New Stealthy and Modular Deadglyph Malware Used in Govt Attacks

Cyber Security Threat Summary:
A highly advanced backdoor called 'Deadglyph' was recently employed in a cyber espionage operation targeting a Middle Eastern government agency. The malware has been linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor. This hacking group operates with the support of a state, specifically the United Arab Emirates (UAE). Stealth Falcon has been pursuing activists, journalists, and dissidents for nearly a decade.

“In a new report released at the LABScon cybersecurity conference, ESET researcher Filip Jurčacko shares analysis of the new modular malware and how it infects Windows devices. ESET does not have insight into the means of initial infection, but it is suspected that a malicious executable, possibly a program installer, is used. However, ESET obtained most of the components of the infection chain to paint a picture of how the malware operates and attempts to evade detection. Deadglyph's loading chain begins with a registry shellcode loader (DLL) that extracts code from the Windows registry to load the Executor (x64) component, which in turn loads the Orchestrator (.NET) component. Only the initial component exists on the compromised system's disk as a DLL file, minimizing the likelihood of detection” (BleepingComputer, 2023).

ESET reports that the loader retrieves encrypted shellcode from the Windows Registry, adding complexity to the analysis. As the DLL component is stored on the filesystem, it's more susceptible to detection. Consequently, the threat actors employed a homoglyph attack within the VERSIONINFO resource, using distinct Unicode characters that visually resemble Microsoft's details but are not identical, such as Greek Capital Letter San (U+03FA, Ϻ) and Cyrillic Small Letter O (U+043E, о) in "Ϻicrоsоft Corpоratiоn." The Executor component performs various tasks, including loading AES-encrypted configurations for the backdoor, initializing the .NET runtime, and acting as the backdoor's library. The Orchestrator manages command and control (C2) communications through modules named 'Timer' and 'Network.' In the event of communication failure with the C2 server, the backdoor triggers a self-removal mechanism to thwart analysis by researchers and cybersecurity experts.
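The homoglyph trick in the VERSIONINFO resource can be checked for mechanically. The following is an added example, not code from ESET or the original report: it assumes the CompanyName string has already been extracted from the DLL's version resource, and the function names, the two-entry look-alike map and the sample string are constructed for illustration.

```python
import unicodedata

# Only the two look-alikes named in the report; a production check would load
# the full Unicode confusables table (UTS #39) instead of this constructed map.
CONFUSABLES = {0x03FA: "M", 0x043E: "o"}
TRUSTED = "Microsoft Corporation"

def script_of(ch):
    """Script taken from the first word of the Unicode name; None for non-letters."""
    if not ch.isalpha():
        return None
    first = unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]
    return first if first in ("LATIN", "GREEK", "CYRILLIC") else "OTHER"

def audit_version_string(value, trusted=TRUSTED):
    """Flag non-Latin letters and look-alike spoofing of a trusted vendor name."""
    suspicious = [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(value)
        if script_of(ch) not in (None, "LATIN")
    ]
    scripts = sorted({script_of(ch) for ch in value} - {None})
    # Map known look-alikes back to Latin and compare with the trusted name.
    skeleton = value.translate(CONFUSABLES)
    return {
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "suspicious": suspicious,
        "impersonates_trusted": value != trusted and skeleton == trusted,
    }

if __name__ == "__main__":
    # Constructed sample reproducing the spoofed CompanyName described above.
    spoofed = "\u03faicr\u043es\u043eft Corp\u043erati\u043en"
    for sample in (TRUSTED, spoofed):
        report = audit_version_string(sample)
        print(ascii(sample), report["mixed_script"], report["impersonates_trusted"])
        for finding in report["suspicious"]:
            print("   ", finding)
```

A vendor string that mixes Latin with Greek or Cyrillic letters, or that only equals a trusted name after look-alike mapping, is a strong signal to review the file.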

Security Officer Comments:
The Deadglyph malware is modular, meaning it downloads new modules from the C2 server, each containing different shellcodes executed by the Executor component. This modular approach enables threat actors to create tailored attacks with new modules for additional malicious functions. These modules utilize Windows and custom Executor APIs, offering 39 functions for various actions like file operations, executing programs, accessing token impersonation, and encryption/hashing. ESET identified three out of possibly nine to fourteen modules: a process creator, an info collector, and a file reader. The info collector gathers system details using WMI queries, while the process creator executes commands as new processes and reports results to the Orchestrator. The file reader module reads file content and allows for file deletion. Although ESET only uncovered a portion of Deadglyph's capabilities, it highlights the formidable threat posed by Stealth Falcon's Deadglyph.

Suggested Correction(s):
Although ESET uncovered only a fraction of the malware’s capabilities and the initial access vector is still unknown to researchers, for now defenders can rely on existing IOCs published in the report: