UAE-Linked 'Stealth Falcon' APT Mimics Microsoft in Homoglyph Attack

Researchers have recently discovered a sophisticated backdoor with unusual architecture, dubbed "Deadglyph," used in a cyber-espionage attack in the Middle East against a government agency. The malware is attributed to the Stealth Falcon advanced persistent threat (APT), a United Arab Emirates (UAE) state-sponsored group.

In a routine monitoring of suspicious activities for some of its Middle East high-profile customers, ESET gleaned details on a custom attack that uses homoglyphs, mimicking the name of technology giant Microsoft inside unicode strings. In this case, Cyrillic "M" and Greek "o" alphabet letters where used in place of the standard Latin characters usually used in English, in the string "Microsoft Corporation."

The APT is living up to the "stealth" in its name, too. For instance, the Deadglyph malware does not receive traditional backdoor commands from the backdoor binary but instead receives its functions dynamically from a command-and-control (C2) server in the form of modules. These use Windows and custom Executor APIs to enable dozens of capabilities, including loading executables, file operations, token impersonation, and encryption and hashing. This approach means that threat actors can create as many modules as needed in order to customize the attacks.

In addition to this, the backdoor employs anti-detection mechanisms such as continuously monitoring system processes as well as implementing randomized network patterns.

Three out of nine modules have been uncovered — process creator, file reader, and an info collector — indicating that researchers still don't know the full breadth of Deadglyph's capabilities. ESET also discovered a shellcode downloader that could be used to install the malware. 

In the past, Stealth Falcon (aka Fruity Armor or Project Raven) has been known to target political activists, dissidents, and journalists in the Middle East. This latest attack occurred somewhere in the region of the Anatolian and Arabian peninsulas, according to ESET. The firm also noted that a second sample of the malware was uploaded to Virus Total, from Qatar.