Deadglyph malware: government espionage in the Middle East

A new, highly sophisticated backdoor malware, known as Deadglyph, has been identified in a cyber espionage campaign against a Middle Eastern government agency. This malware is attributed to the Advanced Persistent Threat (APT) group Stealth Falcon, also known as Project Raven or FruityArmor, which operates on behalf of the United Arab Emirates (UAE) government.

Deadglyph attack details

ESET experts have no information on the initial infection vector, but suspect the use of a malicious executable, probably a program installer. However, ESET managed to obtain most of the components involved in the infection chain, highlighting their functioning and attempts to evade detection.

A modular malware

Deadglyph features a modular structure, which allows it to download new modules from the command and control (C2) server. These modules contain several shellcodes that are executed by the Executor component. This modular approach gives threat actors the flexibility to create new modules tailored for specific purposes and send them to compromised systems to carry out further malicious actions.

Ability to gather information and create processes

The information collection module uses Windows Management Instrumentation (WMI) queries to collect a wide range of data about the compromised system, including details about the operating system, network adapters, installed software, drives, services, processes, users, environment variables, security software and more. The process creator serves as a tool for running specified commands as new processes. The results are then communicated to the Orchestrator.