
Deadglyph Backdoor

Cybersecurity analysts recently uncovered an advanced backdoor known as "Deadglyph," which had not been previously documented. This sophisticated malware was employed by a threat actor named "Stealth Falcon" as part of their cyber espionage campaign.

What sets Deadglyph apart is its unconventional architecture, consisting of two cooperating components. One is a native x64 binary, while the other is a .NET assembly. This departure from the norm is noteworthy because most malware relies on a single programming language for its components. The adoption of this dual-language approach suggests the possibility of separate development efforts for these two components, capitalizing on the unique capabilities of each programming language.

Furthermore, it is suspected that the deliberate use of different programming languages serves as a strategic tactic to impede analysis efforts. This makes it considerably more challenging for security researchers to navigate and debug the malware, adding one more layer of complexity to its detection and mitigation.

Deadglyph Backdoor Displays Unusual Characteristics

Deadglyph represents the latest addition to Stealth Falcon's arsenal, wielded against an undisclosed governmental entity in the Middle East. What sets it apart from conventional backdoors is how this threatening tool receives its commands from the server controlled by the threat actor: they arrive in the form of supplementary modules, granting Deadglyph the capability to initiate new processes, access files, and harvest data from compromised systems.

The exact method of implant delivery remains a mystery. However, the initial trigger for its execution is a shellcode loader that retrieves and loads shellcode from the Windows Registry. This, in turn, initiates the execution of Deadglyph's native x64 component, known as the "Executor."

A Deadglyph Infection Can Have Disastrous Consequences for Victims

The Executor, once activated, proceeds to load a .NET component called the "Orchestrator." The Orchestrator establishes communication with the Command-and-Control (C2) server, awaiting further directives. This malware also employs a series of evasion tactics to stay below the radar, even possessing the ability to self-uninstall. Commands received from the server are queued for execution, falling into three distinct categories: Orchestrator tasks, Executor tasks and Upload tasks.

Executor tasks grant control over the backdoor's management and the execution of additional modules. Orchestrator tasks, on the other hand, manage the configuration of the Network and Timer modules and can cancel pending tasks.

Several Executor tasks have been identified, including the creation of processes, file access, and the collection of system metadata. The Timer module periodically contacts the C2 server in conjunction with the Network module, facilitating C2 communication via HTTPS POST requests. Upload tasks, as their name implies, enable the backdoor to transmit the results of commands and any encountered errors.

Deadglyph boasts an array of anti-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns. Furthermore, it possesses the capability to self-uninstall in certain scenarios to reduce the likelihood of detection.
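For defenders, the periodic HTTPS POST check-ins with randomized timing described above can still be hunted in web proxy logs, because jitter around a fixed timer remains far steadier than human traffic. The following is an added example, not part of the original analysis and not the malware's code; it assumes a TLS-inspecting proxy that records the request method, and the log format, hosts, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def make_lines(client, method, host, gaps, start="2023-09-01T09:00:00"):
    """Build constructed proxy-log lines: 'ISO8601 client METHOD host'."""
    t = datetime.fromisoformat(start)
    lines = [f"{t.isoformat()} {client} {method} {host}"]
    for gap in gaps:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {client} {method} {host}")
    return lines

# Constructed sample data: hosts, addresses and timings are made up.
SAMPLE_LOG = (
    # Jittered check-in: roughly every 5 minutes, +/- 14 %.
    make_lines("10.0.0.5", "POST", "cdn.example.net", [300, 342, 261, 318, 285, 330, 273])
    # A person submitting forms: irregular gaps from seconds to 20 minutes.
    + make_lines("10.0.0.7", "POST", "intranet.example.org", [60, 5, 1200, 45, 400, 90, 15])
    # Regular polling with GET, ignored because only POSTs are examined.
    + make_lines("10.0.0.9", "GET", "feeds.example.com", [300] * 7)
    + ["malformed line"]
)

def find_post_beacons(lines, min_posts=6, min_gap=30, max_dispersion=0.35):
    """Return (client, host, median_gap_s, dispersion) for steady POST series."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "POST":
            continue  # skip malformed lines and other methods
        seen[(parts[1], parts[3])].append(datetime.fromisoformat(parts[0]))
    hits = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid < min_gap:
            continue  # rapid bursts (page loads, retries) are not check-ins
        # Median absolute deviation tolerates jitter and a few missed polls.
        dispersion = median(abs(g - mid) for g in gaps) / mid
        if dispersion <= max_dispersion:
            hits.append((client, host, round(mid), round(dispersion, 2)))
    return sorted(hits)

if __name__ == "__main__":
    print(find_post_beacons(SAMPLE_LOG))
```

The thresholds are starting points to tune against a baseline of known-good software that also polls on a timer, such as update agents and telemetry clients.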

The Stealth Falcon Cybercrime Group Has Been Operating for Close to a Decade

Stealth Falcon, also known as FruityArmor, initially came to public attention in 2016 when researchers uncovered its involvement in targeted spyware attacks within the Middle East. These attacks were directed at journalists, activists, and dissidents in the United Arab Emirates (U.A.E.). The threat actors employed spear-phishing tactics, enticing victims with deceptive links embedded in emails that led to macro-laden documents. These documents served as delivery mechanisms for a custom implant capable of executing arbitrary commands.

A subsequent investigation in 2019 unveiled a covert operation named Project Raven, which featured a group of former U.S. intelligence professionals recruited by a cybersecurity firm called DarkMatter. Their mission was to conduct surveillance on individuals critical of the Arab monarchy. Remarkably, Stealth Falcon and Project Raven appear to be one and the same, as evidenced by their shared tactics and targets.

Over time, this group has been linked to the exploitation of zero-day vulnerabilities in Windows, including CVE-2018-8611 and CVE-2019-0797. Information security researchers have noted that, between 2016 and 2019, this espionage group made more extensive use of zero-day vulnerabilities than any other entity.

Around this same period, the adversary was observed utilizing a backdoor known as Win32/StealthFalcon. This threat leveraged the Windows Background Intelligent Transfer Service (BITS) for Command-and-Control (C2) communications, granting the attackers complete control over compromised endpoints.

