NEWS Report

Deadglyph is a sophisticated backdoor with unusual architecture

VirusTotal

It attacked a governmental entity in the Middle East that was compromised for espionage purposes. A related sample found on VirusTotal was also uploaded to the file-scanning platform from this region, specifically from Qatar.

ESET researchers have discovered and analyzed a sophisticated backdoor, used by the Stealth Falcon group, that has been named Deadglyph by ESET. According to the US not-for-profit security organization MITRE, the group is linked to the United Arab Emirates. 

Deadglyph has an unusual architecture, and its backdoor capabilities are provided by its C&C in the form of additional modules. Deadglyph has a range of counter-detection mechanisms and it is capable of uninstalling itself to minimize the likelihood of its detection in certain cases. ESET made the discovery in the midst of routine monitoring of suspicious activities on the systems of high-profile customers, some based in the Middle East region. The victim of the analyzed infiltration is a governmental entity in the Middle East that was compromised for espionage purposes. A related sample found on VirusTotal was uploaded from Qatar. 

ESET derived the name from artifacts found in the backdoor, coupled with the presence of a homoglyph attack. A homoglyph is a deceptive string of characters appearing like a reliable string. In the case of this backdoor, it was mimicking Microsoft Corporation in one instance. This previously undocumented backdoor exhibits a notable degree of sophistication and expertise. The traditional backdoor commands are not implemented in the backdoor binary; instead, they are dynamically received by it from its C&C server in the form of additional modules. This backdoor also features a number of capabilities to avoid being detected, including continuous monitoring of system processes and the implementation of randomized network patterns.

ESET Research has managed to obtain three of these modules, uncovering a fraction of Deadglyph’s full capabilities: process creator, file reader, and info collector. The info collector module collects extensive information about the computer, including details about the operating system, installed software and drivers, processes, services, users, and security software. Additionally, the file reader module is able to read specified files; in one case, the module was used to retrieve the victim’s Outlook data file. Additionally, ESET Research has found a related shellcode downloader that could potentially be used to install Deadglyph. Based on the targeting and additional evidence, with high confidence ESET attributes Deadglyph to the Stealth Falcon APT group. 

Related posts

to GPT or Not to GPT! 

Channel 360 MEA

SPACE-D IoT gateway from DEWA’s R&D

Channel 360 MEA

Modifying existing IT systems is key to improved carbon footprint management for MENA companies!

Channel 360 MEA

Leave a Comment