One sentence summary – A government agency in the Middle East has been targeted by a cyberespionage attack orchestrated by the state-sponsored hacking group Stealth Falcon APT, using a backdoor malware called “Deadglyph” that has previously been associated with campaigns targeting activists, journalists, and dissidents; meanwhile, the P2PInfect worm has seen a surge in activity, targeting poorly secured Redis instances and employing various methods for initial access, with indications of attempted crypto miner payload retrieval and speculation that the developers may be withholding additional functionality or selling access to the botnet.
At a glance
- A government agency in the Middle East was targeted by a sophisticated cyberespionage attack orchestrated by the Stealth Falcon APT, a state-sponsored hacking group believed to be operating from the UAE.
- The attack utilized a backdoor malware called “Deadglyph,” which has been previously associated with the group’s campaigns targeting activists, journalists, and dissidents.
- The Deadglyph malware has a complex infection process involving three key components: a registry shellcode loader, an Executor component, and an Orchestrator component.
- Deadglyph is capable of downloading additional modules from the command and control (C2) server, including a process creator, an info collector, and a file reader.
- Another malware called P2PInfect has seen a surge in activity, targeting poorly secured Redis instances and employing various methods for initial access, including exploiting vulnerabilities and overwriting SSH authorized_keys files.
The details
A recent cyberespionage incident has seen a government agency in the Middle East targeted by a sophisticated attack.
The attack was orchestrated by the Stealth Falcon APT, a state-sponsored hacking group believed to be operating from the UAE.
The group employed a backdoor malware known as “Deadglyph” in the attack.
Deadglyph has been previously associated with the group’s campaigns targeting activists, journalists, and dissidents.
ESET researcher Filip Jurčacko has extensively analyzed the Deadglyph malware and its intricate infection process.
The exact means of initial infection remain unknown, but it is suspected that a malicious executable may be employed.
The loading chain of Deadglyph involves three key components: a registry shellcode loader, an Executor component, and an Orchestrator component.
To evade detection, the initial component exists as a DLL file on the compromised system’s disk.
This DLL file employs homoglyph techniques to mimic legitimate Microsoft information.
Upon execution, the loader retrieves encrypted shellcode from the Windows Registry.
This shellcode is then decrypted and executed by the Executor component.
The Executor component is responsible for loading AES-encrypted configurations, initializing the .NET runtime, and acting as a library.
The Orchestrator component handles communication with the command and control (C2) server.
This enables the malware to receive commands and exfiltrate data.
In the event of communication failure with the C2 server, Deadglyph triggers a self-removal mechanism to prevent analysis.
The malware exhibits modularity, allowing it to download additional modules from the C2 server for expanded functionality.
ESET researchers have obtained three modules so far: a process creator, an info collector, and a file reader.
The process creator enables the execution of specified commands as new processes.
The info collector gathers system data through WMI queries.
The file reader reads file content and can delete files after reading them.
Specific details regarding the initial infection method remain unknown, making it challenging to devise targeted defense strategies.
Defenders can rely on the indicators of compromise (IoCs) released in the report to detect and mitigate potential Deadglyph infections.
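The loader DLL described above impersonates Microsoft version information with look-alike Unicode characters. The following is an added example, not code from the article or from ESET's Deadglyph report, showing how a defender can flag such impersonation in extracted PE version-info strings: fold each string to its visual ASCII "skeleton" and compare it against the strings a genuine Microsoft binary would carry. The confusables map is a small hand-maintained subset (an assumption; a production check would use the full Unicode confusables data), the `LEGIT_STRINGS` list and the version-info sample are constructed for illustration, and no value here is taken from any real file.

```python
"""
Added example (not code from the article or from ESET's Deadglyph report):
flag PE version-information strings that impersonate Microsoft with Unicode
look-alike characters. The confusables map is a hand-maintained subset
(assumption) and SAMPLE_VERSION_INFO is constructed, not from a real binary.
"""
import unicodedata

# Hand-maintained subset of Unicode confusables (assumption): non-Latin
# characters that render like the Latin letters used in "Microsoft Corporation".
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y", "\u0458": "j",
    "\u041c": "M", "\u0421": "C", "\u0422": "T", "\u03bf": "o", "\u0131": "i",
}

# Strings a genuine Microsoft binary carries in its version resource (assumed list).
LEGIT_STRINGS = ("Microsoft Corporation", "Microsoft Windows")


def skeleton(value):
    """Fold a string to its visual ASCII skeleton: NFKD splits accented letters
    into base letter + combining mark, the marks are dropped, and known
    look-alikes are mapped to the Latin letter they imitate."""
    out = []
    for ch in unicodedata.normalize("NFKD", value):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def is_homoglyph_impersonation(value, legit=LEGIT_STRINGS):
    """True when value is not exactly a legitimate string but folds to one,
    i.e. it reads as 'Microsoft ...' while being spelled with look-alikes."""
    return value not in legit and skeleton(value) in legit


def lookalike_codepoints(value):
    """Non-ASCII code points in value, listed for the analyst's report."""
    return [f"U+{ord(ch):04X}" for ch in sorted(set(value)) if not ch.isascii()]


def scan_version_info(info, legit=LEGIT_STRINGS):
    """Check each version-info field and return the impersonating ones."""
    findings = []
    for field, value in info.items():
        if is_homoglyph_impersonation(value, legit):
            findings.append({"field": field, "value": value,
                             "lookalikes": lookalike_codepoints(value)})
    return findings


# Constructed sample: CompanyName is spelled with Cyrillic і (U+0456) and о (U+043E),
# so it renders as "Microsoft Corporation" but is not byte-identical to it.
SAMPLE_VERSION_INFO = {
    "CompanyName": "M\u0456cr\u043es\u043eft C\u043erp\u043erati\u043en",
    "FileDescription": "Windows Shell Common Dll",
    "ProductName": "Microsoft Windows",
}

if __name__ == "__main__":
    for f in scan_version_info(SAMPLE_VERSION_INFO):
        print(f"{f['field']}: {f['value']!r} uses look-alikes {f['lookalikes']}")
```

The check deliberately compares against an exact allowlist rather than flagging every non-ASCII character, so localized but legitimate vendor strings are not reported; only strings that collapse to a Microsoft string while not being one are.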
In a separate development, the P2PInfect worm has witnessed a surge in activity since late August 2023.
The malware developers have exhibited a high development cadence, resulting in the proliferation of numerous variants in the wild.
The majority of compromised systems have been reported in China, the United States, Germany, the United Kingdom, Singapore, Hong Kong, and Japan.
Initially, P2PInfect targeted poorly secured Redis instances.
It exploited vulnerabilities in the Redis SLAVEOF command and abused the database’s replication feature to deliver its payload.
Recent variants have employed alternative methods for initial access.
These newer versions establish persistence through a cron job and retrieve the malware binary from a peer.
P2PInfect also employs a technique to overwrite SSH authorized_keys files with an attacker-controlled SSH key.
This effectively locks out legitimate users from accessing the compromised system.
The primary payload attempts to change user passwords to a specific format but requires root access.
While the exact objectives of P2PInfect remain unclear, there have been indications of attempted crypto miner payload retrieval.
Speculation suggests that the developers may be withholding additional functionality or potentially selling access to the botnet.
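The P2PInfect behaviour described above relies on three host weaknesses: a Redis instance that anyone can reach and point at a rogue replica with SLAVEOF, an `authorized_keys` file that can be silently replaced, and cron as a persistence point. The following is an added example, not code from the article or from the P2PInfect research it summarizes, that audits all three from a defender's side. It parses a `redis.conf`, compares `authorized_keys` against an approved key set (reporting both unexpected and missing keys, since the worm overwrites the file), and applies a simple heuristic to crontab lines. Every config, key and crontab sample is constructed for illustration; the key data are placeholders, not real keys, and the cron heuristic (download tools or temp-directory paths) is an assumption, not a documented indicator.

```python
"""
Added example (not from the article or the P2PInfect research): audit a host
for the weaknesses the worm abuses. All samples below are constructed.
"""
import re

# --- Redis configuration (constructed samples) ------------------------------
WEAK_REDIS_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_REDIS_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""


def parse_redis_conf(text):
    """Return {directive: args}; rename-command entries are collected in a list."""
    conf = {"rename-command": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "rename-command":
            conf["rename-command"].append(parts[1:])
        else:
            conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text):
    """Findings that leave the instance reachable and replicable by anyone."""
    conf = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", [])  # Redis listens on all interfaces when bind is absent
    if not bind or any(b in ("0.0.0.0", "*", "::") for b in bind):
        findings.append("redis: bound to all interfaces (use bind 127.0.0.1 or an internal address)")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not conf.get("requirepass"):
        findings.append("redis: no requirepass, unauthenticated clients accepted")
    disabled = {a[0].upper() for a in conf["rename-command"] if len(a) == 2 and a[1].strip('"') == ""}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f'redis: {cmd} still enabled (rename-command {cmd} "" if replication is unused)')
    return findings


# --- SSH authorized_keys (constructed samples, placeholder key data) ---------
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")
APPROVED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyDataPlaceholder0000"
GOOD_AUTHORIZED_KEYS = f"ssh-ed25519 {APPROVED_KEY} admin@bastion\n"
# What the file looks like after being overwritten: the approved key is gone.
OVERWRITTEN_AUTHORIZED_KEYS = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderUnknownKeyData000000 root@unknown\n"


def parse_authorized_keys(text):
    """Return (type, keydata, comment) per line; leading options are skipped."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok in KEY_TYPES and i + 1 < len(parts):
                keys.append((tok, parts[i + 1], " ".join(parts[i + 2:])))
                break
    return keys


def audit_authorized_keys(text, approved):
    """Keys on the host that are not approved, and approved keys that vanished."""
    present = parse_authorized_keys(text)
    return {
        "unexpected": [k for k in present if k[1] not in approved],
        "missing": sorted(approved - {k[1] for k in present}),
    }


# --- cron persistence (heuristic, assumption) --------------------------------
SUSPICIOUS_CRON = re.compile(r"\b(curl|wget)\b|/tmp/|/dev/shm/|/var/tmp/")
SAMPLE_CRONTAB = """
# constructed sample crontab
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
"""


def audit_crontab(text):
    """Cron entries that fetch from the network or run from temp directories."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and SUSPICIOUS_CRON.search(l)]


if __name__ == "__main__":
    print(audit_redis_conf(WEAK_REDIS_CONF))
    print(audit_authorized_keys(OVERWRITTEN_AUTHORIZED_KEYS, {APPROVED_KEY}))
    print(audit_crontab(SAMPLE_CRONTAB))
```

Disabling SLAVEOF and REPLICAOF with `rename-command` is only appropriate on instances that never act as replicas; where replication is needed, the other three findings (interface binding, protected mode, authentication) are the controls that keep an arbitrary remote host from becoming the instance's master.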
This comprehensive overview of the Deadglyph malware and the P2PInfect worm highlights the sophisticated and evolving nature of cyber threats targeting government agencies and Redis instances.
Organizations are advised to remain vigilant, implement robust security measures, and stay updated on the indicators of compromise associated with these threats.
Article X-ray
Here are all the sources used to create this article:
This section links each of the article’s facts back to its original source.
If you have any suspicions that false information is present in the article, you can use this section to investigate where it came from.
bleepingcomputer.com
- A backdoor malware called ‘Deadglyph’ was used in a cyberespionage attack against a government agency in the Middle East.
- The malware is attributed to the Stealth Falcon APT, a state-sponsored hacking group from the UAE.
- The group has a history of targeting activists, journalists, and dissidents.
- ESET researcher Filip Jurčacko analyzed the malware and its infection process.
- The means of initial infection are unknown, but it is suspected that a malicious executable is used.
- Deadglyph’s loading chain involves a registry shellcode loader, an Executor component, and an Orchestrator component.
- The initial component exists as a DLL file on the compromised system’s disk to minimize detection.
- The loader loads encrypted shellcode from the Windows Registry.
- The DLL component utilizes a homoglyph attack to mimic Microsoft’s information and appear legitimate.
- The Executor component loads AES-encrypted configurations, initializes the .NET runtime, and acts as a library.
- The Orchestrator component handles command and control server communications.
- If communication with the C2 server fails, the malware triggers self-removal to prevent analysis.
- Deadglyph is modular and can download new modules from the C2 server for additional functionality.
- The modules have access to Windows and custom Executor APIs for various operations.
- ESET obtained three modules: a process creator, an info collector, and a file reader.
- The info collector gathers system information using WMI queries.
- The process creator executes specified commands as a new process.
- The file reader reads file content and can delete files after reading.
- Detailed information about the initial infection is unknown, making specific defense strategies difficult.
- Defenders can rely on the IoCs released in the report for now.
thehackernews.com
- P2PInfect, a peer-to-peer worm, has seen a surge in activity since late August 2023.
- The malware’s developers are operating at a high development cadence, with a growing number of variants seen in the wild.
- The majority of compromises have been reported in China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan.
- P2PInfect initially breached poorly secured Redis instances but has since used different approaches for initial access.
- The malware leverages the Redis SLAVEOF command and abuse of the database’s replication feature to deliver the payload.
- Newer variants of P2PInfect have a persistence mechanism using a cron job and a secondary method to retrieve the malware binary from a peer.
- P2PInfect overwrites SSH authorized_keys files with an attacker-controlled SSH key, preventing existing users from logging in.
- The main payload attempts to change user passwords to a specific format, but this requires root access.
- The exact goals of P2PInfect are unclear, but it has attempted to fetch a crypto miner payload.
- It is speculated that the developers may be waiting to implement additional functionality or sell access to the botnet.