
Stealth Falcon's Deadglyph Backdoor

Written by The Hivemind | Oct 6, 2023 5:42:37 PM

Verticals Targeted: Government 

Executive Summary

Deadglyph is a backdoor used by the Stealth Falcon threat actor group for espionage operations targeting entities in the Middle East.

Key Takeaways

  • Deadglyph is a backdoor used by the Stealth Falcon threat actor group for espionage operations targeting entities in the Middle East, including at least one government entity.
  • ESET researchers named the backdoor after artifacts found in the malware, including the value 0xDEADB001 and a homoglyph attack mimicking "Microsoft Corporation" in PE components.
  • Deadglyph consists of two cooperating components: a native x64 binary and a .NET assembly.
  • Stealth Falcon is a UAE-nexus threat actor group known to engage in information theft and espionage.

What is Deadglyph?

ESET recently reported on Deadglyph, a backdoor used by the Stealth Falcon threat actor group for espionage operations targeting entities in the Middle East, including at least one government entity. ESET researchers named the backdoor after artifacts found in the malware, including the value 0xDEADB001 and a homoglyph attack mimicking "Microsoft Corporation" in PE components.
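The homoglyph trick ESET describes relies on a vendor string that reads as "Microsoft Corporation" but contains lookalike code points. The following Python is an added example, not code from the original post or from ESET, showing how a defender can fold such a string to its ASCII "skeleton" and flag the mismatch. The confusables table is a constructed subset (Cyrillic lookalikes only; Unicode's full confusables.txt is far larger), and the sample strings are constructed; the page does not say which script Deadglyph's homoglyphs use. In practice the input would be the CompanyName field read from a PE file's version resource.

```python
import unicodedata

# The vendor string the backdoor's PE components imitate, per ESET's naming note.
TARGET = "Microsoft Corporation"

# Constructed confusables table for this example: a handful of Cyrillic
# letters whose glyphs match Latin ones. Unicode's confusables.txt is far
# larger; this subset is only enough to demonstrate the check.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0410": "A",  # CYRILLIC CAPITAL LETTER A
    "\u0415": "E",  # CYRILLIC CAPITAL LETTER IE
    "\u041c": "M",  # CYRILLIC CAPITAL LETTER EM
    "\u041e": "O",  # CYRILLIC CAPITAL LETTER O
    "\u0420": "P",  # CYRILLIC CAPITAL LETTER ER
    "\u0421": "C",  # CYRILLIC CAPITAL LETTER ES
    "\u0422": "T",  # CYRILLIC CAPITAL LETTER TE
}


def skeleton(text: str) -> str:
    """Fold a string to the ASCII 'skeleton' a human would read it as."""
    # NFKC folds fullwidth and other compatibility forms (e.g. U+FF2D -> 'M').
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def suspicious_chars(text: str) -> list:
    """Return (index, char, Unicode name) for every non-ASCII code point."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if ord(ch) > 0x7F]


def classify_company_name(name: str, target: str = TARGET) -> str:
    """'match' = exact vendor string; 'homoglyph' = reads like the vendor
    string but contains lookalike code points; 'other' = anything else."""
    if name == target:
        return "match"
    if skeleton(name) == target:
        return "homoglyph"
    return "other"


# Constructed samples of what a CompanyName field might hold. The second
# swaps Latin 'o' for Cyrillic 'о' (U+043E); the third uses a fullwidth 'M'.
SAMPLES = [
    "Microsoft Corporation",
    "Micr\u043esoft C\u043erporation",
    "\uff2dicrosoft Corporation",
    "Contoso Ltd",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_company_name(s):10} {s!r}")
        for idx, ch, uname in suspicious_chars(s):
            print(f"           pos {idx}: {ch!r} {uname}")
```

The exact-match check comes first so a genuine vendor string is never reported; only strings whose skeleton collapses to the target while the raw bytes differ are labelled as homoglyphs, and `suspicious_chars` tells the analyst which code points caused it.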

Deadglyph consists of two cooperating components: a native x64 binary and a .NET assembly. ESET researchers noted this is unusual, as the components of a given malware family are typically written in a single programming language. They suggested the use of two languages could be due to the distinct features each language offers, or a deliberate means of hindering analysis.

The initial component is a registry shellcode loader. The extracted shellcode loads the native x64 parts of the backdoor, referred to as the Executor. The Executor then loads the .NET portion of the backdoor, known as the Orchestrator, and acts as a library for the Orchestrator. The Orchestrator establishes communication with the C2 and executes commands. The only component found on the system’s disk as a file is the initial component, a DLL. Deadglyph’s main components are encrypted using a machine-specific key.

Deadglyph’s backdoor commands are not implemented in the backdoor binary but are dynamically received from the C2 as additional modules. Three of the known modules are the process creator, the file reader, and the info collector.

In the course of their research, ESET also discovered a related shellcode downloader that may be used to install Deadglyph. 

Who is Stealth Falcon?

Stealth Falcon, also known as Project Raven, G0038, and FruityArmor, is a UAE-nexus threat actor group known to engage in information theft and espionage. Citizen Lab noted they discovered circumstantial evidence suggesting Stealth Falcon may be associated with the UAE Security Forces.

Stealth Falcon has been active since at least 2012 and is known to target political activists, journalists, and dissidents in the Middle East. Targets have included entities in the Netherlands, Saudi Arabia, Thailand, UAE, and UK. Stealth Falcon TTPs include but are not limited to spearphishing, PowerShell macros, URL shorteners, and social engineering. Stealth Falcon is thought to be a sophisticated threat actor.

IOCs

PolySwarm has a sample associated with Deadglyph.

5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15

You can use the following CLI command to search for all Deadglyph samples in our portal:

$ polyswarm link list -f Deadglyph
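Beyond searching the portal, the published hash can be hunted for on disk. The Python below is an added example (not PolySwarm's code) that streams every file under a directory through SHA-256 and reports hits against an IOC set containing the hash above. The `demo()` function builds a constructed temporary directory with harmless files (no real malware) and adds the hash of one of them to the IOC set so the scan has exactly one hit to show.

```python
import hashlib
import os
import tempfile

# SHA-256 published above for the Deadglyph sample PolySwarm holds.
DEADGLYPH_SHA256 = "5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15"


def sha256_of_stream(fobj, chunk_size=1 << 20) -> str:
    """Hash a file object in chunks so large files are never read whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_tree(root: str, ioc_hashes) -> list:
    """Walk `root`, hash every regular file, and return [(path, sha256)]
    for files whose digest is in `ioc_hashes`. Unreadable files (locked,
    permission denied) are skipped so one bad file does not abort the scan."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    digest = sha256_of_stream(f)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo() -> list:
    """Constructed directory for illustration only: two harmless files.
    The hash of the 'abc' file is added to the IOC set next to the
    published Deadglyph hash, so exactly one hit is expected."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "sub", "benign.bin"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(tmp, "sub", "suspect.dll"), "wb") as f:
            f.write(b"abc")
        iocs = {DEADGLYPH_SHA256, sha256_of_bytes(b"abc")}
        return [(os.path.relpath(p, tmp), d) for p, d in scan_tree(tmp, iocs)]


if __name__ == "__main__":
    for path, digest in demo():
        print(f"IOC hit: {path} {digest}")
```

For a real hunt, call `scan_tree` on the directory of interest with `{DEADGLYPH_SHA256}` as the IOC set; hashes are compared case-insensitively so feeds that publish uppercase digests work unchanged.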


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.