Stealth Falcon APT (aka Project Raven or FruityArmor), a state-sponsored hacking group from the United Arab Emirates (UAE), is mainly known for targeting activists, journalists, and dissidents in the Middle East.


Cybersecurity researchers from ESET have discovered a previously undocumented advanced backdoor called Deadglyph, which is employed by the threat actor for cyber espionage campaigns against a government agency in the Middle East.

Deadglyph’s architecture is unusual as it consists of cooperating components – one a native x64 binary and the other a .NET assembly.


This unique combination is believed to be a deliberate strategy to obfuscate and complicate analysis. The backdoor employs multiple evasion techniques to avoid detection, including a homoglyph attack impersonating Microsoft in the Registry shellcode loader’s VERSIONINFO resource.


The malware is modular, allowing the threat actors to create new modules as needed to tailor attacks and perform additional malicious functionality. Traditional backdoor commands are implemented via dynamically loaded .NET assemblies, further complicating analysis.
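As an added example (not code from ESET's report or from the Deadglyph sample), a defender-side check for the VERSIONINFO homoglyph trick described above: it folds lookalike characters and flags fields that read as "Microsoft" only after folding. The keyword list, the confusable map and the sample strings are constructed assumptions; a real triage tool would feed it the StringFileInfo values parsed from the PE.

```python
import unicodedata

# Vendor names a loader might want to impersonate in VERSIONINFO (assumed list).
TRUSTED_KEYWORDS = ("microsoft",)

# Lookalikes that NFKC does not fold: Cyrillic and Greek letters mapped to the
# Latin letters they resemble (constructed, deliberately small map).
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u0445": "x", "\u0443": "y",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u039a": "K", "\u03bf": "o",
}


def fold_confusables(s: str) -> str:
    """Normalize fullwidth/compatibility forms, then replace listed lookalikes."""
    s = unicodedata.normalize("NFKC", s)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def suspicious_chars(s: str) -> list:
    """Return (char, Unicode name) for every non-ASCII character in s."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in s if ord(ch) > 0x7F]


def check_versioninfo(strings: dict) -> list:
    """Flag VERSIONINFO fields that name a trusted vendor only after folding.

    strings: field name -> value, as extracted from a PE's StringFileInfo block.
    A field is reported when folding changed it (homoglyphs were present) and
    the folded text contains one of the trusted keywords.
    """
    findings = []
    for field, value in strings.items():
        folded = fold_confusables(value)
        if folded == value:
            continue  # plain ASCII or already canonical: nothing was disguised
        if any(k in folded.lower() for k in TRUSTED_KEYWORDS):
            findings.append({"field": field, "raw": value, "folded": folded,
                             "chars": suspicious_chars(value)})
    return findings


# Constructed sample: CompanyName spelled with Cyrillic 'с' (U+0441) and 'ѕ' (U+0455).
SAMPLE = {
    "CompanyName": "Mi\u0441ro\u0455oft Corporation",
    "ProductName": "Windows Shell",
    "FileDescription": "Microsoft Corporation",  # genuine ASCII, must not flag
}

if __name__ == "__main__":
    for f in check_versioninfo(SAMPLE):
        print(f"{f['field']}: {f['raw']!r} folds to {f['folded']!r}; chars={f['chars']}")
```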


MITRE ATT&CK techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Stealth Falcon has registered domains for C&C servers and to obtain a code-signing certificate. |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Stealth Falcon has used VPS hosting providers for C&C servers. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Stealth Falcon has developed custom malware, including custom loaders and the Deadglyph backdoor. |
| Resource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates | Stealth Falcon has obtained a code-signing certificate. |
| Execution | T1047 | Windows Management Instrumentation | Deadglyph uses WMI to execute its loading chain. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The shellcode downloader uses cmd.exe to delete itself. |
| Execution | T1106 | Native API | A Deadglyph module uses the CreateProcessW and CreateProcessAsUserW API functions for execution. |
| Execution | T1204.002 | User Execution: Malicious File | The shellcode downloader chain requires the user to double-click and execute it. |
| Persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | The initial Deadglyph loader is persisted using a WMI event subscription. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Deadglyph components are encrypted. The Deadglyph Orchestrator and embedded modules are obfuscated with .NET Reactor. The shellcode downloader is obfuscated with ConfuserEx. |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | Deadglyph can uninstall itself. The shellcode downloader chain deletes itself and deletes files in the WebDAV cache. |
| Defense Evasion | T1112 | Modify Registry | Deadglyph stores its configuration and encrypted payload in the registry. |
| Defense Evasion | T1134 | Access Token Manipulation | Deadglyph can impersonate another user. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Deadglyph decrypts encrypted strings. The shellcode downloader chain decrypts its components and configurations. |
| Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 | The initial Deadglyph loader is executed using rundll32.exe. |
| Defense Evasion | T1480.001 | Execution Guardrails: Environmental Keying | Deadglyph is encrypted using a machine-specific key derived from the system UUID. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | The shellcode downloader avoids AMSI scanning by patching clr.dll in memory. |
| Defense Evasion | T1620 | Reflective Code Loading | Deadglyph reflectively loads its modules using a custom PE loader. |
| Discovery | T1007 | System Service Discovery | A Deadglyph module discovers services using the WMI query SELECT * FROM Win32_Service. |
| Discovery | T1012 | Query Registry | The shellcode downloader chain queries the registry for the default browser. |
| Discovery | T1016 | System Network Configuration Discovery | A Deadglyph module discovers network adapters using the WMI queries SELECT * FROM Win32_NetworkAdapter and SELECT * FROM Win32_NetworkAdapterConfiguration where InterfaceIndex=%d. |
| Discovery | T1033 | System Owner/User Discovery | A Deadglyph module discovers users with the WMI query SELECT * FROM Win32_UserAccount. |
| Discovery | T1057 | Process Discovery | A Deadglyph module discovers processes using the WMI query SELECT * FROM Win32_Process. |
| Discovery | T1082 | System Information Discovery | A Deadglyph module discovers system information such as OS version, drives, environment variables, and drivers using WMI queries. |
| Discovery | T1518 | Software Discovery | A Deadglyph module discovers installed software using the WMI query SELECT * FROM Win32_Product. |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | A Deadglyph module discovers security software using the WMI queries SELECT * FROM AntiVirusProduct, SELECT * FROM AntiSpywareProduct and SELECT * FROM FirewallProduct. The shellcode downloader chain checks running processes for a security solution. |
| Collection | T1005 | Data from Local System | Deadglyph has a module for reading files. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Deadglyph and the shellcode downloader communicate with the C&C server over HTTP. |
| Command and Control | T1090 | Proxy | Deadglyph and the shellcode downloader can use an HTTP proxy for C&C communication. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Deadglyph uses AES to encrypt C&C communications. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Deadglyph uses the C&C channel for exfiltration. |

Indicators of Compromise
