ESET Discovered an Undocumented Backdoor Used by the Infamous Stealth Falcon Group (Sep 9, 2019)
ESET researchers have attributed a newly discovered backdoor to the Stealth Falcon threat group, which has been targeting political activists, dissidents and journalists since at least 2012. The binary backdoor analyzed by ESET was found to be similar to "the PowerShell script with backdoor capabilities attributed to the Stealth Falcon group." The distribution method of the backdoor, dubbed "Win32/StealthFalcon," was not reported; however, it may be delivered in the same way as Stealth Falcon's PowerShell script, namely a spearphishing email carrying a weaponized document attachment. Once installed, the Win32/StealthFalcon backdoor gives the actor full remote control of the infected machine.
Recommendation: Amnesty International security researcher Claudio Guarnieri believes that Stealth Falcon and Project Raven are the same group. Project Raven was reported on by Reuters in January 2019 and described as a United Arab Emirates initiative that employed former US intelligence operatives. Defense-in-depth (layering of security mechanisms, redundancy and fail-safe defense processes) is the most effective way to protect against APTs, with attention to both network- and host-based security. Prevention and detection capabilities should both be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.