ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group

guest · Sep 9, 2019

ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group
September 9, 2019
https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/

Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. It has been tracked by the Citizen Lab, a non-profit organization focusing on security and human rights, which published an analysis of a particular cyberattack in 2016. In January of 2019, Reuters published an investigative report into Project Raven, an initiative allegedly employing former NSA operatives and aiming at the same types of targets as Stealth Falcon.

Based on these two reports referring to the same targets and attacks, Amnesty International’s Senior Technologist, Claudio Guarnieri, has concluded that Stealth Falcon and Project Raven actually are the same group.

Now, we have found a previously unreported binary backdoor we have named Win32/StealthFalcon. In this article, we disclose similarities between this binary backdoor and the PowerShell script with backdoor capabilities attributed to the Stealth Falcon group. We consider the similarities to be strong evidence that Win32/StealthFalcon was created by this group.
Click to expand...

C&C communication
In its communication with the C&C server, Win32/StealthFalcon uses the standard Windows component Background Intelligent Transfer Service (BITS), a rather unusual technique. BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth, which it achieves by sending the data with throttled throughput so as not to affect the bandwidth needs of other applications

Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy.
Click to expand...

Rasheed187 · Sep 14, 2019

OK cool, but if you disable the BITS service, I suppose this method doesn't work. Of course, the status of services should also be monitored, because otherwise malware can simply enable/disable certain services.

itman · Sep 15, 2019

Rasheed187 said: ↑

OK cool, but if you disable the BITS service, I suppose this method doesn't work.
Click to expand...

If you disable BITS on Win 10, you're going to bork a lot of stuff. Win Updates and other Microsoft processes use it to speed up downloads. Also some app software like AV software also use it for their downloads.

Rasheed187 · Sep 21, 2019

itman said: ↑

If you disable BITS on Win 10, you're going to bork a lot of stuff. Win Updates and other Microsoft processes use it to speed up downloads. Also some app software like AV software also use it for their downloads.
Click to expand...

Yes correct, but I don't often update Windows and avoid using AV's. But most people should indeed not disable this service.

Log in or Sign up

ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group

guest Guest

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

Log in or Sign up

ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group

guest Guest

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

Useful Searches