Researchers have recently discovered a sophisticated backdoor with an unusual architecture, dubbed "Deadglyph," used in a cyber-espionage attack against a government agency in the Middle East. The malware is attributed to the Stealth Falcon advanced persistent threat (APT), a United Arab Emirates (UAE) state-sponsored group.
While routinely monitoring suspicious activity for some of its high-profile customers in the Middle East, ESET uncovered details of a custom attack that uses homoglyphs mimicking the name of technology giant Microsoft inside Unicode strings. In this case, a Cyrillic "M" and a Greek "o" were used in place of the Latin characters normally used in English, in the string "Microsoft Corporation."
The APT lives up to the "stealth" in its name, too. For instance, the Deadglyph malware does not carry traditional backdoor commands in the backdoor binary itself but instead receives its functionality dynamically from a command-and-control (C2) server in the form of modules. These use Windows and custom Executor APIs to enable dozens of capabilities, including loading executables, file operations, token impersonation, and encryption and hashing. This approach means that the threat actors can create as many modules as needed in order to customize their attacks.
In addition, the backdoor employs anti-detection mechanisms such as continuously monitoring system processes and randomizing its network patterns.
Three of nine modules have been uncovered — a process creator, a file reader, and an information collector — indicating that researchers still do not know the full breadth of Deadglyph's capabilities. ESET also found a shellcode downloader that could be used to install the malware.
In the past, Stealth Falcon (aka Fruity Armor or Project Raven) has been known to target political activists, dissidents, and journalists in the Middle East. This latest attack occurred somewhere in the region of the Anatolian and Arabian peninsulas, according to ESET. The firm also noted that a second sample of the malware was uploaded to VirusTotal from Qatar.
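The homoglyph trick described above is easy to check for on the defender's side: a string that claims to be a vendor name should not mix writing systems. The following Python example, added here and not taken from ESET's report or from the malware, extracts wide (UTF-16LE) strings from a constructed byte blob and flags any string whose letters come from more than one Unicode script. The sample blob, the substituted code points (U+041C, U+03BF), and the helper names are assumptions made for the example; the only fact taken from the article is that a Cyrillic "M" and a Greek "o" were used in "Microsoft Corporation".

```python
from collections import Counter
from typing import List, Optional, Tuple
import unicodedata

# Constructed sample strings: GENUINE is the expected vendor string, SPOOFED
# substitutes Cyrillic Em (U+041C) for "M" and Greek omicron (U+03BF) for "o".
GENUINE = "Microsoft Corporation"
SPOOFED = "\u041cicr\u03bfsoft Corporation"

# Constructed blob imitating NUL-terminated wide strings in a PE resource section.
SAMPLE_BLOB = (
    b"\x00\x00"
    + GENUINE.encode("utf-16-le") + b"\x00\x00"
    + SPOOFED.encode("utf-16-le") + b"\x00\x00"
)


def script_of(ch: str) -> Optional[str]:
    """Return the script of a letter, taken from the first word of its Unicode
    name ('CYRILLIC CAPITAL LETTER EM' -> 'CYRILLIC'); None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def mixed_script_chars(s: str) -> List[Tuple[int, str, str]]:
    """Return (index, char, script) for every letter whose script differs from
    the dominant script of the string. An empty list means single-script."""
    letters = [(i, ch, script_of(ch)) for i, ch in enumerate(s)]
    letters = [t for t in letters if t[2] is not None]
    if not letters:
        return []
    dominant = Counter(sc for _, _, sc in letters).most_common(1)[0][0]
    return [t for t in letters if t[2] != dominant]


def extract_utf16le_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Collect runs of printable UTF-16LE code units (Windows wide strings).
    Only the even byte alignment is scanned here; a production tool would
    also scan the odd offset."""
    found: List[str] = []
    run: List[str] = []
    for off in range(0, len(data) - 1, 2):
        unit = data[off:off + 2].decode("utf-16-le", errors="replace")
        if unit.isprintable() and unit != "\ufffd":
            run.append(unit)
        else:
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def flag_spoofed_strings(strings: List[str]) -> List[Tuple[str, List[Tuple[int, str, str]]]]:
    """Pair each mixed-script string with the characters that betray it."""
    flagged = []
    for s in strings:
        odd = mixed_script_chars(s)
        if odd:
            flagged.append((s, odd))
    return flagged


def scan_blob(data: bytes) -> List[Tuple[str, List[Tuple[int, str, str]]]]:
    """End-to-end check: wide-string extraction followed by mixed-script detection."""
    return flag_spoofed_strings(extract_utf16le_strings(data))


if __name__ == "__main__":
    for s, odd in scan_blob(SAMPLE_BLOB):
        print(f"mixed-script string {s!r}:")
        for i, ch, sc in odd:
            print(f"  index {i}: {ch!r} U+{ord(ch):04X} ({sc})")
```

A string written entirely in one non-Latin script (a legitimately localized product name, for example) has a single dominant script and is not flagged, so the check targets exactly the substitution pattern ESET describes rather than non-English text in general.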
Author: Dark Reading Staff, Dark Reading
Date: 2023-09-25 16:25:00