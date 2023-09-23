Cybersecurity researchers have discovered a previously undocumented advanced backdoor called Deadglyph, used by a dangerous cybercriminal group known as Stealth Falcon as part of a cyber espionage campaign.

How Deadglyph is structured

“Deadglyph’s architecture is unusual in that it is made up of cooperating components: one is a native x64 binary, the other is a .NET assembly,” ESET said in its recent report, adding: “This combination is unusual because malware usually uses only one programming language for its components. This difference could indicate separate development of these two components, while also taking advantage of the unique characteristics of the distinct programming languages they use.”

It is also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making the malware much more difficult to navigate and debug.

Unlike other traditional backdoors of this type, commands are received from an attacker-controlled server in the form of additional modules that allow it to create new processes, read files and collect information from compromised systems.

Stealth Falcon (aka FruityArmor) is a hacker group first publicly exposed by Citizen Lab in 2016, which linked it to a series of targeted spyware attacks in the Middle East against journalists, activists and dissidents in the United Arab Emirates. Those attacks used spear-phishing lures with links to macro-laced decoy documents that delivered a custom implant capable of executing arbitrary commands.

A subsequent investigation by Reuters in 2019 revealed a clandestine operation called Project Raven, involving a group of former US Secret Service agents recruited by a cybersecurity firm called DarkMatter to spy on critical targets of the Arab monarchy.

Stealth Falcon and Project Raven are believed to be the same group, based on overlaps in tactics and targeting.

The group was later linked to zero-day exploitation of Windows security flaws such as CVE-2018-8611 and CVE-2019-0797, with Mandiant noting in April 2020 that whoever was behind this cyber espionage “has used more zero-days than any other group” from 2016 to 2019.

In the same period, ESET described the adversary’s use of a backdoor called Win32/StealthFalcon, which was found to use the Windows Background Intelligent Transfer Service (BITS) for command and control (C2) communications and to gain complete control of an endpoint.

Deadglyph is the latest addition to Stealth Falcon’s arsenal, according to the Slovakian cybersecurity firm, which analyzed a breach at an unspecified government body in the Middle East.

The exact method used to deliver the implant is currently unknown, but the initial component that triggers its execution is a shellcode loader that extracts and loads shellcode from the Windows Registry, which then launches Deadglyph’s native x64 module, called the Executor.

The Executor then proceeds to load a .NET component known as the Orchestrator which, in turn, communicates with the command and control (C2) server to await further instructions. The malware also engages in a number of evasive maneuvers to fly under the radar, including the ability to uninstall itself.

Commands received from the server are queued for execution and can fall into one of three categories: Orchestrator tasks, Executor tasks, and Load tasks.

“Executor tasks offer the ability to manage the backdoor and run additional modules,” ESET said. “Orchestrator tasks offer the ability to manage the configuration of the Network and Timer modules and also to cancel pending tasks.”

Some of the identified Executor tasks include creating processes, accessing files, and collecting system metadata. The Timer module is used to periodically probe the C2 server in combination with the Network module, which implements C2 communications using HTTPS POST requests.

Load tasks, as the name suggests, allow the backdoor to upload command output and errors.

ESET said it also identified a control panel file (CPL) uploaded to VirusTotal from Qatar, which is believed to have served as the starting point of a multi-stage chain leading to a shellcode downloader that shares some code similarities with Deadglyph.

While the nature of the shellcode recovered from the C2 server remains unclear, it has been theorized that the content could potentially serve as an installer for the Deadglyph malware.

The name Deadglyph comes from artifacts found in the backdoor (the hex IDs 0xDEADB001 and 0xDEADB101 for the Timer module and its configuration), combined with the presence of a homoglyph attack impersonating Microsoft (“Ϻicrоsоft Corpоratiоn”) in the VERSIONINFO resource of the Registry shellcode loader.
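As an added defensive example (not ESET’s tooling or any code from the malware), the check below flags a PE CompanyName string that mixes Unicode scripts and folds to a known vendor name, as the spoofed “Ϻicrоsоft Corpоratiоn” string does; the confusables table and vendor list are small constructed assumptions, not a complete reference.

```python
# Added example: detect homoglyph-spoofed vendor names in a VERSIONINFO block.
import unicodedata

# Constructed, deliberately small confusables table: look-alike Greek/Cyrillic
# letters mapped to the Latin letter they mimic (not exhaustive).
CONFUSABLES = {
    "\u03fa": "M",  # Greek capital letter SAN (Ϻ)
    "\u041c": "M",  # Cyrillic capital EM (М)
    "\u043e": "o",  # Cyrillic small O (о)
    "\u03bf": "o",  # Greek small omicron (ο)
    "\u0430": "a",  # Cyrillic small A (а)
    "\u0435": "e",  # Cyrillic small IE (е)
    "\u0441": "c",  # Cyrillic small ES (с)
    "\u0440": "p",  # Cyrillic small ER (р)
    "\u0456": "i",  # Cyrillic small I (і)
    "\u0455": "s",  # Cyrillic small DZE (ѕ)
}

# Constructed allow-list of vendor names we expect to see spelled in plain Latin.
KNOWN_VENDORS = {"microsoft corporation"}

def scripts_used(text):
    """Return the set of Unicode scripts (first word of the character name)
    used by the letters in text, e.g. {'LATIN', 'CYRILLIC', 'GREEK'}."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def skeleton(text):
    """Fold confusable characters to their Latin look-alikes and lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()

def check_company_name(company_name):
    """Classify a CompanyName string as 'legit', 'homoglyph' or 'unknown'.

    'homoglyph' means the string folds to a known vendor name but is not the
    plain ASCII spelling (mixed scripts or non-ASCII look-alikes).
    Returns (verdict, folded_name).
    """
    folded = skeleton(company_name)
    mixed = len(scripts_used(company_name)) > 1
    if folded in KNOWN_VENDORS:
        if mixed or not company_name.isascii():
            return ("homoglyph", folded)
        return ("legit", folded)
    return ("unknown", folded)
```

A scanner that extracts the StringFileInfo table from a binary (for example with pefile) can feed each CompanyName value to check_company_name and alert on any 'homoglyph' verdict.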

“Deadglyph boasts a number of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of random network patterns,” the company said. “Additionally, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases.”

What to do if you are faced with similar malware

It is possible that at first Deadglyph is not detected by good antivirus and antimalware products, nor by the VirusTotal service mentioned above; in that case we will have to wait for the antivirus vendors to update their products so that the detection “workaround” no longer works, which is only a matter of time.

Since this malware is reported to target Windows environments, having made a preventive backup of your data (which is rarely done) and then reformatting the machine could be an option if you suspect this implant is installed on your Windows PC.

Unfortunately, until antivirus products acquire the relevant definitions it is difficult to tell whether you have an infection that has not yet been “studied” by antivirus and antimalware vendors. There are, however, clues that can tip you off, such as PC slowdowns, programs that were not there before, and so on.

The computer is a machine and as such requires maintenance, especially by those who use it daily.