Deadglyph Backdoor

Deadglyph Backdoor: A Sophisticated Espionage Weapon

Recent reporting from ESET, a cybersecurity firm, describes a new cyber-espionage campaign conducted by the advanced persistent threat (APT) actor known as Stealth Falcon, built around a backdoor ESET calls “Deadglyph.”

This Middle East-based APT group is believed to have strong ties to the United Arab Emirates (UAE) government.

The centerpiece of this campaign is a highly sophisticated modular backdoor called “Deadglyph.”

Deadglyph – A New APT Weapon

According to ESET’s findings, Stealth Falcon has deployed a novel backdoor known as Deadglyph in a cyber-espionage operation targeting a government entity in the Middle East.

The backdoor is notable for its advanced capabilities and complex architecture.

A Modular Approach

One of Deadglyph’s distinguishing features is its modular design.

Rather than shipping with a fixed set of built-in commands, Deadglyph receives its capabilities at run time from its command-and-control (C2) server in the form of modules.

This lets the operators tailor what is deployed on each victim and swap functionality in or out without redeploying the backdoor itself; it also means a sample recovered from one victim shows only the modules that were pushed to that victim.

ESET managed to retrieve three modules: a process creator, a file reader, and an information collector. The full extent of Deadglyph’s capabilities remains unknown, since other modules may exist that were never delivered to the infected system ESET analysed.

Anti-Detection Measures In Deadglyph

Stealth Falcon has implemented various anti-detection mechanisms within this advanced backdoor.

The malware continuously monitors system processes, randomizes its network traffic patterns, and uses homoglyphs to pass itself off as legitimate Microsoft files.

These tactics make it harder to detect, to fingerprint on the network, and to remove.

Homoglyph Usage

In a less common trick, Deadglyph uses homoglyphs to hide its presence.

This technique involves replacing standard Latin characters with visually similar characters from different alphabets.

In this case, Cyrillic and Greek characters were substituted into the string “Microsoft Corporation”, so the name looks legitimate to an analyst eyeballing file metadata while not matching a byte-for-byte comparison against the genuine vendor string. Any tooling that whitelists files by vendor name needs to compare on exact code points, not on what the name looks like.
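The check a defender would want here is a mixed-script and confusables test over the vendor name. The following Python is an added example written for this article, not ESET’s tooling or anything from the Deadglyph samples: the spoofed string, the small confusables table, and the function names are all constructed for illustration (Unicode’s full confusables.txt is far larger than the subset used here).

```python
import unicodedata

# Constructed sample strings for the demo (not the actual strings ESET recovered).
# SPOOFED swaps several Latin letters for Greek/Cyrillic look-alikes.
LEGIT = "Microsoft Corporation"
SPOOFED = "\u039cicr\u043es\u043eft C\u043erp\u043er\u0430ti\u043en"  # Greek Mu, Cyrillic o/a

# Hypothetical, hand-picked subset of Unicode confusables: Greek/Cyrillic code points
# that render like the Latin letter they map to.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a7": "X", "\u03bf": "o", "\u03bd": "v",
}


def script_of(ch):
    """Derive the script from the Unicode name: 'CYRILLIC SMALL LETTER ES' -> 'CYRILLIC'.

    Spaces, digits and punctuation carry no script and return None.
    """
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in(text):
    """Set of scripts present in the string, ignoring non-letters."""
    return {s for s in (script_of(c) for c in text) if s}


def fold_confusables(text):
    """Replace every known look-alike with its Latin counterpart."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def analyse(text, expected=LEGIT):
    """Report whether `text` mixes scripts and whether folding it yields `expected`.

    `spoofs_target` is only true when folding actually changed the string, so the
    genuine vendor name is never flagged.
    """
    scripts = scripts_in(text)
    folded = fold_confusables(text)
    suspicious = [
        (i, c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
        for i, c in enumerate(text)
        if c in CONFUSABLES
    ]
    return {
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "folded": folded,
        "spoofs_target": folded != text and folded == expected,
        "suspicious_chars": suspicious,
    }


if __name__ == "__main__":
    for label, s in (("legit", LEGIT), ("spoofed", SPOOFED)):
        r = analyse(s)
        print(f"{label}: scripts={sorted(r['scripts'])} mixed={r['mixed_script']} "
              f"spoofs_target={r['spoofs_target']}")
        for i, c, cp, name in r["suspicious_chars"]:
            print(f"  offset {i}: {c!r} {cp} {name}")
```

Two caveats worth keeping in mind when turning this into a detection: a string written entirely in one non-Latin script (a genuine Russian or Greek vendor name) does not trip the mixed-script test and should not, and the confusables table must be maintained as a data file rather than hard-coded, since attackers only need one look-alike your table lacks.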

The Expansive API Arsenal

Deadglyph’s modules use both the standard Windows API and a custom API exposed by the backdoor’s native Executor component, giving them a wide range of capabilities.

These encompass loading executables, file operations, token impersonation, and encryption and hashing. This diverse API arsenal allows Stealth Falcon to craft highly tailored attacks.

Stealth Falcon, also known as Fruity Armor and Project Raven, has a history of targeting political activists, dissidents, and journalists in the Middle East.

The group’s operations are believed to be state-sponsored and have been ongoing since at least 2012.
