One sentence summary – Cybersecurity researchers have discovered a new advanced backdoor called Deadglyph, attributed to the threat actor Stealth Falcon, which uses different programming languages to hinder analysis and receives commands from an actor-controlled server to carry out various tasks; meanwhile, security teams express concerns about the permission scopes granted to third-party apps connected to hub apps, as malicious apps can perform unauthorized activities with data and pose risks such as data encryption and SaaS ransomware attacks.
At a glance
- Cybersecurity researchers have discovered a new advanced backdoor called Deadglyph, attributed to Stealth Falcon.
- Deadglyph’s architecture consists of cooperating components, one being a native x64 binary and the other a .NET assembly.
- Stealth Falcon, also known as FruityArmor, has been linked to targeted spyware attacks in the Middle East and has used more zero-day exploits than any other group from 2016 to 2019.
- Deadglyph was discovered during an intrusion at a Middle Eastern governmental entity and engages in evasive maneuvers to avoid detection.
- Security teams express concerns about the permission scopes granted to third-party apps connected to hub apps, and SaaS Security Posture Management (SSPM) solutions can help identify and assess the risk of integrated third-party apps.
The details
Cybersecurity researchers have discovered a new advanced backdoor called Deadglyph, which has been attributed to the threat actor Stealth Falcon.
Deadglyph’s architecture is unusual as it consists of cooperating components, one being a native x64 binary and the other a .NET assembly.
The use of different programming languages may be a deliberate tactic employed by Stealth Falcon to hinder analysis.
Deadglyph receives commands from an actor-controlled server in the form of additional modules, allowing it to create new processes, read files, and collect information.
Stealth Falcon and Project Raven
Stealth Falcon, also known as FruityArmor, was first exposed in 2016 and has been linked to targeted spyware attacks in the Middle East.
The group is believed to be the same as Project Raven, a clandestine operation involving former U.S. intelligence operatives spying on targets critical of the Arab monarchy.
Stealth Falcon has been identified as having used more zero-day exploits than any other group from 2016 to 2019.
Discovery of Deadglyph
Deadglyph, the latest addition to Stealth Falcon’s arsenal, was discovered during an intrusion at a Middle Eastern governmental entity.
The exact method used to deliver the implant is unknown, but it involves a shellcode loader that extracts and loads shellcode from the Windows Registry.
Deadglyph engages in evasive maneuvers and can uninstall itself to avoid detection.
The commands received from the server fall into three categories: Orchestrator tasks, Executor tasks, and Upload tasks.
Executor tasks allow the management of the backdoor and execution of additional modules.
Orchestrator tasks manage the configuration of the Network and Timer modules and can cancel pending tasks.
Deadglyph has counter-detection mechanisms and can monitor system processes and implement randomized network patterns.
The backdoor is capable of uninstalling itself to minimize the likelihood of detection.
Third-party apps connected to SaaS hub apps
Security teams express concerns about the permission scopes granted to third-party apps connected to hub apps like Salesforce, Google Workspace, or Microsoft 365.
SaaS Security Posture Management (SSPM) solutions can identify integrated third-party apps and present their permission scopes for risk assessment.
Malicious apps have emerged that connect to SaaS applications and perform unauthorized activities with the data.
Threat actors often use phishing attacks or typo-ridden websites to connect malicious apps to core SaaS apps with sufficient permissions.
Malicious apps may deliver the functionality they promise while retaining the ability to strike whenever the attacker chooses.
Dangers posed by malicious apps include data encryption and SaaS ransomware attacks.
Security teams should prioritize protecting data stored within SaaS apps and require SaaS threat detection capabilities.
Visibility into third-party apps, their permissions, and contextual information is crucial for detecting malicious apps.
Hub apps’ security settings should be configured to prevent malicious attacks or limit their damage.
An SSPM with interconnectivity app detection capability can detect and prevent malicious apps from taking over hub apps.
SSPM can trigger alerts for high app permission sets or use AI to uncover anomalies indicating malicious apps.
Demos are available to showcase how to gain visibility and secure third-party apps.
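As an added illustration of the alert logic the passage describes (flagging high permission sets on third-party app grants), here is a small Python triage that is not from the article or any SSPM product. The grant records, the choice of which scopes count as tenant-wide write access, and the three risk tiers are constructed assumptions; the scope strings themselves are real Google Workspace, Microsoft 365 and Salesforce scope names.

```python
from dataclasses import dataclass

# Constructed risk mapping (this example's assumption, not any SSPM vendor's): scopes
# that let an app modify tenant data at scale, which is what a SaaS ransomware-style
# app needs. The scope strings are real hub-app scope names.
WRITE_SCOPES = {
    "google_workspace": {"https://www.googleapis.com/auth/drive",
                         "https://www.googleapis.com/auth/gmail.modify"},
    "microsoft_365": {"Files.ReadWrite.All", "Mail.ReadWrite", "Directory.ReadWrite.All"},
    "salesforce": {"full", "api"},
}

@dataclass(frozen=True)
class Grant:
    hub: str            # hub app the third-party app is connected to
    app: str            # app name as listed in the hub's admin console
    scopes: frozenset   # OAuth scopes the grant carries
    offline: bool       # True if a refresh token was issued: the app can act with no user session
    users: int          # number of accounts that authorised the app

def risk_of(grant: Grant) -> str:
    """'high' = tenant-wide write scope AND offline access (the app can alter or encrypt
    data at any time); 'medium' = one of the two; 'low' = read-only and user-bound."""
    writes = bool(grant.scopes & WRITE_SCOPES.get(grant.hub, set()))
    if writes and grant.offline:
        return "high"
    if writes or grant.offline:
        return "medium"
    return "low"

def triage(grants):
    """Return (hub, app, risk, users) for grants a reviewer should look at, worst first;
    ties broken by how many users authorised the app (wider blast radius first)."""
    order = {"high": 0, "medium": 1}
    found = [(g.hub, g.app, risk_of(g), g.users) for g in grants if risk_of(g) != "low"]
    return sorted(found, key=lambda f: (order[f[2]], -f[3]))

# Constructed sample inventory, shaped like what an SSPM would pull from each hub.
SAMPLE_GRANTS = [
    Grant("google_workspace", "Calendar Sync",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"}), False, 140),
    Grant("google_workspace", "Doc Backup Pro",
          frozenset({"https://www.googleapis.com/auth/drive"}), True, 3),
    Grant("microsoft_365", "Mail Triage", frozenset({"Mail.Read"}), True, 55),
    Grant("salesforce", "Lead Importer", frozenset({"api"}), False, 12),
]

if __name__ == "__main__":
    for hub, app, risk, users in triage(SAMPLE_GRANTS):
        print(f"{risk:6} {hub:17} {app:15} authorised by {users} user(s)")
```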
Targeting of Ahmed Altantawy
A leading Egyptian opposition politician, Ahmed Altantawy, was targeted with spyware after announcing his presidential bid.
Security researchers at Citizen Lab and Google’s Threat Analysis Group discovered the attempted hack.
The discovery prompted Apple to release operating system updates to patch the vulnerabilities.
Altantawy’s connection to the Vodafone Egypt mobile network was configured to automatically infect his devices with the Predator spyware if he visited certain websites without using the secure HTTPS protocol.
The spyware exploit chain was sent to Altantawy’s phone via SMS and WhatsApp links from Egyptian soil.
The Predator spyware turns a smartphone into a remote eavesdropping device and allows the attacker to steal data.
Egypt has been identified as a customer of Predator’s maker, Cytrox.
Altantawy’s phone was successfully hacked with Predator in a separate incident in 2021.
Predator infections have been documented in other cases involving exiled Egyptians and customers in countries including Armenia, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
Altantawy announced his bid to challenge President Abdel Fatah el-Sissi, who has been accused of cracking down on political opposition, in 2024.
Altantawy and his supporters have complained of harassment.
Apple offers Lockdown Mode for high-risk users targeted with spyware.
The U.S. has added Cytrox to its blacklist for developing surveillance tools that threaten national security.
The use of Predator in Greece led to the resignation of two top government officials.
This discovery adds to the number of zero-day vulnerabilities in Apple software that have been patched this month.
Article X-ray
Here are all the sources used to create this article:
This section links each of the article’s facts back to its original source.
If you have any suspicions that false information is present in the article, you can use this section to investigate where it came from.
thehackernews.com
- Cybersecurity researchers have discovered a new advanced backdoor called Deadglyph used by a threat actor known as Stealth Falcon.
- Deadglyph’s architecture is unusual as it consists of cooperating components, one a native x64 binary and the other a .NET assembly.
- The use of different programming languages may be a deliberate tactic to hinder analysis.
- Deadglyph receives commands from an actor-controlled server in the form of additional modules that allow it to create new processes, read files, and collect information.
- Stealth Falcon, also known as FruityArmor, was first exposed in 2016 and has been linked to targeted spyware attacks in the Middle East.
- Stealth Falcon is believed to be the same group as Project Raven, a clandestine operation involving former U.S. intelligence operatives spying on targets critical of the Arab monarchy.
- The group has been linked to the zero-day exploitation of Windows flaws and has used more zero-days than any other group from 2016 to 2019.
- Deadglyph is the latest addition to Stealth Falcon’s arsenal and was discovered during an intrusion at a Middle Eastern governmental entity.
- The exact method used to deliver the implant is unknown, but it involves a shellcode loader that extracts and loads shellcode from the Windows Registry.
- Deadglyph engages in evasive maneuvers and can uninstall itself to avoid detection.
- The commands received from the server fall into three categories: Orchestrator tasks, Executor tasks, and Upload tasks.
- Executor tasks allow the management of the backdoor and execution of additional modules.
- Orchestrator tasks manage the configuration of the Network and Timer modules and can cancel pending tasks.
- Deadglyph has counter-detection mechanisms and can monitor system processes and implement randomized network patterns.
- The backdoor is capable of uninstalling itself to minimize the likelihood of detection.
thehackernews.com
- Security teams are concerned about the permission scopes granted to third-party apps connected to hub apps like Salesforce, Google Workspace, or Microsoft 365.
- SaaS Security Posture Management (SSPM) solutions can identify integrated third-party apps and present their permission scopes for risk assessment.
- Malicious apps have emerged that connect to SaaS applications and perform unauthorized activities with the data.
- Threat actors use phishing attacks or typo-ridden websites to connect malicious apps to core SaaS apps with sufficient permissions.
- Malicious apps can be published on app stores, delivering functionality while hiding malicious acts.
- Malicious apps may perform promised functionality but can strike as needed.
- Dangers posed by malicious apps include data encryption and SaaS ransomware attacks.
- Security teams should prioritize protecting data stored within SaaS apps and require SaaS threat detection capabilities.
- Visibility into third-party apps, their permissions, and contextual information is crucial for detecting malicious apps.
- Hub apps’ security settings should be configured to prevent malicious attacks or limit their damage.
- An SSPM with interconnectivity app detection capability can detect and prevent malicious apps from taking over hub apps.
- SSPM can trigger alerts for high app permission sets or use AI to uncover anomalies indicating malicious apps.
- Demos are available to showcase how to gain visibility and secure third-party apps.
securityweek.com
- A leading Egyptian opposition politician, Ahmed Altantawy, was targeted with spyware after announcing a presidential bid.
- Security researchers at Citizen Lab and Google’s Threat Analysis Group discovered the attempted hack.
- The discovery prompted Apple to release operating system updates to patch the vulnerabilities.
- Altantawy’s connection to the Vodafone Egypt mobile network was configured to automatically infect his devices with the Predator spyware if he visited certain websites without using the secure HTTPS protocol.
- The spyware exploit chain was sent to Altantawy’s phone via SMS and WhatsApp links from Egyptian soil.
- The Predator spyware turns a smartphone into a remote eavesdropping device and allows the attacker to steal data.
- Egypt has been identified as a customer of Predator’s maker, Cytrox.
- Altantawy’s phone was successfully hacked with Predator in a separate incident in 2021.
- Predator infections have been documented in other cases involving exiled Egyptians and customers in countries including Armenia, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.
- Altantawy announced his bid to challenge President Abdel Fatah el-Sissi, who has been accused of cracking down on political opposition, in 2024.
- Altantawy and his supporters have complained of harassment.
- Apple offers Lockdown Mode for high-risk users targeted with spyware.
- The U.S. has added Cytrox to its blacklist for developing surveillance tools that threaten national security.
- The use of Predator in Greece led to the resignation of two top government officials.
- This discovery adds to the number of zero-day vulnerabilities in Apple software that have been patched this month.