Government-targeted cyber attacks employ stealthy and modular Deadglyph malware

A state-sponsored cyber espionage weapon

Advanced and sophisticated malware used to target government organizations

A brand-new and extremely clever backdoor spyware known as “Deadglyph” has emerged as a significant danger in the constantly changing field of cyber warfare. The deployment of this modular malware in a cyberespionage assault against a Middle Eastern government agency has recently made headlines. Deadglyph is a substantial improvement in the capabilities of the notorious state-sponsored hacking operation Stealth Falcon APT (also known as Project Raven or FruityArmor).

Targeting^[1] activists, journalists, and dissidents for almost a decade is a worrying history for Stealth Falcon APT, also known as Project Raven or FruityArmor. This state-sponsored hacking gang, which is based in the United Arab Emirates (UAE), has proven to be persistent in its pursuit of its online goals. Through this most recent attack, they have demonstrated how their cyber skills have advanced and pushed into the realm of government. Given the likelihood of heightened geopolitical tensions and national security breaches, the consequences of this development are alarming.

A cloak-and-dagger malware

In a report^[2] given at the LABScon cybersecurity conference,^[3] ESET, a cybersecurity research group, offered insightful details on the inner workings of Deadglyph. While the initial infection method is still unknown, ESET's investigation provides insight into how this malware infects Windows devices and manages to avoid detection.

The DLL responsible for extracting code from the Windows registry serves as the first link in the loading chain for Deadglyph. The Executor (x64) component is then loaded by this code, which subsequently loads the Orchestrator (.NET) component. Notably, the chances of discovery are greatly diminished because just the initial component is present as a DLL file on the infiltrated system's disk.

The use of a homoglyph attack in the VERSIONINFO resource, which used distinctive Greek and Cyrillic Unicode characters to impersonate Microsoft's information, is also highlighted in the ESET research. By using this method, it can be disguised even more to look like a genuine Windows file. Due to its highly effective obfuscation techniques, Deadglyph is an extremely dangerous opponent in the world of cyber threats.

The modularity and capabilities of Deadglyph

The modular design of Deadglyph is among its most remarkable features. The malware is able to download fresh modules from its command and control (C2) server, each of which has a different shellcode that the Executor component can run. Threat actors can customize their attacks thanks to this modular strategy, which increases their capacity to engage in a variety of destructive actions.

While only being able to access a small portion of Deadglyph's modules, ESET has discovered certain key features. These consist of a file reader, a process creator, and an information collector. While the process creator launches specified instructions as new processes and passes the outcomes to the Orchestrator, the information collector uses Windows Management Instrumentation (WMI) queries to gather crucial system information. The file reader module also makes it possible to read a file's contents and choose to destroy it after retrieval.

Despite these revelations, Deadglyph's full range of skills is still a mystery. It is difficult to develop particular security tactics against this malware without a thorough understanding of the initial infection vector. To improve their readiness in spotting and countering Deadglyph-based attacks, cybersecurity professionals must for the time being rely on the indicators of compromise (IoCs) listed in ESET's report.