Emergence of New and Advanced Deadglyph Malware in Government Cyber Attacks

In a recent cyberespionage operation targeting a government agency in the Middle East, a highly sophisticated backdoor malware named ‘Deadglyph’ has surfaced, raising concerns among cybersecurity experts.

The origins of the Deadglyph malware are traced back to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor. This state-sponsored hacking collective hails from the United Arab Emirates (UAE) and has gained notoriety over nearly a decade for its persistent targeting of activists, journalists, and dissidents.

At the LABScon cybersecurity conference, ESET researcher Filip Jurčacko unveiled a comprehensive analysis of this newly discovered modular malware and its infiltration methods on Windows-based devices.

While the exact means of initial infection remains unknown, suspicions point toward the use of a malicious executable, potentially a program installer.

ESET, however, has managed to uncover many components of the infection chain, shedding light on the malware’s intricate workings and its relentless pursuit of avoiding detection.

The Deadglyph malware’s loading process initiates with a registry-based shellcode loader (DLL). This DLL extracts code stored within the Windows registry to activate the Executor (x64) component, which subsequently loads the Orchestrator (.NET) component.

Notably, only the initial component exists on the compromised system’s disk as a DLL file, which considerably reduces the chances of detection.

ESET notes that the loader retrieves encrypted shellcode from the Windows Registry, adding a layer of complexity to analysis.
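Because the loader keeps its encrypted shellcode in the Windows Registry rather than on disk, one hunting approach is to look for registry values that are unusually large and have near-random byte distributions. The example below is added here and is not ESET’s or the malware’s code; the registry paths and value contents are constructed sample data, and the size and entropy thresholds are assumptions a defender would tune to their own environment (legitimate high-entropy blobs such as certificates, cached thumbnails, and compressed settings also exist, so a hit is a lead to inspect, not a verdict).

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_suspicious_values(values, min_size=1024, min_entropy=7.0):
    """Return the (key, name, value) triples whose data is both large and
    high-entropy, i.e. looks like encrypted or packed payload storage.

    `values` is an iterable of (key_path, value_name, raw_bytes). On a real
    host these would come from a registry export or the winreg module; here
    the caller supplies them so the check runs offline.
    """
    hits = []
    for key_path, value_name, raw in values:
        size = len(raw)
        if size < min_size:
            continue
        ent = shannon_entropy(raw)
        if ent >= min_entropy:
            hits.append({
                "key": key_path,
                "name": value_name,
                "size": size,
                "entropy": round(ent, 3),
            })
    return hits


# --- constructed sample registry values (not from any real system) ---
_rng = random.Random(1)
_HIGH_ENTROPY_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_VALUES = [
    # large, near-random: the shape an encrypted shellcode blob would have
    ("HKCU\\Software\\ConstructedVendor\\Cache", "Blob", _HIGH_ENTROPY_BLOB),
    # small ASCII string: typical configuration value, ignored by size
    ("HKCU\\Software\\ConstructedApp", "InstallPath",
     b"C:\\Program Files\\ConstructedApp\\app.exe"),
    # large but all zeros: big enough, but entropy is 0.0 so not flagged
    ("HKLM\\Software\\ConstructedApp", "Padding", b"\x00" * 2048),
]


if __name__ == "__main__":
    for hit in flag_suspicious_values(SAMPLE_VALUES):
        print(f"{hit['key']}\\{hit['name']}: {hit['size']} bytes, "
              f"entropy {hit['entropy']}")
```

Running the block prints only the constructed `Cache\Blob` value; the string and the zero-filled value are skipped by the size and entropy gates respectively.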

Recognizing that the DLL component, when stored on the filesystem, is more susceptible to detection, the threat actors deployed a clever homoglyph attack within the VERSIONINFO resource. This attack utilized distinct Greek and Cyrillic Unicode characters to mimic Microsoft’s information and give the appearance of a legitimate Windows file.

ESET’s report elaborates on this tactic, stating, “We spotted a homoglyph attack mimicking Microsoft Corporation in the VERSIONINFO resource of this and other PE components. This method employs distinct Unicode characters that appear visually similar, but in this case not identical, to the original characters, specifically Greek Capital Letter San (U+03FA, Ϻ) and Cyrillic Small Letter O (U+043E, о) in Ϻicrоsоft Corpоratiоn.”
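A straightforward way to catch this class of impersonation is to check the CompanyName string pulled from a PE file’s VERSIONINFO for non-ASCII characters and to fold known look-alike letters to their Latin equivalents before comparing with a trusted vendor name. The example below is an added illustration, not code from ESET or the report; the confusable table is a constructed subset (it includes the two characters the report names, U+03FA and U+043E, plus other common Greek and Cyrillic look-alikes), the spoofed sample string is constructed from those code points, and extracting the string from an actual binary (for instance with a PE parser) is assumed to happen outside this function.

```python
import unicodedata

# Constructed table of Greek/Cyrillic letters that render like Latin ones.
# This is a small illustrative subset, not an exhaustive confusables list.
CONFUSABLES = {
    "\u03FA": "M",  # GREEK CAPITAL LETTER SAN (named in the ESET report)
    "\u043E": "o",  # CYRILLIC SMALL LETTER O (named in the ESET report)
    "\u039C": "M",  # GREEK CAPITAL LETTER MU
    "\u041C": "M",  # CYRILLIC CAPITAL LETTER EM
    "\u03BF": "o",  # GREEK SMALL LETTER OMICRON
    "\u039F": "O",  # GREEK CAPITAL LETTER OMICRON
    "\u041E": "O",  # CYRILLIC CAPITAL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0421": "C",  # CYRILLIC CAPITAL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0391": "A",  # GREEK CAPITAL LETTER ALPHA
    "\u0395": "E",  # GREEK CAPITAL LETTER EPSILON
    "\u0422": "T",  # CYRILLIC CAPITAL LETTER TE
    "\u03A4": "T",  # GREEK CAPITAL LETTER TAU
}


def skeleton(text: str) -> str:
    """Fold known confusable characters to ASCII; leave everything else as-is."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def non_ascii_chars(text: str):
    """List (index, char, 'U+XXXX', Unicode name) for every non-ASCII character."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ord(ch) > 0x7F
    ]


def check_company_name(name: str, trusted=("Microsoft Corporation",)) -> dict:
    """Classify a VERSIONINFO CompanyName string.

    homoglyph_spoof is True only when the raw string is NOT a trusted name
    but its confusable-folded skeleton IS one, i.e. the string looks like
    a trusted vendor while being made of different code points.
    """
    exact = name in trusted
    folded = skeleton(name)
    impersonates = folded if (folded in trusted and not exact) else None
    return {
        "exact_match": exact,
        "skeleton": folded,
        "non_ascii": non_ascii_chars(name),
        "homoglyph_spoof": impersonates is not None,
        "impersonates": impersonates,
    }


# Constructed spoofed sample: San for the 'M' and Cyrillic o for four of the
# o's, built from the code points the report cites (not copied from a binary).
SPOOFED_NAME = "\u03FAicr\u043Es\u043Eft Corp\u043Erati\u043En"


if __name__ == "__main__":
    for sample in (SPOOFED_NAME, "Microsoft Corporation", "Soci\u00e9t\u00e9 Example"):
        result = check_company_name(sample)
        print(sample, "->", "SPOOF" if result["homoglyph_spoof"] else "ok",
              [c[2] for c in result["non_ascii"]])
```

The third sample in the usage block shows the intended negative case: a vendor name with legitimate accented characters has non-ASCII code points but does not fold to a trusted name, so it is reported but not flagged as a spoof. The check is deliberately conservative; ASCII-only tricks such as a digit zero for the letter o are out of its scope and need a separate edit-distance comparison.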

The Executor component plays a pivotal role in loading AES-encrypted configurations for the backdoor, initializing the .NET runtime on the system, loading the .NET segment of the backdoor, and serving as its library.

The Orchestrator component manages communication with the command and control server (C2) and employs two modules, ‘Timer’ and ‘Network,’ for this purpose.

In the event of failed communication with the C2 server within a specified timeframe, the backdoor triggers a self-removal mechanism to thwart analysis by cybersecurity researchers.

One of the standout features of the Deadglyph malware is its modularity. It dynamically downloads new modules from the C2 server, each containing distinct shellcodes for execution by the Executor component.

This modular approach empowers threat actors to craft new modules tailored to specific attacks, which can then be deployed to victims to execute a range of malicious functions.

These modules are equipped with both Windows and custom Executor APIs, the latter offering 39 functions that enable actions such as file operations, executable loading, token impersonation, encryption, and hashing.

While ESET has identified the existence of nine to fourteen different modules, they have only been able to obtain information on three: a process creator, an information collector, and a file reader.

The process creator module serves as a command execution tool, enabling the execution of specified commands as new processes and relaying the results to the Orchestrator.

Conversely, the file reader module reads the content of files and forwards it to the Orchestrator, providing the operators with the option to delete the file after retrieval.

Although ESET’s research has unveiled only a fraction of the malware’s capabilities, it is abundantly clear that Stealth Falcon’s Deadglyph poses a formidable threat to cybersecurity.

Given the lack of detailed information regarding the initial infection vector, providing precise defense strategies against this malware remains a daunting challenge.

For now, defenders must rely on the existing Indicators of Compromise (IoCs) released in the report to bolster their security posture.