UAE-Linked 'Stealth Falcon' APT Mimics Microsoft in Homoglyph Attack
The cyberattackers are using the "Deadglyph" custom spyware, whose full capabilities have not yet been uncovered.
Researchers have recently discovered a sophisticated backdoor with unusual architecture, dubbed "Deadglyph," used in a cyber-espionage attack in the Middle East against a government agency. The malware is attributed to the Stealth Falcon advanced persistent threat (APT), a United Arab Emirates (UAE) state-sponsored group.
In routine monitoring of suspicious activity for some of its high-profile Middle East customers, ESET gleaned details on a custom attack that uses homoglyphs, mimicking the name of technology giant Microsoft inside Unicode strings. In this case, a Cyrillic "M" and a Greek "o" were used in place of the standard Latin characters in the string "Microsoft Corporation."
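As an added example (not from ESET or this article), a small Python check a defender could run over vendor strings pulled from a binary's version info to flag exactly this kind of mixed-script lookalike; the confusables table and the sample strings are constructed here, and a production check would use Unicode's confusables data.

```python
import unicodedata

# Constructed sample data: the Latin vendor string an analyst expects, and a
# look-alike that swaps in Cyrillic "М" (U+041C) and Greek "ο" (U+03BF), the
# substitution described in the article. Both are illustrative, not real samples.
EXPECTED = "Microsoft Corporation"
SPOOFED = "\u041cicr\u03bfsoft Corporation"

# Minimal confusables table (assumed, not from the page): non-Latin letters that
# render like Latin ones. Extend from Unicode's confusables.txt in practice.
CONFUSABLES = {
    "\u041c": "M",  # CYRILLIC CAPITAL LETTER EM
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

def script_of(ch: str) -> str:
    """Script of a letter ('LATIN', 'CYRILLIC', 'GREEK', ...) from its Unicode name."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]

def scripts_used(s: str) -> set:
    """Scripts of all letters in s; more than one in a vendor name is a red flag."""
    return {script_of(c) for c in s if c.isalpha()}

def fold_confusables(s: str) -> str:
    """Replace known look-alike letters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in s)

def homoglyph_verdict(s: str, known_vendors=(EXPECTED,)) -> str:
    """'clean' on an exact match, 'spoof' when s folds to a known vendor name,
    'mixed-script' when scripts are mixed but no vendor matches, else 'unknown'."""
    if s in known_vendors:
        return "clean"
    if fold_confusables(s) in known_vendors:
        return "spoof"
    if len(scripts_used(s)) > 1:
        return "mixed-script"
    return "unknown"
```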
The APT is living up to the "stealth" in its name, too. For instance, the Deadglyph malware does not carry traditional backdoor commands inside the backdoor binary itself but instead receives its functionality dynamically from a command-and-control (C2) server in the form of modules. These use Windows and custom Executor APIs to enable dozens of capabilities, including loading executables, file operations, token impersonation, and encryption and hashing. This approach means that threat actors can create as many modules as needed in order to customize the attacks.
In addition to this, the backdoor employs anti-detection mechanisms such as continuously monitoring system processes as well as implementing randomized network patterns.
Three out of nine modules have been uncovered — process creator, file reader, and an info collector — indicating that researchers still don't know the full breadth of Deadglyph's capabilities. ESET also discovered a shellcode downloader that could be used to install the malware.
In the past, Stealth Falcon (aka Fruity Armor or Project Raven) has been known to target political activists, dissidents, and journalists in the Middle East. This latest attack occurred somewhere in the region of the Anatolian and Arabian peninsulas, according to ESET. The firm also noted that a second sample of the malware was uploaded to VirusTotal from Qatar.