Stealth Falcon in the skies of the Middle East: analysis of the Deadglyph backdoor and its consequences

Carding

Who is behind the attack and how it threatens the Middle East.

Recent research by ESET has drawn attention to a new high-tech backdoor called Deadglyph. The backdoor was discovered while monitoring suspicious activity on the systems of high-profile clients in the Middle East. Researchers attribute Deadglyph with a high degree of confidence to the APT (Advanced Persistent Threat) group Stealth Falcon, known for its espionage operations in the region.

Features of Deadglyph include an unusual architecture consisting of cooperating components written in different programming languages (a native x64 binary and a .NET assembly), which makes its analysis more complex. The backdoor has no built-in commands; instead, it dynamically receives them from the command and control (C&C) server as additional modules, which makes it harder to detect.

Deadglyph was used to spy on a government agency in the Middle East, specifically Qatar. The Stealth Falcon Group, also known as Project Raven or FruityArmor, is affiliated with the United Arab Emirates and has been active since 2012. It targets political activists, journalists and dissidents in the Middle East region.

Deadglyph is the latest addition to Stealth Falcon's arsenal of espionage tools. This backdoor has a complex loading chain consisting of several components, and uses unique methods to install itself and persist on the victim's system.

ESET researchers also found an associated shellcode loader that is likely used to install Deadglyph. This shellcode loader was found in a signed CPL file uploaded to VirusTotal from Qatar, and it shares some similarities with the Deadglyph code.

These discoveries highlight the continued use of high-tech threats in the Middle East region and raise questions about the security of cyberspace in this region.