ESET sheds more light on spyware attacks against political targets in the Middle East
Created: 2019-09-09 11:01:00
ESET researchers discovered a backdoor, with interesting features, linked to malware used by the infamous Stealth Falcon group
BRATISLAVA – Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. Some analysts link it to Project Raven, an initiative allegedly employing former NSA operatives. Read more details on this link.
Limited technical information about Stealth Falcon has already been made public, including an analysis of the key component of the malware – a PowerShell-based backdoor delivered via a weaponized document that was included in a malicious email.
ESET researchers discovered a previously unreported executable backdoor they named Win32/StealthFalcon. They have seen a small number of attacks with this malware in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country.
ESET research has revealed similarities between the newly discovered executable backdoor and the PowerShell script with backdoor capabilities previously attributed to the Stealth Falcon group. ESET researchers consider the similarities to be strong evidence that both backdoors are the work of the same group.
Win32/StealthFalcon uses a rather unusual technique to communicate with its command and control (C&C) server: the standard Windows component Background Intelligent Transfer Service (BITS).
Compared to traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus is harder to detect. Moreover, this design is reliable and stealthy, and more likely to be permitted by host firewalls.
In addition to its unusual C&C communication, Win32/StealthFalcon has some advanced techniques to prevent detection/analysis, ensure persistence and complicate forensic analysis.
For more details, read the blogpost “ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group” on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news from ESET research.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.