UAE-Linked 'Stealth Falcon' APT Mimics Microsoft in Homoglyph Attack
The cyberattackers are using the "Deadglyph" custom spyware, whose full capabilities have not yet been uncovered.
September 25, 2023
Researchers have recently discovered a sophisticated backdoor with unusual architecture, dubbed "Deadglyph," used in a cyber-espionage attack in the Middle East against a government agency. The malware is attributed to the Stealth Falcon advanced persistent threat (APT), a United Arab Emirates (UAE) state-sponsored group.
During routine monitoring of suspicious activity for some of its high-profile Middle East customers, ESET gleaned details of a custom attack that uses homoglyphs, mimicking the name of technology giant Microsoft inside Unicode strings. In this case, a Cyrillic "M" and a Greek "o" were used in place of the standard Latin letters in the string "Microsoft Corporation."
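A defender-side check for the homoglyph trick described above, as an added example that is not from the article or from ESET: it derives each letter's script from its Unicode character name, flags strings that mix scripts, and folds a small, hand-picked confusables table (an assumption, not a complete mapping) so a look-alike collapses to the trusted vendor name. The sample strings are constructed for the example.

```python
import unicodedata
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample strings: the genuine vendor name and a look-alike that swaps in
# Cyrillic capital EM (U+041C) and Greek small omicron (U+03BF), the substitution
# the article describes.
GENUINE = "Microsoft Corporation"
SPOOFED = "\u041Cicr\u03BFsoft Corporation"

# Assumed, deliberately small confusables table: non-Latin letters that render like
# Latin ones, mapped to the Latin letter they imitate.
CONFUSABLES: Dict[str, str] = {
    "\u041C": "M",  # CYRILLIC CAPITAL LETTER EM
    "\u03BF": "o",  # GREEK SMALL LETTER OMICRON
    "\u043E": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def script_of(ch: str) -> Optional[str]:
    """Script name taken from the first word of the Unicode name
    ('CYRILLIC CAPITAL LETTER EM' -> 'CYRILLIC'); None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else None


def scripts_in(s: str) -> Set[str]:
    """Set of scripts used by the letters in s (spaces and digits ignored)."""
    return {sc for sc in map(script_of, s) if sc}


def skeleton(s: str) -> str:
    """Fold known confusables to Latin so look-alikes compare equal to the real name."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def check_vendor_string(s: str, trusted: str) -> Dict[str, object]:
    """Report mixed scripts, non-Latin letters, and whether s is a disguised copy of trusted."""
    non_latin: List[Tuple[str, str]] = [
        (ch, unicodedata.name(ch, "?")) for ch in s if script_of(ch) not in (None, "LATIN")
    ]
    return {
        "mixed_script": len(scripts_in(s)) > 1,
        "non_latin": non_latin,
        "lookalike_of_trusted": s != trusted and skeleton(s) == trusted,
    }
```

Running it on a binary's version-info CompanyName field (or any vendor string pulled from telemetry) gives a cheap triage signal: a "Microsoft Corporation" that mixes scripts but collapses to the trusted name is worth a closer look.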
The APT is living up to the "stealth" in its name, too. For instance, the Deadglyph backdoor binary does not carry a traditional set of built-in commands; instead, it receives its functionality dynamically from a command-and-control (C2) server in the form of modules. These use Windows and custom Executor APIs to enable dozens of capabilities, including loading executables, file operations, token impersonation, and encryption and hashing. This approach means that the threat actors can create as many modules as needed in order to customize the attacks.
In addition, the backdoor employs anti-detection mechanisms such as continuously monitoring system processes and randomizing its network patterns.
Three out of nine modules have been uncovered — process creator, file reader, and an info collector — indicating that researchers still don't know the full breadth of Deadglyph's capabilities. ESET also discovered a shellcode downloader that could be used to install the malware.
In the past, Stealth Falcon (aka Fruity Armor or Project Raven) has been known to target political activists, dissidents, and journalists in the Middle East. This latest attack occurred somewhere in the region of the Anatolian and Arabian peninsulas, according to ESET. The firm also noted that a second sample of the malware was uploaded to VirusTotal from Qatar.