In the ever-evolving landscape of cyber threats, a new and highly sophisticated backdoor malware, known as 'Deadglyph,' has emerged on the scene. This malware, attributed to the notorious hacking group Stealth Falcon APT (also known as Project Raven or FruityArmor), has recently been deployed in a cyberespionage attack against a government agency in the Middle East. In this blog post, we will delve into the intricate details of Deadglyph, shedding light on its functionality, evasion techniques, and the potential implications of this formidable threat.
Before we dive into the intricacies of Deadglyph, it's crucial to understand the background of the group responsible for its creation. Stealth Falcon APT has a long and notorious history, spanning nearly a decade. This cybercriminal organization has consistently targeted activists, journalists, and dissidents, using a wide array of sophisticated tools and techniques to infiltrate their targets' systems and gather sensitive information.
ESET, a prominent cybersecurity research firm, recently released a report at the LABScon cybersecurity conference, offering valuable insights into Deadglyph's inner workings. While the exact method of initial infection remains unknown, it is suspected that a malicious executable, possibly a program installer, is used to deliver the malware.
Deadglyph's loading chain begins with a registry shellcode loader (DLL) that extracts code from the Windows registry. This loader then initiates the Executor (x64) component, which, in turn, loads the Orchestrator (.NET) component. Notably, only the initial component exists on the compromised system's disk as a DLL file, reducing the likelihood of detection.
To further evade detection, the malware employs a homoglyph attack in the VERSIONINFO resource, using distinct Greek and Cyrillic Unicode characters that mimic Microsoft's information, creating the appearance of a legitimate Windows file.
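A defender can catch this kind of VERSIONINFO spoofing without knowing the exact look-alike characters in advance: a legitimate vendor string is written in a single script, so any letter from a minority script (a Cyrillic or Greek character among Latin ones) is a strong signal. The following is an added example, not code from the ESET report or from the malware; the sample VERSIONINFO strings are constructed for illustration, and the field names and function names are assumptions.

```python
import unicodedata

# Constructed sample VERSIONINFO strings (not taken from the Deadglyph sample):
# one clean, one where a Cyrillic 'о' (U+043E) and a Greek 'ο' (U+03BF)
# stand in for the Latin 'o' in the vendor name.
CLEAN_VERSIONINFO = {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Windows Shell Common Dll",
}
SPOOFED_VERSIONINFO = {
    "CompanyName": "Micr\u043esoft C\u03bfrporation",
    "FileDescription": "Windows Shell Common Dll",
}

# Scripts we distinguish by the prefix of the character's Unicode name.
SCRIPT_PREFIXES = ("LATIN", "GREEK", "CYRILLIC")


def script_of(ch):
    """Return the script name for a letter, or None for digits, punctuation and spaces."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def find_mixed_script_chars(text):
    """
    Return (char, codepoint, unicode name) for every letter whose script differs
    from the dominant script of the string. A string written entirely in one
    script (e.g. a genuine Cyrillic vendor name) is not flagged; only letters
    from a minority script are, which is what a homoglyph substitution produces.
    """
    scripts = [(ch, script_of(ch)) for ch in text]
    letters = [s for _, s in scripts if s]
    if not letters:
        return []
    dominant = max(set(letters), key=letters.count)
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for ch, s in scripts
        if s and s != dominant
    ]


def flag_version_info(version_info):
    """Check every VERSIONINFO string; return {field: [findings]} for fields with hits."""
    findings = {}
    for field, value in version_info.items():
        hits = find_mixed_script_chars(value)
        if hits:
            findings[field] = hits
    return findings


if __name__ == "__main__":
    for label, info in (("clean", CLEAN_VERSIONINFO), ("spoofed", SPOOFED_VERSIONINFO)):
        print(label, flag_version_info(info))
```

On a real system the dictionary would be filled from the PE's version resource (for example via pefile or `Get-ItemProperty`'s VersionInfo), and the check belongs next to any signature verification, since a file claiming to be Microsoft's with a mixed-script vendor string and no valid Authenticode signature is worth pulling for analysis.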
The Executor component, loaded by the DLL, plays a critical role in Deadglyph's functionality. It loads the AES-encrypted configurations for the backdoor, initializes the .NET runtime, and then serves as the library that the .NET Orchestrator calls into. The Orchestrator, on the other hand, is responsible for command and control (C2) server communications, employing 'Timer' and 'Network' modules for this task.
One of Deadglyph's notable features is its self-preservation mechanism. If the backdoor fails to establish communication with the C2 server within a specified timeframe, it triggers a self-removal mechanism. This action is designed to thwart analysis by cybersecurity experts and researchers.
Deadglyph is modular in design, allowing threat actors to download new modules from the C2 server. These modules contain various shellcodes executed by the Executor component, enabling the customization of attacks. With 39 functions in its custom Executor API, Deadglyph can perform a range of malicious activities, including file operations, executable loading, token impersonation, encryption, and hashing.
While ESET has identified only a fraction of the potential modules, including a process creator, an info collector, and a file reader, the malware's capabilities extend much further.
The info collector, for instance, utilizes WMI queries to gather extensive information about the compromised system, including operating system details, network adapters, installed software, drives, services, drivers, processes, users, environment variables, and even security software.
In conclusion, the emergence of Deadglyph highlights the ever-growing sophistication of cyber threats, particularly in the realm of cyberespionage. The Stealth Falcon APT group continues to pose a significant risk to individuals and organizations, utilizing advanced techniques to achieve their objectives. As cybersecurity professionals and researchers work tirelessly to uncover and mitigate these threats, it is essential to remain vigilant and proactive in safeguarding digital environments against such formidable adversaries.