ESET researchers have discovered a previously undocumented backdoor linked to malware from the infamous Stealth Falcon group
Since 2012, the Stealth Falcon threat group has been targeting political activists and journalists in the Middle East. Some researchers link it to Project Raven, an initiative that allegedly employed former NSA operatives.
To date, little technical information about Stealth Falcon has been published. The main public source is a technical analysis of the group's malware released by Citizen Lab in 2016. According to that analysis, the malware was a PowerShell-based backdoor delivered through a weaponized document attached to a malicious email.
ESET researchers have now identified a previously unreported binary (executable) backdoor, which they named Win32/StealthFalcon. They observed a small number of targets in the UAE, Saudi Arabia and Thailand, as well as in the Netherlands, where the target was a diplomatic mission of a Middle Eastern country.
According to ESET's research, the newly discovered executable backdoor shares several characteristics with the PowerShell backdoor attributed to Stealth Falcon. ESET researchers consider these similarities strong evidence that both backdoors are the work of the same group.
Win32/StealthFalcon uses a rather unusual technique to communicate with its C&C server: the standard Windows component Background Intelligent Transfer Service (BITS). Compared with traditional communication through network API functions, the BITS mechanism is exposed through a COM interface and is therefore harder for security products to detect. In addition, the mechanism is reliable and stealthy: BITS is designed to transfer data in the background without consuming much bandwidth, transfers resume automatically after an interruption, and, because BITS is routinely used by updaters and other background applications, its traffic is more likely to be permitted by host-based firewalls.
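Because BITS traffic blends in with legitimate background transfers, a practical way to hunt for abuse of this mechanism is to look at the BITS jobs themselves rather than at the network. The following added example (not code from ESET or from the article) correlates records from the Microsoft-Windows-Bits-Client/Operational log: Event ID 3 (job created, which carries the creating process path) with Event ID 59 (transfer started, which carries the remote URL), and flags jobs created by a process outside an allow-list or contacting a host outside an allow-list. The records are constructed samples shaped like the fields of those two event types, and the allow-lists are assumptions that would be tuned per environment.

```python
"""Hunt for suspicious BITS jobs by correlating BITS-Client Operational records.

Added example, not part of the original article. It joins job-creation records
(Event ID 3: job name, owner, creating process) with transfer-start records
(Event ID 59: job name, remote URL) and applies two heuristics:
  * the job was created by a process outside a trusted-path allow-list;
  * the job contacts a host outside a trusted-host allow-list.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed allow-lists (tune per environment). Compared case-insensitively.
TRUSTED_PROCESS_PATHS = {
    r"c:\windows\system32\svchost.exe",   # Windows Update and other built-in BITS clients
}
TRUSTED_URL_HOST_SUFFIXES = (
    ".windowsupdate.com",
    ".microsoft.com",
)

# Constructed sample records, modelled on the EventData fields of Event ID 3
# and Event ID 59. The hostnames use the reserved .invalid TLD on purpose.
SAMPLE_RECORDS = [
    {"EventID": 3, "JobName": "WU Client Download", "Owner": "NT AUTHORITY\\SYSTEM",
     "ProcessPath": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 59, "JobName": "WU Client Download",
     "URL": "http://download.windowsupdate.com/d/msdownload/update/x.cab"},
    # Job created from a user-writable Temp directory and talking to an unknown host.
    {"EventID": 3, "JobName": "qb7f2", "Owner": "DESKTOP-1\\user",
     "ProcessPath": r"C:\Users\user\AppData\Local\Temp\srv.exe"},
    {"EventID": 59, "JobName": "qb7f2",
     "URL": "https://cdn.example-c2.invalid/up/5f3a"},
    # Trusted creator, but the destination is not on the allow-list.
    {"EventID": 3, "JobName": "Update", "Owner": "DESKTOP-1\\user",
     "ProcessPath": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 59, "JobName": "Update",
     "URL": "https://files.example-share.invalid/get/abc"},
]


def correlate_jobs(records):
    """Group records by job name: creator/owner from Event ID 3, URLs from Event ID 59."""
    jobs = defaultdict(lambda: {"process": None, "owner": None, "urls": []})
    for rec in records:
        job = jobs[rec["JobName"]]
        if rec["EventID"] == 3:
            job["process"] = rec.get("ProcessPath")
            job["owner"] = rec.get("Owner")
        elif rec["EventID"] == 59:
            job["urls"].append(rec["URL"])
    return dict(jobs)


def host_is_trusted(url):
    """True if the URL's host matches one of the trusted suffixes (or equals the bare domain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_URL_HOST_SUFFIXES)


def find_suspicious_jobs(records):
    """Return {job_name: [reasons]} for every job that trips at least one heuristic."""
    findings = {}
    for name, job in correlate_jobs(records).items():
        reasons = []
        if job["process"] is None:
            reasons.append("no creation record (Event ID 3) in the examined window")
        elif job["process"].lower() not in TRUSTED_PROCESS_PATHS:
            reasons.append(f"created by untrusted process {job['process']!r}")
        untrusted = [urlparse(u).hostname or u for u in job["urls"] if not host_is_trusted(u)]
        if untrusted:
            reasons.append("contacts untrusted host(s): " + ", ".join(untrusted))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for job_name, reasons in find_suspicious_jobs(SAMPLE_RECORDS).items():
        print(f"[!] BITS job {job_name!r}:")
        for reason in reasons:
            print(f"      - {reason}")
```

On a live host the same records come from `Get-WinEvent -LogName Microsoft-Windows-Bits-Client/Operational`, and currently queued jobs for all users can be listed with `Get-BitsTransfer -AllUsers` or `bitsadmin /list /allusers /verbose`. The allow-list on the creating process is the weaker of the two checks: malware that injects into, or is loaded by, a trusted process inherits that process path, so the destination-host check and a review of job names that look random should be kept alongside it.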
Besides this unusual C&C communication, Win32/StealthFalcon employs several advanced techniques to evade detection and analysis, to achieve persistence, and to complicate forensic investigation.
More details can be found in the blog post "ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group" at WeLiveSecurity.com. The latest findings and research are published on the ESET Research Team account on Twitter.