The cyberespionage group Stealth Falcon is using a previously unreported binary backdoor along with Windows BITS (Background Intelligent Transfer Service) to communicate with its command-and-control (C2) server.
The finding comes from ESET researchers, who named the backdoor Win32/StealthFalcon. The security firm believes it shares many similarities with a PowerShell-based backdoor that has previously been attributed to the Stealth Falcon group.
So far the malware, which was likely first created in 2015, has been used against targets in the UAE, Saudi Arabia, Thailand, and the Netherlands. The Netherlands incident involved the diplomatic mission of a Middle Eastern nation in that country. This modus operandi matches earlier Stealth Falcon operations aimed at Middle Eastern targets, ESET wrote.
ESET called the use of Windows BITS “unusual” but noted that because BITS normally handles trusted traffic for components such as updaters and messengers, it is likely to be allowed through most firewalls, and its routine operation makes the backdoor's traffic appear less threatening.
“Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect. Moreover, this design is reliable and stealthy. The transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system reboot. Moreover, because BITS can adjust the rate at which files are transferred based on the bandwidth available, the user has no reason for suspicion,” ESET wrote.
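The flip side of the stealth ESET describes is that every BITS job leaves a record in the Microsoft-Windows-Bits-Client/Operational log, and a job that talks to a host no legitimate updater would use stands out once you baseline the fleet. The script below is an added illustration (it is not ESET's code and not taken from the malware) that triages job-start records for remote hosts outside an allowlist of expected updater domains, for raw IP addresses, and for jobs owned by non-SYSTEM accounts. The record layout (EventID, User, JobName, Url), the allowlist, and the sample events are all constructed assumptions for this example.

```python
"""Triage BITS transfer-job events for remote hosts that do not look like
legitimate update or messaging infrastructure.

Added illustration, not ESET's or the malware's code. Assumes a simplified
record layout (EventID, User, JobName, Url) modelled on job-start events
from Microsoft-Windows-Bits-Client/Operational; the allowlist and the
sample records are constructed for the example.
"""
import ipaddress
from urllib.parse import urlparse

# Hypothetical allowlist of domain suffixes that BITS jobs on a fleet are
# expected to reach. Build the real one from a baseline of job history.
EXPECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")

# Constructed sample events (not real telemetry). Two look like ordinary
# updater traffic; two resemble the pattern described for StealthFalcon:
# a job to an unfamiliar host and a job to a bare IP address. The last
# record is a job-stop event and is skipped.
SAMPLE_EVENTS = [
    {"EventID": 59, "User": "NT AUTHORITY\\SYSTEM", "JobName": "WU Client Download",
     "Url": "https://dl.delivery.mp.microsoft.com/filestreamingservice/files/1234"},
    {"EventID": 59, "User": "NT AUTHORITY\\SYSTEM", "JobName": "Windows Update",
     "Url": "http://download.windowsupdate.com/d/msdownload/update/x.cab"},
    {"EventID": 59, "User": "CORP\\jdoe", "JobName": "Update",
     "Url": "https://cdn-example-invalid.test/update/check?id=8f2c"},
    {"EventID": 59, "User": "CORP\\jdoe", "JobName": "sys",
     "Url": "http://203.0.113.10/u/beacon"},
    {"EventID": 60, "User": "CORP\\jdoe", "JobName": "sys",
     "Url": "http://203.0.113.10/u/beacon"},
]


def _host_is_expected(host, suffixes):
    """True if host equals or is a subdomain of an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _host_is_ip(host):
    """True if the host component is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_bits_events(events, expected_suffixes=EXPECTED_SUFFIXES):
    """Return one finding per suspicious job-start event (EventID 59).

    A finding is raised only on a primary signal (unexpected host, raw IP,
    or unparseable URL); cleartext HTTP and a non-SYSTEM owner are added
    as secondary reasons because legitimate update jobs show both.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 59:
            continue  # only job-start records introduce a new remote URL
        parsed = urlparse(ev["Url"])
        host = (parsed.hostname or "").lower()
        reasons = []
        if not host:
            reasons.append("unparseable URL")
        elif _host_is_ip(host):
            reasons.append("remote host is a raw IP address")
        elif not _host_is_expected(host, expected_suffixes):
            reasons.append("remote host outside expected updater domains")
        if not reasons:
            continue
        if parsed.scheme == "http":
            reasons.append("cleartext HTTP")
        if not ev["User"].upper().endswith("\\SYSTEM"):
            reasons.append("job owned by non-SYSTEM account")
        findings.append({"JobName": ev["JobName"], "User": ev["User"],
                         "Host": host, "Url": ev["Url"], "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_bits_events(SAMPLE_EVENTS):
        print(f"[{f['User']}] job '{f['JobName']}' -> {f['Url']}")
        for r in f["Reasons"]:
            print(f"    - {r}")
```

On a live host the same fields can be pulled from the event log with `Get-WinEvent -LogName Microsoft-Windows-Bits-Client/Operational`, and jobs that are still queued or running are visible with `Get-BitsTransfer -AllUsers` (or `bitsadmin /list /allusers`); the allowlist has to be tuned per environment, since third-party updaters and messaging clients add their own hosts.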
StealthFalcon also has a redundancy feature that lets it communicate with two separate C2 servers; if it is still unable to make contact after several failed attempts, the malware uninstalls itself.
Other supported commands include uninstalling itself, updating its configuration data, executing a specified application, writing downloaded data to a file, preparing a file for exfiltration, and exfiltrating and deleting files.
ESET's research did not examine how StealthFalcon is deployed, nor did it attribute the Stealth Falcon group to a specific nation or organization.