A powerful new malware backdoor is targeting governments across the world
Stealth Falcon is back with brand-new modular malware.
Cybersecurity researchers from ESET have discovered a new, sophisticated piece of malware targeting government organizations in the Middle East.
The malware is dubbed Deadglyph and is believed to be the work of the Stealth Falcon APT, a state-sponsored threat actor allegedly based in the United Arab Emirates (UAE). The group, which BleepingComputer reports is also known to some researchers as Project Raven or FruityArmor, targets political activists, journalists, dissidents, and similar individuals.
In its technical writeup, ESET's researchers explained that Deadglyph is a modular piece of malware, capable of receiving additional modules from its command and control (C2) server depending on what the operators want to collect from the target endpoint. The modules can call both native Windows APIs and a custom Executor API, giving the threat actors at least a dozen functions to work with, including loading executable files, token impersonation, encryption, hashing, and more.
Multiple modules
ESET analyzed three modules - a process creator, an information collector, and a file reader. The collector, for example, tells the threat actors which operating system the victim is running, which network adapters the endpoint has, which software and drivers are installed, and more. The researchers believe up to 14 modules are available in total.
There is no word on specific targets, other than that the malware was found on a device belonging to a government entity. Earlier reports, however, describe Stealth Falcon as a decade-old threat actor (in operation since at least 2012) that targets political activists and journalists - not government employees.
In 2019, ESET analyzed one of Stealth Falcon's campaigns, concluding that the targets, although small in number, were scattered around the world - in the UAE, Saudi Arabia, Thailand, and the Netherlands. In the latter, though, the group targeted a diplomatic mission of a Middle Eastern country.
At the moment there is no information on how the attackers managed to infiltrate the target devices. For now, IT teams can only check their environments against the indicators of compromise ESET has published.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.