Cybersecurity researchers from ESET have discovered a new, sophisticated piece of malware targeting government organizations in the Middle East.
The malware is dubbed Deadglyph, and apparently is the work of Stealth Falcon APT, a state-sponsored threat actor allegedly from the United Arab Emirates (UAE). This group is also known among some researchers as Project Raven, or FruityArmor, BleepingComputer reports, and targets political activists, journalists, dissidents, and similar individuals.
In its technical writeup, ESET’s researchers explained that Deadglyph is a modular piece of malware, capable of receiving additional modules from its command & control (C2) server, depending on what the operators look to grab from the target endpoint. The modules can use both Windows and custom Executor APIs, meaning the threat actors can use at least a dozen functions. Some of them include loading executable files, accessing Token Impersonation, running encryption, hashing, and more.
Multiple modules
ESET analyzed three modules – a process creator, an information collector, and a file reader. The collector, for example, can tell the threat actors which operating system the victim is using, which network adapters the endpoint has, which software and drivers it has installed, and more. The researchers believe up to 14 modules are available.
There is no word on potential targets, other than the malware was found on a device belonging to a government firm. Earlier reports, however, describe Stealth Falcon as a decade-old threat actor (in operation since at least 2012) that targets political activists and journalists – not government employees.
In 2019, ESET analyzed one of StealthFalcon’s campaigns, concluding that the targets, although small in number, were scattered around the world – in UAE, Saudi Arabia, Thailand, and the Netherlands. In the latter, though, the group targeted a diplomatic mission of a Middle Eastern country.
At the moment there is no information on how the hackers managed to infiltrate the target devices. For now, IT teams can only use indicators of compromise published here.
Via BleepingComputer