Cybersecurity researchers at ESET have discovered a new, advanced piece of malware targeting government organizations in the Middle East.
The malware, named Deadglyph, is apparently the work of the Stealth Falcon APT, a state-sponsored threat actor from the United Arab Emirates (UAE). According to BleepingComputer, the group is also known to some researchers as Project Raven or FruityArmor, and it targets political activists, journalists, dissidents and similar individuals.
In their technical write-up, ESET's researchers explain that Deadglyph is a modular piece of malware, capable of receiving additional modules from the command and control (C2) server depending on what the operators want to extract from the target endpoint. The modules can use both Windows APIs and custom Executor APIs, giving the threat actors at least a dozen functions to work with. These include loading executables, token impersonation, encryption, hashing, and more.
Multiple modules
ESET analyzed three modules: a process creator, an information collector and a file reader. The collector, for example, can tell the threat actors which operating system the victim is running, which network adapters the endpoint has, which software and drivers are installed, and more. The researchers believe that up to 14 modules exist.
There’s no word on potential targets, other than to say the malware was found on a government-owned device. However, previous reports describe Stealth Falcon as a decade-old threat actor (in operation since at least 2012) that targets political activists and journalists – not government employees.
In 2019, ESET analyzed one of Stealth Falcon's campaigns and concluded that the targets, although small in number, were spread across the world: in the UAE, Saudi Arabia, Thailand and the Netherlands. In the latter case, however, the group targeted a diplomatic mission from a Middle Eastern country.
At the moment, there is no information on how the attackers managed to infiltrate the target devices. For now, IT teams can only rely on the published indicators of compromise here.
Via BleepingComputer