UAE-Linked ‘Stealth Falcon’ APT Mimics Microsoft in Homoglyph Attack


Researchers have recently found a sophisticated backdoor with an unusual architecture, dubbed “Deadglyph,” used in a cyber-espionage attack against a government agency in the Middle East. The malware is attributed to the Stealth Falcon advanced persistent threat (APT), a United Arab Emirates (UAE) state-sponsored group.

During routine monitoring of suspicious activity for some of its high-profile Middle East customers, ESET gathered details on a custom attack that uses homoglyphs to mimic the name of technology giant Microsoft inside Unicode strings. In this case, a Cyrillic “M” and a Greek “o” were used in place of the standard Latin characters normally used in English in the string “Microsoft Corporation.” The substituted letters render identically to the Latin ones in most fonts, so the string passes a visual inspection while failing any byte-for-byte comparison with the genuine vendor name, which is the check a reviewer should actually run.
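The check described above, as an added example that is not part of ESET’s report or tooling: a small Python script that pulls UTF-16LE strings out of a byte blob (the encoding Windows uses for PE resource strings), classifies each letter by Unicode script, folds look-alike characters to a Latin “skeleton,” and flags any string that renders like a trusted vendor name without being byte-identical to it. The confusables table, the vendor allowlist and the sample blob are all constructed here for illustration and are assumptions, not data taken from the analysed samples.

```python
"""Mixed-script / homoglyph check for vendor strings (illustrative, not ESET's code)."""
from __future__ import annotations

import unicodedata

# Constructed, deliberately small confusables table: Cyrillic and Greek code
# points that render like Latin letters. Unicode's confusables.txt (UTS #39)
# is far larger; this is only enough to demonstrate the technique.
CONFUSABLES = {
    # Cyrillic
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
    # Greek
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0396": "Z", "\u0397": "H",
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",
    "\u03a1": "P", "\u03a4": "T", "\u03a7": "X", "\u03bf": "o",
}

# Constructed allowlist: vendor strings an analyst would trust on sight.
KNOWN_VENDORS = {"Microsoft Corporation", "Microsoft Windows"}


def letter_scripts(s: str) -> set[str]:
    """Set of Unicode script names (LATIN, CYRILLIC, GREEK, ...) used by the
    letters in s. unicodedata.name() begins with the script name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in s if ch.isalpha()}


def skeleton(s: str) -> str:
    """Fold confusable characters to their Latin look-alikes so that strings
    which render identically compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def analyze(s: str, known=KNOWN_VENDORS) -> dict:
    """Classify one string: which scripts it mixes, its Latin skeleton, and
    whether it impersonates a known vendor name without matching it exactly."""
    scripts = letter_scripts(s)
    skel = skeleton(s)
    return {
        "scripts": scripts,
        "mixed_scripts": len(scripts) > 1,
        "skeleton": skel,
        "impersonates": skel if skel in known and skel != s else None,
    }


def utf16le_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Extract printable UTF-16LE runs from a byte blob. Scans 2-byte aligned
    positions only, which is how PE version resources are laid out."""
    found, run = [], []
    for i in range(0, len(data) - 1, 2):
        ch = chr(data[i] | (data[i + 1] << 8))
        if ch.isprintable():
            run.append(ch)
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def scan_blob(data: bytes, known=KNOWN_VENDORS) -> list[tuple[str, dict]]:
    """Return every extracted string that mixes scripts or impersonates a
    known vendor, paired with its analysis."""
    hits = []
    for s in utf16le_strings(data):
        report = analyze(s, known)
        if report["mixed_scripts"] or report["impersonates"]:
            hits.append((s, report))
    return hits


# Constructed sample: the genuine vendor string next to one spelled with
# CYRILLIC CAPITAL LETTER EM (U+041C) and GREEK SMALL LETTER OMICRON (U+03BF).
SPOOFED = "\u041cicr\u03bfsoft Corporation"
SAMPLE_BLOB = (
    b"\x00" * 8
    + "Microsoft Corporation".encode("utf-16-le") + b"\x00\x00"
    + SPOOFED.encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for s, r in scan_blob(SAMPLE_BLOB):
        print(f"{s!r}: scripts={sorted(r['scripts'])} impersonates={r['impersonates']!r}")
```

Against a real PE you would feed the bytes of the VS_VERSIONINFO resource (or the whole file) into `scan_blob` rather than the constructed blob; the genuine string is skipped because it is single-script and byte-identical to the allowlist entry, while the spoofed one is reported as LATIN+CYRILLIC+GREEK impersonating “Microsoft Corporation.” A skeleton match against an allowlist is the robust form of the check; eyeballing strings or matching them with a regular expression written in Latin letters both miss this substitution.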

The APT lives up to the “stealth” in its name, too. For instance, Deadglyph does not carry its backdoor commands inside the backdoor binary in the traditional way; instead it receives its functionality dynamically from a command-and-control (C2) server in the form of modules. These use Windows APIs and custom Executor APIs to enable dozens of capabilities, including loading executables, file operations, token impersonation, and encryption and hashing. This approach means the threat actors can create as many modules as needed to customize each attack, and it also means a captured binary on disk reveals little of what the implant can actually do.

In addition, the backdoor employs anti-detection mechanisms such as continuously monitoring system processes and randomizing its network patterns, which undermines detections keyed on fixed beaconing intervals.

Only three of nine modules have been recovered (a process creator, a file reader, and an information collector), so researchers still do not know the full breadth of Deadglyph’s capabilities. ESET also discovered a shellcode downloader that could be used to install the malware.

In the past, Stealth Falcon (aka FruityArmor or Project Raven) has been known to target political activists, dissidents, and journalists in the Middle East. This latest attack occurred somewhere in the region of the Anatolian and Arabian peninsulas, according to ESET. The firm also noted that a second sample of the malware was uploaded to VirusTotal from Qatar.
