Deadglyph Backdoor Deployed by Stealth Falcon APT

Cybersecurity experts have unearthed a previously undocumented, advanced backdoor called Deadglyph, used by the threat actor Stealth Falcon as part of a cyber espionage operation.

In a recent report shared with The Hacker News, security researchers noted that Deadglyph's architecture is unusual because it is split between two cooperating components: a native x64 binary and a .NET assembly. Most malware is written in a single programming language, so the split may indicate that the components were developed separately, while also taking advantage of the distinct capabilities of each language.

The researchers also suspect that the use of two languages is a deliberate choice to impede analysis, since it makes the malware considerably harder to navigate and debug.

Unlike conventional backdoors, Deadglyph receives its commands from the attacker-controlled server in the form of additional modules. These modules enable the backdoor to start new processes, access files, and gather data from compromised systems.

Stealth Falcon's Previous Activity

Stealth Falcon, also known as FruityArmor, first came to public attention in 2016 when Citizen Lab connected it to a series of targeted spyware attacks in the Middle East. These attacks targeted journalists, activists, and dissidents in the U.A.E., utilizing spear-phishing tactics involving booby-trapped links within macro-laden documents to deliver a custom implant capable of executing arbitrary commands.

A subsequent investigation by Reuters in 2019 uncovered Project Raven, a covert operation involving former U.S. intelligence personnel who were recruited by the cybersecurity firm DarkMatter to spy on entities critical of the Arab monarchy. There are strong indications that Stealth Falcon and Project Raven are one and the same, given their overlapping tactics and targets.

Since then, the group has been linked to the exploitation of zero-day vulnerabilities in Windows, such as CVE-2018-8611 and CVE-2019-0797. In April 2020, Mandiant reported that this espionage group had "used more zero-days than any other group" from 2016 to 2019.

Around the same timeframe, researchers revealed the group's use of a backdoor called Win32/StealthFalcon, which utilized the Windows Background Intelligent Transfer Service (BITS) for command-and-control (C2) communication and to gain full control over an endpoint.

According to a Slovak cybersecurity firm, Deadglyph is the latest addition to Stealth Falcon's toolkit, discovered during an investigation into an intrusion at an undisclosed governmental entity in the Middle East.

The specific method used to deploy the implant remains unknown, but the first component in its execution chain is a shellcode loader that extracts and loads shellcode from the Windows Registry. This loader then launches Deadglyph's native x64 module, referred to as the Executor. The Executor in turn loads a .NET component known as the Orchestrator, which communicates with the command-and-control (C2) server to await further instructions. The malware also employs various evasive techniques to remain undetected, including the ability to uninstall itself.
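The registry-resident shellcode at the start of this chain is something a defender can hunt for. Below is an added example, not code from the report or from the researchers, that parses a registry export in .reg format and flags large, high-entropy binary values; the sample export, key paths and thresholds are constructed assumptions, and the actual key Deadglyph uses is not given on this page.

```python
import math
import random
import re
from collections import Counter

# Shellcode staged in a registry value tends to be a large, high-entropy
# REG_BINARY blob; ordinary binary values are small or structured.
SIZE_THRESHOLD = 256     # bytes; tune to the environment
ENTROPY_THRESHOLD = 7.0  # bits per byte; 8.0 is uniformly random

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_reg_binary_values(reg_text: str):
    """Yield (key_path, value_name, data) for each hex: value in .reg text,
    joining the ',\\' line continuations that regedit exports emit."""
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    key = None
    for line in joined.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"(.*?)"=hex(?:\(\w+\))?:(.*)$', line)
        if m and key:
            raw = m.group(2).strip().rstrip(",")
            yield key, m.group(1), bytes(int(h, 16) for h in raw.split(",") if h)

def find_suspicious_blobs(reg_text: str):
    """Return [(key, name, size, entropy)] for values that look like packed code."""
    hits = []
    for key, name, data in parse_reg_binary_values(reg_text):
        ent = shannon_entropy(data)
        if len(data) >= SIZE_THRESHOLD and ent >= ENTROPY_THRESHOLD:
            hits.append((key, name, len(data), round(ent, 2)))
    return hits

# Constructed sample export (placeholder key paths): a small PNG-header value
# and a 600-byte pseudo-random blob standing in for encrypted shellcode.
_rng = random.Random(2023)
_hex = [f"{_rng.randrange(256):02x}" for _ in range(600)]
_blob = ",\\\n  ".join(",".join(_hex[i:i + 20]) for i in range(0, 600, 20))
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Settings]\n"
    '"Icon"=hex:89,50,4e,47,0d,0a,1a,0a\n\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Cache]\n"
    f'"Blob"=hex:{_blob}\n'
)
```

Running `find_suspicious_blobs(SAMPLE_REG)` flags only the 600-byte blob; the same function can be pointed at an export of the Run keys or any vendor key on a live host.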

September 29, 2023