Security researchers from
Stealth Falcon is a nation-state actor active since at least 2012, the group targeted political activists and journalists in the Middle East in past campaigns. In 2016, researchers from non-profit organization CitizenLab published a report that describes a campaign of targeted spyware attacks carried by the Stealth Falcon. The attacks have been conducted from 2012 until 2106, against Emirati journalists, activists, and dissidents.
In January of 2019, Reuters published a report into Project Raven, a campaign allegedly conducted by former NSA operatives and aiming at the same types of targets as Stealth Falcon.
Based on the two analysis, Amnesty International’s Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the threat actor.
The Windows Background Intelligent Transfer Service (BITS) service is a built-in component of the Microsoft Windows operating system. The BITS service is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares.
The malware analyzed by ESET, dubbed Win32/StealthFalcon, collect data and send to its C&C servers using the BITS service.
“The Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. We have seen a small number of targets in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country.” reads the analysis published by ESET.
The abuse of the BITS mechanism is hard to be detected, its tasks are more likely permitted by host-based firewalls. The transfer resumes automatically after
“Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy.” continues the report. “The transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system
The malicious code doesn’t
The malware regularly checks for this kind of files and upload them automatically to the C&C via BITS. Once the data has been
The Win32/StealthFalcon backdoor only supports basic commands and could be also used to deploy malicious tools and update its configuration.
The experts attribute the StealthFalcon backdoor to
“Similarities in the code and infrastructure with a previously known malware by Stealth Falcon drive us to the conclusion that the Win32/StealthFalcon backdoor is also the work of this threat group.” concludes the report.
(SecurityAffairs – StealthFalcon backdoor, Stealth Falcon)