Researchers at ESET have found an undocumented backdoor linked to malware used by the Stealth Falcon Group to attack individuals in the Middle East.
The infamous threat group has been launching spyware attacks against journalists, political activists, and dissidents since 2012. Individuals targeted by the group are sent an email containing a weaponized document, which delivers a PowerShell-based backdoor.
By probing into the activities of Stealth Falcon, ESET researchers discovered a previously unreported executable backdoor they have named Win32/StealthFalcon. The backdoor appears to have been created in 2015 and can be used to carry out data collection and exfiltration and to employ further malicious tools.
Win32/StealthFalcon talks to its command and control (C&C) server in an unusual but clever way. Instead of communicating through the usual API functions, this particular backdoor uses the standard Windows component Background Intelligent Transfer Service (BITS).
Choosing BITS was a savvy move by the threat group for two reasons. First, the BITS mechanism is exposed through a Component Object Model (COM) interface, which makes it harder for a security product to detect.
Second, BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth. It's commonly used by updaters, messengers, and other applications designed to operate in the background, meaning that it's likely to be permitted by most firewalls. That's a pretty useful design feature when you're going for stealth.
Another feature of Win32/StealthFalcon is that it is extremely reliable: a transfer resumes automatically after being interrupted by a network outage, the user logging out, or a system reboot.
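Because BITS traffic blends in with legitimate updaters and is rarely blocked at the firewall, the practical defensive handle is the BITS job record itself: the job name, the remote URL and the owning account. The script below is an added example, not code from ESET or from the report it describes. It runs a small set of review rules over exported BITS job events and reports the jobs worth a second look. The record layout (`job_name`, `owner`, `url`, `notify_cmdline`) and the allowlist of updater hosts are constructed for the example; the sample events are loosely modelled on the "BITS started the ... transfer job" messages in the Microsoft-Windows-Bits-Client/Operational log (event ID 59), but the field names are this example's own, not Microsoft's.

```python
"""
Review exported BITS transfer-job events for jobs that do not look like
legitimate updater traffic. Added example; the record format and allowlist
are constructed stand-ins, not ESET's tooling or Microsoft's schema.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Any, Dict, Iterable, List
from urllib.parse import urlparse

# Constructed allowlist of hosts that approved updaters are expected to fetch
# from. A real deployment would build this from the software inventory.
ALLOWED_HOSTS = {
    "updates.vendor.example",
    "cdn.updates.vendor.example",
}


@dataclass
class Finding:
    job_name: str
    url: str
    owner: str
    reasons: List[str] = field(default_factory=list)


def _host_is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess_job(event: Dict[str, Any]) -> Finding:
    """Return a Finding listing every reason this BITS job deserves review."""
    url = event.get("url", "")
    parsed = urlparse(url)
    host = parsed.hostname or ""
    finding = Finding(event.get("job_name", "?"), url, event.get("owner", "?"))

    # BITS also speaks SMB; anything other than http/https is unusual for an updater.
    if parsed.scheme not in ("http", "https"):
        finding.reasons.append(f"unexpected scheme {parsed.scheme!r}")
    # Vendors publish updates from hostnames, not bare addresses.
    if _host_is_ip_literal(host):
        finding.reasons.append("remote is an IP literal rather than a vendor hostname")
    elif host not in ALLOWED_HOSTS:
        finding.reasons.append(f"host {host!r} is not an approved updater endpoint")
    if parsed.port not in (None, 80, 443):
        finding.reasons.append(f"non-standard port {parsed.port}")
    # A BITS job can be configured to run a program when it finishes; for an
    # updater that is plausible, for an ad-hoc job owned by a user it is not.
    if event.get("notify_cmdline"):
        finding.reasons.append("job runs a command on completion")
    return finding


def analyze_bits_events(events: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Keep only the jobs that have at least one reason to be reviewed."""
    return [f for f in (assess_job(e) for e in events) if f.reasons]


# Constructed sample records (not real telemetry). Hosts use reserved
# example/TEST-NET values so nothing here points at a real system.
SAMPLE_EVENTS = [
    {"job_name": "VendorUpdate-1", "owner": "NT AUTHORITY\\SYSTEM",
     "url": "https://updates.vendor.example/patch.cab"},
    {"job_name": "Windows Update Helper", "owner": "WORKSTATION\\j.doe",
     "url": "http://203.0.113.7:8080/img.dat",
     "notify_cmdline": "C:\\Users\\Public\\helper.exe"},
    {"job_name": "Telemetry", "owner": "WORKSTATION\\j.doe",
     "url": "https://sync.unknown-host.test/upload"},
]

if __name__ == "__main__":
    for f in analyze_bits_events(SAMPLE_EVENTS):
        print(f"{f.job_name} ({f.owner}) -> {f.url}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the constructed sample, the approved vendor job passes silently, the job named to look like a Windows updater is reported for its IP-literal destination, its non-standard port and its completion command, and the "Telemetry" job is reported only because its host is not on the allowlist. The rules are deliberately simple; the useful part is that they key on the BITS job metadata that the malware cannot avoid leaving behind, not on the network traffic that BITS makes look legitimate.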
The ESET investigation also uncovered a small number of attacks carried out with this malware in the United Arab Emirates, Saudi Arabia, and Thailand. An attack was also perpetrated in the Netherlands, where the target was a diplomatic mission of a Middle Eastern country.
Researchers found similarities between the newly discovered executable backdoor and the PowerShell script with backdoor capabilities previously attributed to the Stealth Falcon group. The evidence suggests that both backdoors are the work of the same group.
Stealth Falcon has been linked by Amnesty International’s senior technologist Claudio Guarnieri to another threat group, Project Raven, which allegedly employs former NSA operatives to attack similar targets in the Middle East.