ESET researchers discovered a backdoor linked to malware used by the Stealth Falcon group, an operator of targeted spyware attacks against journalists, activists and dissidents in the Middle East
Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon.
Based on these two reports referring to the same targets and attacks, Amnesty International’s Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the same group.
Some technical information about Stealth Falcon has already been made public – notably, in the already mentioned analysis by the Citizen Lab.
The key component in the attack documented in the Citizen Lab report was a PowerShell-based backdoor, delivered via a weaponized document that was included in a malicious email.
Now, we have found a previously unreported binary backdoor we have named Win32/StealthFalcon. In this article, we disclose similarities between this binary backdoor and the PowerShell script with backdoor capabilities attributed to the Stealth Falcon group. We consider the similarities to be strong evidence that Win32/StealthFalcon was created by this group.
The Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. We have seen a small number of targets in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country. How the backdoor was distributed and executed on the target systems is beyond the scope of this investigation; our analysis focuses on its capabilities and its C&C communication.
In its communication with the C&C server, Win32/StealthFalcon uses the standard Windows component Background Intelligent Transfer Service (BITS), a rather unusual technique. BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth, which it achieves by sending the data with throttled throughput so as not to affect the bandwidth needs of other applications. It is commonly used by updaters, messengers, and other applications designed to operate in the background. This means that BITS tasks are more likely to be permitted by host-based firewalls.
Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy. The transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system reboot. Moreover, because BITS adjusts the rate at which files are transferred based on the bandwidth available, the user has no reason for suspicion.
Win32/StealthFalcon can switch the communication between two C&C servers whose addresses are stored in a registry key, along with other configuration values, and can be updated by one of the backdoor commands. In case the backdoor fails to reach out to its C&C servers, the backdoor removes itself from the compromised system after a preconfigured number of failed attempts.
Win32/StealthFalcon is a DLL file that, after execution, schedules itself as a task running on each user login. It only supports basic commands but displays a systematic approach to data collection, data exfiltration, employing further malicious tools, and updating its configuration.
|CFG||Update configuration data|
|RC||Execute the specified application|
|DL||Write downloaded data to file|
|CF||Prepare a file for exfiltration|
|CFW||Exfiltrate and delete files|
|CFWD||Not implemented/no operation|
Table 1. Backdoor commands
For example, the backdoor’s key capability, downloading and executing files, is achieved via regular checks for libraries named “win*.dll” or “std*.dll” in the directory the malware is executed from, and loading these libraries.
Furthermore, Win32/StealthFalcon collects files and prepares them for exfiltration by storing an encrypted copy with a hardcoded prefix in a temporary folder. It then regularly checks for such files and exfiltrates them automatically. After the files have been successfully exfiltrated, the malware safe-deletes all log files and collected files – before deleting the files, it rewrites them with random data – to prevent forensic analysis and recovery of the deleted data.
The configuration values are stored in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions registry key. All values are prefixed by the malware’s filename (without extension).
|Value name suffix||Content|
|-FontDisposition||Randomly generated, 4-byte victim ID|
|-MRUData||RC4-encrypted C&C domain|
|-MRUList||RC4-encrypted C&C domain|
|-IconPosition||Flag determining which of the C&C domains should be used|
|-IconDisposition||Number of seconds to sleep after each iteration of contacting the C&C server|
|-PopupPosition||Counter of failed attempts to reach the C&C servers|
Table 2. Configuration data stored in registry
Possible trick to evade detection
Of interest is a function that is executed before any malicious payload is started, and which seems redundant. It references 300+ imports, but does not use them at all. Instead, it always returns and continues with the payload afterward, without condition checks that would suggest it is an anti-emulation trick.
Figure 2. A function referencing hundreds of unused imports, possibly added to avoid detection of the malware
We don’t know the precise intention of this function, but we suspect it is either some attempt to evade detection, or some leftover from a larger framework used by the malware authors.
Links to Stealth Falcon
Both Win32/StealthFalcon and the PowerShell-based backdoor described in the Citizen Lab analysis share the same C&C server: the address windowsearchcache[.]com was used as a “Stage Two C2 Server Domain” in the backdoor analyzed by the Citizen Lab, and also in one of the versions of Win32/StealthFalcon.
Both backdoors display significant similarities in code – although they are written in different languages, the underlying logic is preserved. Both use hardcoded identifiers (most probably campaign ID/target ID). In both cases, all network communication from the compromised host is prefixed with these identifiers and encrypted with RC4 using a hardcoded key.
For their C&C server communication, they both use HTTPS but set specific flags for the connection to ignore the server certificate.
We discovered and analyzed a backdoor with an uncommon technique for C&C communication – using Windows BITS – and some advanced techniques to hinder detection and analysis, and to ensure persistence and complicate forensic analysis. Similarities in the code and infrastructure with a previously known malware by Stealth Falcon drive us to the conclusion that the Win32/StealthFalcon backdoor is also the work of this threat group.
Indicators of Compromise (IoCs)
ESET detection name
Note: Malware derives a second RC4 key by XORing each byte of the hardcoded key with 0x3D.
Malware file names
Log file name patterns
X is the malware’s filename (without extension).
BITS job names
MITRE ATT&CK techniques
|Execution||T1059||Command-Line Interface||Malware uses cmd.exe to execute some commands.|
|T1106||Execution through API||Malware uses CreateProcessW API for execution.|
|T1085||Rundll32||Malware uses rundll32.exe to load the backdoor DLL.|
|T1053||Scheduled Task||Malware schedules rundll32.exe to be executed on each login, and subsequently to load the backdoor DLL.|
|Persistence||T1053||Scheduled Task||Malware establishes persistence by scheduling a task that loads the backdoor on each user login.|
|Defense Evasion||T1197||BITS Jobs||Malware uses BITS file transfer mechanism for network communication, in an attempt to avoid detection.|
|T1140||Deobfuscate/Decode Files or Information||Strings are encrypted with a custom XOR cipher.|
|Configuration data and log files are encrypted with RC4, using a hardcoded key.|
|T1107||File Deletion||Malware overwrites files with random data, and deletes them after exfiltration.|
|T1036||Masquerading||Malware attempts to disguise itself by using seemingly-legitimate file names.|
|T1112||Modify Registry||Malware stores its configuration in a registry key.|
|T1027||Obfuscated Files or Information||Strings are encrypted with a custom XOR cipher.|
|Configuration data and log files are encrypted with RC4, using a hardcoded key.|
|Discovery||T1063||Security Software Discovery||Malware terminates itself if McAfee Agent binary (cmdagent.exe) is detected.|
|Collection||T1074||Data Staged||Malware stores collected data in a temporary folder in files named with a hardcoded prefix.|
|T1005||Data from Local System||Malware has a command to collect/steal a file from the compromised system.|
|Command and Control||T1008||Fallback Channels||Malware is able to communicate with two C&C servers; it also supports switching to a different C&C server using a backdoor command.|
|T1105||Remote File Copy||Malware uses BITS Jobs for C&C communication.|
|T1005||Standard Cryptographic Protocol||Malware encrypts C&C communication using RC4 with a hardcoded key.|
|Exfiltration||T1020||Automated Exfiltration||Malware automatically exfiltrates files in a temporary folder in files named with a hardcoded prefix.|
|T1022||Data Encrypted||Malware encrypts the collected data using RC4 with a hardcoded key, prior to exfiltration.|
|T1041||Exfiltration Over Command and Control Channel||Malware exfiltrates data over the C&C channel.|