Stealth Falcon preying over Center Japanese skies with Deadglyph

For years, the Center East has maintained its status as a fertile floor for superior persistent threats (APTs). Within the midst of routine monitoring of suspicious actions on the methods of high-profile prospects, some primarily based on this area, ESET Analysis stumbled upon a really refined and unknown backdoor that now we have named Deadglyph. We derived the title from artifacts discovered within the backdoor (akin to 0xDEADB001, proven additionally in Desk 1), coupled with the presence of a homoglyph assault. To the most effective of our data, that is the primary public evaluation of this beforehand undocumented backdoor, utilized by a gaggle that displays a notable diploma of sophistication and experience. Primarily based on the concentrating on and extra proof, we attribute Deadglyph with excessive confidence to the Stealth Falcon APT group.

Deadglyph’s structure is uncommon because it consists of cooperating parts – one a local x64 binary, the opposite a .NET meeting. This mix is uncommon as a result of malware sometimes makes use of just one programming language for its parts. This distinction would possibly point out separate improvement of these two parts whereas additionally benefiting from distinctive options of the distinct programming languages they make the most of. Completely different language may also be harnessed to hinder evaluation, as a result of blended code is harder to navigate and debug.

The standard backdoor instructions will not be carried out within the backdoor binary; as an alternative, they’re dynamically acquired by it from the command and management (C&C) server within the type of extra modules. This backdoor additionally options plenty of capabilities to keep away from being detected.

On this blogpost, we take a better have a look at Deadglyph and supply a technical evaluation of this backdoor, its function, and among the extra parts we obtained. We’re additionally presenting our findings about Deadglyph on the LABScon 2023 convention.

Key factors of the blogpost:

• ESET Analysis found a complicated backdoor with uncommon structure that now we have named Deadglyph.
• The primary parts are encrypted utilizing a machine-specific key.
• Conventional backdoor instructions are carried out by way of extra modules acquired from its C&C server.
• We obtained three out of many modules – course of creator, file reader, and information collector.
• We attribute Deadglyph to the Stealth Falcon group.
• Moreover, we discovered a associated shellcode downloader; we postulate it might probably be used for set up of Deadglyph.

The sufferer of the analyzed infiltration is a governmental entity within the Center East that was compromised for espionage functions. A associated pattern discovered on VirusTotal was additionally uploaded to the file-scanning platform from this area, particularly from Qatar. The focused area is depicted on the map in Determine 1.

Stealth Falcon (often known as Venture Raven or FruityArmor) is a risk group linked to the United Arab Emirates in accordance with MITRE. Lively since 2012, Stealth Falcon is understood to focus on political activists, journalists, and dissidents within the Center East. It was first found and described by Citizen Lab, which printed an evaluation of a marketing campaign of spy ware assaults in 2016.

In January 2019, Reuters printed an investigative report on Venture Raven, an initiative allegedly using former NSA operatives and aiming on the similar kinds of targets as Stealth Falcon. Primarily based on these two reviews referring to the identical targets and assaults, Amnesty Worldwide has concluded (proven in Determine 2) that Stealth Falcon and Venture Raven really are the identical group.

In September 2019, we printed analysis on a backdoor, attributed to Stealth Falcon, that used an uncommon method, Background Clever Switch Service, for C&C communication. We now reveal the results of our in-depth evaluation of what presumably is the most recent addition to Stealth Falcon’s espionage toolset.

Deadglyph backdoor

Deadglyph’s loading chain consists of a number of parts, as illustrated in Determine 3. The preliminary part is a registry shellcode loader, which masses shellcode from the registry. This extracted shellcode, in flip, masses the native x64 a part of the backdoor – the Executor. The Executor subsequently masses the .NET a part of the backdoor – the Orchestrator. Notably, the one part on system’s disk as a file is the preliminary part, which is within the type of a Dynamic Hyperlink Library (DLL). The remaining parts are encrypted and saved inside a binary registry worth.

Whereas the exact methodology of the preliminary compromise vector just isn’t but decided, our suspicion is that an installer part is concerned in deploying additional parts and establishing persistence throughout the system.

In the remainder of this part, we analyze every part.

Registry shellcode loader

Deadglyph’s preliminary part is a tiny DLL with a single export, named 1. This part is continued utilizing Home windows Administration Instrumentation (WMI) occasion subscription and serves as a registry shellcode loader. It’s executed by way of the command line rundll32 C:WINDOWSSystem32pbrtl.dll,#1.

The registry shellcode loader begins its operation by decrypting the trail to the encrypted shellcode saved throughout the Home windows registry, utilizing RC4. We suspect the trail is exclusive for every sufferer; within the case analyzed right here, the registry path was:

SoftwareClassesCLSID{5abc7f42-1112-5099-b082-ce8d65ba0c47}cAbRGHLg

The foundation registry secret is both HKLM or HKCU, relying on whether or not the present course of is working with elevated privileges or not. The identical logic could be present in additional parts.

Following this, the loader derives a machine-specific RC4 key utilizing the system UUID retrieved from the uncooked SMBIOS firmware desk. Utilizing this key, it masses, decrypts, after which executes the shellcode. You will need to spotlight that this key derivation strategy ensures that correct decryption gained’t happen if the loader is executed on a unique laptop.

Apparently, the loader may also be configured by a flag in its .information part to make use of a hardcoded key to decrypt the shellcode, as an alternative of the machine-specific one.

We noticed a homoglyph assault mimicking Microsoft Company within the VERSIONINFO useful resource of this and different PE parts. This methodology employs distinct Unicode characters that seem visually related, however on this case not equivalent, to the unique characters, particularly Greek Capital Letter San (U+03FA, Ϻ) and Cyrillic Small Letter O (U+043E, о) in Ϻicrоsоft Corpоratiоn.

Registry shellcode

Comprised of two components, the registry shellcode consists of a decryption routine and an encrypted physique. First, the decryption routine rotates every byte of the encrypted physique to the left by one (ROL 0x01). Subsequently, management is transferred to this decrypted physique. The decrypted physique consists of a PE loader and a PE file, the latter being the Executor, which represents the native a part of the backdoor. This loader is answerable for parsing and loading the related PE file.

Executor

The Orchestrator first masses its configuration and two embedded modules, every accompanied by its personal set of configurations, from assets. These assets are Deflate compressed and AES encrypted. They’re referenced by an ID that’s SHA-1 hashed right into a useful resource title. An outline of those assets is supplied in Desk 1.

Desk 1. Orchestrator assets

The configuration of the Orchestrator and embedded modules is saved in XML format. An instance of an Orchestrator configuration is proven in Determine 4.

The outline of Orchestrator configuration entries is proven in Desk 2.

Desk 2. Orchestrator configuration entries

After the useful resource parts are loaded, a number of threads are created to hold out distinct duties. One in every of these threads is answerable for conducting setting checks, a perform carried out throughout the Executor. One other thread is dedicated to establishing periodic communication with the C&C server, enabling the retrieval of instructions. Lastly, a set of three threads is employed for the aim of executing acquired instructions and subsequently transmitting any generated output again to the C&C server.

The environment-checking thread screens working processes to determine undesirable ones. This thread operates with two distinct lists of course of names. If a course of on the primary listing is detected, C&C communication and command execution is paused till the undesirable course of not exists. If there’s a match for any course of on the second listing, the backdoor instantly quits and uninstalls itself.

Neither listing was configured within the analyzed occasion, so we don’t know what processes would possibly sometimes be checked for; we consider it’s most likely supposed to evade evaluation instruments that might detect suspicious exercise and result in discovery of the backdoor.

Communication

The Orchestrator makes use of two embedded modules for C&C communication – Timer and Community. Just like the Orchestrator, these modules are obfuscated with .NET Reactor. The configuration for each modules is provided by the Orchestrator. Inside the Orchestrator, a preset configuration for the modules is included; optionally, the Orchestrator also can load an up to date configuration model from the registry:

HKLMSoftwareClassesCLSID{<variable_GUID>}<mod_cfg_res_ID>

The backdoor comprises an fascinating security measure associated to communication. If the backdoor is unable to ascertain communication with the C&C server for a period surpassing a predefined threshold, configured throughout the Executor, a self-uninstallation mechanism is triggered. This time threshold is laid out in hours and was set at one hour within the examined case.

This strategy serves a twofold function. On one hand, it prevents the era of redundant community requests in direction of an inaccessible server. Then again, it reduces the probabilities of subsequent detection if the operators lose management over the backdoor.

Timer module

This small module executes the desired callback at a configurable interval. It’s utilized by the Orchestrator together with the Community module to speak with the C&C server periodically. To forestall the creation of detectable patterns in community logs, the execution interval is topic to randomization, primarily based on a proportion specified within the configuration. Within the analyzed occasion, the interval was set to 5 minutes, with a ±20% variation launched for randomness.

One other methodology to keep away from detectable community patterns in periodic communication could be present in era of requests despatched to the C&C server. This mechanism, carried out within the Executor, entails the inclusion of padding of various size, comprised of random bytes, throughout the requests, leading to requests of numerous sizes.

Community module

The Community module implements communication with the C&C servers laid out in its configuration. It might ship information to a C&C server utilizing HTTP(S) POST requests. Notably, it gives a number of mechanisms to amass proxy configuration particulars. This characteristic suggests a possible give attention to environments the place direct web entry just isn’t accessible.

An instance of a decrypted (and beautified) configuration is proven in Determine 5.

Configuration entries include particulars associated to community communications – C&C URLs, HTTP Consumer-Agent, and optionally a proxy configuration.

When speaking with the C&C server, a customized binary protocol with encrypted content material is used beneath HTTPS.

Instructions

The Orchestrator receives instructions from the C&C server within the type of duties, that are queued for execution. There are three sorts of duties processed:

• Orchestrator duties,
• Executor duties, and
• Add duties.

The primary two varieties are acquired from the C&C server and the third is created internally to add the output of instructions and errors.

Orchestrator duties

Orchestrator duties supply the flexibility to handle the configuration of the Community and Timer modules, and likewise to cancel pending duties. The overview of Orchestrator duties is proven in Desk 3.

Desk 3. Orchestrator duties

Executor duties

Executor duties supply the flexibility to handle the backdoor and execute extra modules. It’s notable that the standard backdoor performance just isn’t inherently current throughout the binary itself. As an alternative, these capabilities are obtained from the C&C server within the type of PE recordsdata or shellcode. The total extent of the backdoor’s potential stays unknown with out these extra modules, which successfully unlock its true capabilities. An outline of module duties is proven in Desk 4, which incorporates particulars in regards to the few recognized modules. Equally, Desk 5 supplies an outline of administration duties related to the Executor.

Desk 4. Executor duties – modules

Desk 5. Executor duties – administration

The command that units the Executor configuration can change the:

• undesirable course of lists,
• time threshold of C&C communication failure, and
• time restrict for execution of extra modules.

Modules

We managed to acquire three distinctive modules from the C&C server, every similar to a unique Executor process sort, as proven in Desk 4. Primarily based on accessible data, we estimate there are 9 to 14 modules in complete. Because the modules are the truth is backdoor instructions, they’ve one fundamental operation to execute after which optionally return their output. The modules we obtained are DLLs with one unnamed export (ordinal 1), by which they resolve obligatory API capabilities and name the primary perform.

When executed, the modules are supplied with an API decision perform, which may resolve Home windows APIs and customized Executor APIs. The Home windows APIs are referenced by a DWORD hash, calculated from the title of the API and its DLL. Small hash values (<41) are handled specifically, referencing the Executor API perform. The Executor API includes a complete of 39 capabilities which are accessible to the modules. These capabilities pertain to quite a lot of operations, together with:

• file operations,
• encryption and hashing,
• compression,
• PE loading,
• entry Token Impersonation, and
• utility.

In the remainder of this part, we describe the modules that we obtained.

Course of creator

Module 0x69 executes the desired command line as a brand new course of and supplies the ensuing output again to the Orchestrator. The method could be created underneath a unique consumer, and its execution time could be restricted. Notably, an uncommon Job API is used on this module’s performance.

This module was served with the command line cmd.exe /c tasklist /v.

We assume it serves as an idle command issued routinely, whereas the operators watch for one thing fascinating to occur on the compromised laptop.

Data collector

Module 0x6C collects in depth details about the pc by way of WMI queries and passes it again to the Orchestrator. Details about the next is collected:

• working system,
• community adapters,
• put in software program,
• drives,
• companies,
• drivers,
• processes,
• customers,
• setting variables, and
• safety software program.

File reader

Module 0x64 reads the desired file and passes the content material again to the Orchestrator. Optionally, it could actually delete the file after studying.

We noticed this module used to retrieve the sufferer’s Outlook information file

c:Customers<redacted>AppDataLocalMicrosoftOutlookoutlook.ost.

Chain with shellcode downloader

Within the means of investigating Deadglyph, we encountered a doubtful CPL file signed with an expired certificates and no countersignature with a timestamp, which had been uploaded to VirusTotal from Qatar. Upon nearer examination, it turned evident that this CPL file functioned as a multistage shellcode downloader, sharing sure code resemblances with Deadglyph. The loading chain is illustrated in Determine 6.

In its preliminary kind, which serves as the primary stage, this file anticipates having a .cpl extension (Management Panel file) and is supposed to be executed by way of a double-click motion. Upon execution on this method, the embedded shellcode undergoes XOR decryption, and the working processes are checked to determine an appropriate host course of for subsequent injection.

If avp.exe (a Kaspersky endpoint safety course of) is working, %windirpercentsystem32UserAccountBroker.exe is used. In any other case, the default browser is used. Then, it creates the host course of in a suspended state, injects the shellcode by hijacking its important thread, and resumes the thread.

The second stage, the shellcode, consists of two components. The primary a part of the shellcode resolves API hashes, utilizing the identical distinctive hash calculation method employed in Deadglyph, and decrypts strings with course of names. It begins a self-delete thread tasked with overwriting and subsequently erasing the first-stage file. Following this, the shellcode proceeds to examine the at the moment energetic processes, concentrating on a safety answer.

If any of the desired processes are detected, the shellcode creates a sleeper thread with the bottom precedence (THREAD_PRIORITY_IDLE) and permits it to stay energetic for a period of 60 seconds earlier than terminating its operation. This interval is probably going carried out as a precautionary measure to evade sure detection mechanisms employed by safety options. Lastly, the shellcode proceeds to invoke the execution of the second a part of its code.

The second a part of the shellcode masses an embedded PE file with stage three and calls its export with ordinal quantity 1.

The third stage, a DLL, serves as a .NET loader and comprises the payload in its .rsrc part.

To load the payload, the .NET runtime is initialized. Through the .NET initialization, two intriguing strategies are carried out, seemingly supposed to evade Home windows Antimalware Scan Interface (AMSI) scanning:

• The .NET loader quickly hooks the GetModuleHandleW import within the loaded clr.dll, whereas calling ICorRuntimeHost::Begin. The hook tampers with the return worth when GetModuleHandleW is named with NULL. It returns a pointer to a dummy PE with no sections.
• It then subtly patches the AmsiInitialize import title string within the .rdata part of the loaded clr.dll to amsiinitialize.

The fourth stage is a .NET meeting, obfuscated with ConfuserEx, that serves as a shellcode downloader. First, it XOR-decrypts its configuration in XML format from its assets. A beautified model of the extracted configuration is introduced in Determine 7. The configuration entries include particulars associated to community communication and blocklisted processes.

Earlier than continuing, it checks the working processes towards an inventory of blocklisted processes from the configuration. If a match is detected, the execution halts. You will need to notice that within the analyzed occasion, this blocklist wasn’t arrange.

Subsequent, it sends an HTTP GET request to the C&C server to retrieve some shellcode, utilizing parameters specified within the configuration (URL, Consumer-Agent, and optionally Proxy). Regrettably, throughout our investigation we have been unable to amass any shellcode from the C&C server. Nonetheless, we hypothesize that the content material being retrieved might probably function the installer for Deadglyph.

Following this, the retrieved shellcode is executed inside a newly created thread. After ready till the shellcode thread finishes execution, the shellcode downloader removes all recordsdata positioned within the listing %WINDIRpercentServiceProfilesLocalServiceAppDataLocalTempTfsStoreTfs_DAV.

Lastly, it makes an try to delete itself after a 20-second interval, using the following command, earlier than concluding its operation and exiting:

cmd.exe selection /C Y /N /D Y /T 20 & Del /f /q <current_process_exe_path>

This self-deletion doesn’t make sense on this chain. This is because of the truth that the shellcode downloader is executed inside a browser or system course of after being injected, reasonably than working as an impartial executable. Furthermore, the preliminary file was already deleted by the second stage. This statement means that the shellcode downloader may not be an unique payload of this chain and can also be used individually in different operations.

Conclusion

We’ve found and analyzed a complicated backdoor utilized by the Stealth Falcon group that now we have named Deadglyph. It has an uncommon structure, and its backdoor capabilities are supplied by its C&C within the type of extra modules. We managed to acquire three of those modules, uncovering a fraction of Deadglyph’s full capabilities.

Notably, Deadglyph boasts a spread of counter-detection mechanisms, together with steady monitoring of system processes and the implementation of randomized community patterns. Moreover, the backdoor is able to uninstalling itself to attenuate the chance of its detection in sure circumstances.

Moreover, our investigation led us to the invention of a compelling multistage shellcode downloader chain on VirusTotal. We suspect this downloader chain is probably going leveraged within the set up means of Deadglyph.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis gives non-public APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

Recordsdata

C&C servers

This desk was constructed utilizing model 13 of the MITRE ATT&CK framework.