Researchers Spot Novel “Deadglyph” Backdoor

Security researchers have revealed a sophisticated new modular backdoor which they believe is the work of the United Arab Emirates’ Stealth Falcon group.

The malware was dubbed “Deadglyph” by ESET after the name of artifacts found in the backdoor, plus the presence of a homoglyph attack, where lookalike characters are used to spoof a URL or code.

ESET said it found the sample after investigating a cyber-espionage attack on a government client in the Middle East.

Although the vendor was only able to retrieve three of the backdoor’s modules – covering a process creator, file reader and info collector – it claimed to have seen enough to know the malware is highly sophisticated.

Read more on Stealth Falcon: Reports: US Hackers Aid UAE to Spy on the Media

Commands are dynamically received via the command-and-control (C2) server as new modules rather than being implemented in the backdoor binary, it said.

There are also multiple anti-detection capabilities including continuous monitoring of system processes and execution of randomized network patterns. The malware also tries to hide in plain sight, using homoglyph techniques to masquerade as a legitimate Windows file: VersionInfo.

In addition, the backdoor will self-remove if it fails to establish a connection to the C2 server after a certain period.

The info collector module collects a wide range of information about a victim’s computer, including details on the OS, installed software and drivers, processes, services, users and security software. A file reader module reads specific files such as those containing Outlook data.

The ESET team also found a shellcode downloader which it believes could be used to install Deadglyph.

Also known as Project Raven, Stealth Falcon has been active since at least 2012 and has been known to target political activists, journalists and dissidents in the Middle East.