September 29, 2023
Severity
High
Analysis Summary
A previously undiscovered advanced backdoor, called Deadglyph, has come to light. It was seen being used by the threat actor Stealth Falcon (aka Project Raven or FruityArmor) in a cyber espionage campaign against a government organization in the Middle East.
The modular malware mainly targets Windows devices, and researchers have shared their analysis of it. They describe the architecture of Deadglyph as unusual because it consists of cooperating components, one a native x64 binary and the other a .NET assembly. This combination is unusual because malware components are normally written in a single programming language.
This suggests that the components were developed separately to take advantage of the distinct features of each language. Researchers suspect that the use of different programming languages may also be a tactic to make analysis more difficult.
The means of initial infection is unknown currently, but it is suspected to be through a malicious executable, like a program installer. Out of the two components used, only the initial one remains as a DLL file on the compromised system’s disk.
Unlike traditional backdoors, Deadglyph receives its commands from an actor-operated server in the form of additional modules, which then create new processes, collect information and read files from the victim systems. If the backdoor cannot establish a connection with the C2 server, it automatically removes itself from the system in order to evade detection by cybersecurity researchers.
“Executor tasks offer the ability to manage the backdoor and execute additional modules,” said the researchers. “Orchestrator tasks offer the ability to manage the configuration of the Network and Timer modules, and also to cancel pending tasks.”
The threat actor group behind Deadglyph has been linked to zero-day exploitation of various Windows vulnerabilities, most notably CVE-2018-8611 and CVE-2019-0797. Researchers have noted that this group exploited more zero-days than any other group from 2016 to 2019.
In more detail, Deadglyph, the latest addition to the Stealth Falcon cyber-arsenal, was discovered by a cybersecurity firm during an investigation into an intrusion at an undisclosed Middle Eastern governmental entity. While the exact delivery method remains unknown, Deadglyph's execution is triggered by a shellcode loader that extracts and loads shellcode from the Windows Registry, subsequently launching its native x64 module, the Executor. The malware employs a .NET component called the Orchestrator to communicate with a command-and-control (C2) server while using evasion tactics, including self-uninstallation. Commands from the C2 server fall into three categories: Orchestrator tasks, Executor tasks, and Upload tasks, which together enable various functions and data transfer. A control panel (CPL) file related to Deadglyph was identified in Qatar, potentially linked to a shellcode downloader resembling Deadglyph. The malware is named after artifacts found within it, and it employs counter-detection mechanisms, such as system process monitoring and randomized network patterns, along with self-uninstallation to reduce the risk of detection.
“Deadglyph boasts a range of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns. Furthermore, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases”, the company concludes.
Impact
- Unauthorized Access
- Espionage
- Data Theft
Indicators of Compromise
IP
- 45.14.227.55
MD5
- 64f47ce2f7528b48c6cc9cddc1f48fa3
SHA-256
- 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15
SHA-1
- 7f728d490ed6ea64a7644049914a7f2a0e563969
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- Use network monitoring and intrusion detection systems to identify compromised systems.
- Isolate infected systems from the network to prevent further communication with the command-and-control server.
- Activate an incident response plan to coordinate actions and responsibilities among relevant teams within the organization.
- Ensure that all systems, applications, and software are up-to-date with the latest security patches and updates.
- Implement robust network security measures, including firewalls, intrusion detection and prevention systems, and network segmentation to limit lateral movement.
- Review and harden system configurations to minimize attack surfaces and reduce the likelihood of successful exploitation.
- Implement MFA for critical systems and accounts to add an extra layer of security, making it harder for attackers to gain unauthorized access.
- Maintain regular backups of critical data and systems. Ensure backups are stored securely and can be quickly restored in case of data loss.
- Conduct a thorough analysis of the incident to understand how the backdoor was deployed and whether any data was exfiltrated.
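The IOC search and network-monitoring steps above, as an added example that is not Rewterz's own tooling: a small Python hunt script that hashes every file under a directory against the MD5, SHA-1 and SHA-256 values listed in this advisory and scans connection-log lines for the listed C2 IP. The hash and IP values are the ones on this page; the sample firewall-style log lines, the `demo()` helper and the file contents it writes are constructed so the script can be run offline, and the log layout is only loosely modelled on the Windows Firewall log, not a parser for it.

```python
"""Hunt for the Deadglyph indicators listed in this advisory (added example, not vendor code)."""
import hashlib
import os
import re
import sys
import tempfile

# Indicators quoted in the advisory above.
IOC_HASHES = {
    "md5": {"64f47ce2f7528b48c6cc9cddc1f48fa3"},
    "sha1": {"7f728d490ed6ea64a7644049914a7f2a0e563969"},
    "sha256": {"5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15"},
}
IOC_IPS = {"45.14.227.55"}


def hash_file(path, algos=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Return {algo: hexdigest} for one file, streamed in chunks so large files need not fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def scan_files(root, ioc_hashes=IOC_HASHES):
    """Walk `root` and return [(path, algo, digest)] for every file whose hash is in the IoC set."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, algos=tuple(ioc_hashes))
            except OSError:
                continue  # unreadable (permissions, locked, vanished): skip it, do not abort the hunt
            for algo, digest in digests.items():
                if digest in ioc_hashes.get(algo, ()):
                    hits.append((path, algo, digest))
    return hits


# Loose dotted-quad matcher; good enough to pull IPv4 addresses out of free-form log lines.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines, ioc_ips=IOC_IPS):
    """Return [(line_no, ip, line)] for every log line mentioning an IP from the IoC set."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in _IPV4.findall(line):
            if ip in ioc_ips:
                hits.append((lineno, ip, line.rstrip()))
    return hits


# Constructed sample lines (loosely Windows Firewall log layout); 192.0.2.10 is a documentation address.
SAMPLE_FIREWALL_LOG = [
    "2023-09-25 10:14:03 ALLOW TCP 10.0.0.23 45.14.227.55 51234 443 - - - - - - - SEND",
    "2023-09-25 10:14:09 ALLOW TCP 10.0.0.23 192.0.2.10 51235 443 - - - - - - - SEND",
]


def demo():
    """Exercise both scans on constructed data; returns (real_ioc_hits, planted_hits, log_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample, not malware\n")
        real_hits = scan_files(tmp)  # benign content must not match the advisory's real hashes
        # Pretend this file's own SHA-256 is an IoC to show a positive match end to end.
        planted = {"sha256": {hash_file(sample)["sha256"]}}
        planted_hits = [(algo, digest) for _path, algo, digest in scan_files(tmp, planted)]
    return real_hits, planted_hits, scan_log_lines(SAMPLE_FIREWALL_LOG)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python hunt_deadglyph.py <directory> <connection-log>
        for hit in scan_files(sys.argv[1]):
            print("FILE HIT", *hit)
        with open(sys.argv[2], errors="replace") as fh:
            for hit in scan_log_lines(fh):
                print("LOG HIT", *hit)
    else:
        real, planted, logs = demo()
        print("real IoC hits on benign file:", real)
        print("planted hit:", planted)
        print("log hits:", logs)
```

Run it with a directory and a log file to hunt for real, or with no arguments to see the constructed demo. A hash match is strong evidence but a miss is not a clean bill of health: the advisory notes the initial DLL is the only component left on disk and that the backdoor uninstalls itself when it cannot reach the C2, so the network hit on the C2 address may be the only trace that survives.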