UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
Introduction
An advanced persistent threat (APT) group known as Stealth Falcon, believed to be linked to the United Arab Emirates (UAE) government, has recently been observed deploying a new backdoor called Deadglyph in an attack targeting a governmental entity in the Middle East. Deadglyph is sophisticated malware that uses multiple components to establish command-and-control communication and execute commands on infected systems.
The Deadglyph Backdoor
The Deadglyph backdoor consists of a native x64 binary that acts as an executor, and a .NET assembly that acts as an orchestrator. The backdoor is delivered on the system in the form of a DLL that abuses Windows Management Instrumentation (WMI) event subscription for persistence. Once executed, the DLL loads and executes encrypted shellcode stored in the Windows registry, leading to the execution of the executor component of Deadglyph. This component is responsible for loading configurations, initializing the .NET runtime, and loading the orchestrator component.
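The WMI event-subscription persistence described above leaves three linked objects behind (an event filter, an event consumer, and the binding between them), which is what a defender audits. The following is an added example, not code from ESET or from the article: it correlates constructed records modelled on Sysmon event IDs 19, 20 and 21 (the field names are an assumption) and flags bindings whose consumer would run a command line, a script or a DLL through a Windows loader.

```python
import re

# Constructed sample records modelled on Sysmon's WMI events (IDs 19, 20, 21);
# every name, query and path below is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": "ExampleFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Name": "ExampleConsumer", "Type": "Command Line",
     "Destination": "rundll32.exe C:\\ProgramData\\example\\loader.dll,Start"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="ExampleConsumer"',
     "Filter": '__EventFilter.Name="ExampleFilter"'},
    # A benign binding of the kind Windows registers itself.
    {"EventID": 19, "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

# Consumer types that execute attacker-supplied code when the filter fires,
# and a heuristic for a consumer that starts a DLL through a Windows loader.
CODE_RUNNING_TYPES = {"Command Line", "Active Script"}
DLL_LOADER = re.compile(r"(rundll32|regsvr32)\b.*\.dll", re.IGNORECASE)

def _ref_name(ref: str) -> str:
    """Pull the instance name out of a reference like __EventFilter.Name="X"."""
    m = re.search(r'Name="([^"]*)"', ref)
    return m.group(1) if m else ref

def find_suspicious_bindings(events: list) -> list:
    """Join filter, consumer and binding records by name; return the bindings
    whose consumer would run code (a command line, a script or a DLL loader)."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    hits = []
    for e in (e for e in events if e["EventID"] == 21):
        con = consumers.get(_ref_name(e["Consumer"]), {})
        flt = filters.get(_ref_name(e["Filter"]), {})
        reasons = []
        if con.get("Type") in CODE_RUNNING_TYPES:
            reasons.append("code-running consumer type: " + con["Type"])
        if DLL_LOADER.search(con.get("Destination", "")):
            reasons.append("consumer launches a DLL via a Windows loader")
        if reasons:  # one finding per binding, with the evidence attached
            hits.append({"filter": flt.get("Name"), "query": flt.get("Query"),
                         "consumer": con.get("Name"),
                         "destination": con.get("Destination", ""), "reasons": reasons})
    return hits
```

Running it on the constructed records reports only the binding with the command-line consumer; the Windows-supplied event-log binding is left alone.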
Command-and-Control Communication
The .NET component of Deadglyph establishes command-and-control (C&C) communication and executes commands sent by the C&C server periodically, at random intervals, to prevent detectable patterns. The C&C server sends commands to the backdoor in the form of tasks. The orchestrator can be instructed to modify network and timer modules’ configurations, while the executor tasks are responsible for managing the backdoor and running additional modules.
Functionality of the Backdoor
ESET, the cybersecurity firm that discovered Deadglyph, estimates that the executor component can fetch up to fourteen different modules that serve as backdoor commands. These modules are served as DLLs with unnamed exports. The modules can resolve Windows APIs and custom Executor APIs for various functions, including file operations, encryption and hashing, compression, PE loading, utility, and access token impersonation. One of the modules is designed to collect extensive information about the infected system, including the operating system, network adapters, installed applications, drivers, services, drives, processes, users, security software, and environment variables.
Stealth Falcon and the United Arab Emirates
Stealth Falcon, the APT group behind the Deadglyph backdoor, has been active since at least 2012 and is believed to be linked to the UAE government. The group is known for its targeting of journalists, activists, and dissidents. Amnesty International concluded in 2019 that Stealth Falcon is the same group as Project Raven, an initiative allegedly composed of former NSA operatives. The UAE government has denied any involvement in the development or deployment of the Deadglyph backdoor.
Analysis and Implications
The discovery of the Deadglyph backdoor and its deployment by Stealth Falcon raise significant concerns about cybersecurity and the use of cyber weapons by nation-states. The sophistication of the malware and its ability to evade detection highlight the increasing complexity and evolving nature of cyber threats. The specific targeting of a governmental entity in the Middle East suggests political motivations and the desire to gather intelligence.
The Role of Backdoors in Cyberwarfare
Backdoors like Deadglyph are powerful tools in the arsenal of cyberwarfare. They provide unauthorized access to a system, allowing attackers to control and manipulate it, gather sensitive information, and potentially disrupt critical infrastructure. The use of backdoors by nation-states raises ethical questions and concerns over state-sponsored surveillance, espionage, and potential offensive capabilities in cyberspace.
Advice for Governments and Organizations
The discovery and deployment of advanced malware like Deadglyph highlight the urgent need for improved cybersecurity measures at both the government and organizational levels. To mitigate the risks of APTs and targeted attacks, the following steps should be taken:
1. Strengthen Network Security
Organizations must implement robust network security measures, including firewalls, intrusion detection and prevention systems, and endpoint protection. Regular vulnerability assessments and penetration testing can help identify and address security weaknesses.
2. Enhance Employee Awareness
Phishing and social engineering attacks remain common entry points for APTs. Educating employees about the risks and providing regular training on how to identify and respond to suspicious emails, links, and attachments is crucial in preventing successful attacks.
3. Implement Multifactor Authentication
Using multifactor authentication significantly reduces the risk of unauthorized access to systems and accounts. By requiring users to provide multiple forms of verification, such as a password and a unique code sent to their mobile device, organizations can enhance security and protect against credential theft.
4. Regularly Update and Patch Systems
Keeping software, operating systems, and applications up to date with the latest security patches is essential in preventing attackers from exploiting known vulnerabilities. Organizations should establish regular patching routines and continuously monitor for new updates.
5. Conduct Threat Intelligence and Monitoring
Investing in robust threat intelligence capabilities can help organizations identify and respond to APTs and targeted attacks. Continuous monitoring of network traffic, system logs, and user activities can provide early warning signs of potential compromises.
6. Collaborate with the Cybersecurity Community
Open collaboration and information sharing among governments, organizations, and cybersecurity researchers are vital in combating APTs and enhancing overall cybersecurity. Sharing threat intelligence, best practices, and lessons learned can strengthen defenses and help detect and respond to evolving threats.
Conclusion
The discovery of the Deadglyph backdoor and its deployment by Stealth Falcon highlight the evolving threat landscape and the need for heightened cybersecurity measures. Governments and organizations must invest in robust security practices, employee awareness, and collaboration to mitigate the risks posed by APTs and targeted attacks. The development and use of advanced malware by nation-states raise important ethical and philosophical questions about the role of cybersecurity in the modern world.