinder evaluation, making it much more difficult to navigate and debug.
Not like different conventional backdoors of its variety, the instructions are obtained from an actor-controlled server within the type of extra modules that enable it to create new processes, learn information, and acquire info from the compromised methods.
Stealth Falcon (aka FruityArmor) was first exposed by the Citizen Lab in 2016, linking it to a set of focused spy ware assaults within the Center East geared toward journalists, activists, and dissidents within the U.A.E. utilizing spear-phishing lures embedding booby-trapped hyperlinks pointing to macro-laced paperwork to ship a customized implant able to executing arbitrary instructions.
A subsequent investigation undertaken by Reuters in 2019 revealed a clandestine operation referred to as Project Raven that concerned a gaggle of former U.S. intelligence operatives who have been recruited by a cybersecurity agency named DarkMatter to spy on targets essential of the Arab monarchy.
Stealth Falcon and Mission Raven are believed to be the identical group based mostly on the overlaps in techniques and concentrating on.
The group has since been linked to the zero-day exploitation of Home windows flaws equivalent to CVE-2018-8611 and CVE-2019-0797with Mandiant noting in April 2020 that the espionage actor “used more zero-days than any other group” from 2016 to 2019.
Across the similar time, ESET detailed the adversary’s use of a backdoor named Win32/StealthFalcon that was discovered to make use of the Home windows Background Clever Switch Service (BITS) for command-and-control (C2) communications and to achieve full management of an endpoint.
Deadglyph is the most recent addition to Stealth Falcon’s arsenal, in response to the Slovak cybersecurity agency, which analyzed an intrusion at an unnamed governmental entity within the Center East.
The precise methodology used to ship the implant is presently unknown, however the preliminary part that prompts its execution is a shellcode loader that extracts and hundreds shellcode from the Home windows Registry, which subsequently launches Deadglyph’s native x64 module, known as the Executor.
The Executor then proceeds with loading a .NET part often called the Orchestrator that, in flip, communicates with the command-and-control (C2) server to await additional directions. The malware additionally engages in a sequence of evasive maneuvers to fly beneath the radar, counting the power to uninstall itself.
The instructions obtained from the server are queued for execution and might fall into one in all three classes: Orchestrator duties, Executor duties, and Add duties.
“Executor tasks offer the ability to manage the backdoor and execute additional modules,” ESET stated. “Orchestrator tasks offer the ability to manage the configuration of the Network and Timer modules, and also to cancel pending tasks.”
AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks
Able to sort out new AI-driven cybersecurity challenges? Be part of our insightful webinar with Zscaler to deal with the rising risk of generative AI in cybersecurity.
A few of the recognized Executor duties comprise course of creation, file entry, and system metadata assortment. The Timer module is used to ballot the C2 server periodically together with the Community module, which implements the C2 communications utilizing HTTPS POST requests.
Add duties, because the title implies, enable the backdoor to add the output of instructions and errors.
ESET stated it additionally recognized a management panel (CPL) file that was uploaded to VirusTotal from Qatar, which is alleged to have functioned as a place to begin for a multi-stage chain that paves the way in which for a shellcode downloader that shares some code resemblances with Deadglyph.
Whereas the character of the shellcode retrieved from the C2 server stays unclear, it has been theorized that the content material might probably function the installer for the Deadglyph malware.
Deadglyph will get its title from artifacts discovered within the backdoor (hexadecimal IDs 0xDEADB001 and 0xDEADB101 for the Timer module and its configuration), coupled with the presence of a homoglyph assault impersonating Microsoft (“Ϻicrоsоft Corpоratiоn”) within the Registry shellcode loader’s VERSIONINFO resource.
“Deadglyph boasts a range of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns,” the corporate stated. “Furthermore, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases.”
Author: data@thehackernews.com (The Hacker Information)
Date: 2023-09-23 07:10:00
