25 September 2023

Stealth Falcon cyber spies use unusual backdoor in attacks on government entities in the Middle East

Researchers at ESET have shared technical details on a sophisticated, previously undocumented backdoor called ‘Deadglyph’ used in a cyberespionage attack against a government entity in the Middle East.

ESET has attributed the attack to Stealth Falcon (aka Project Raven or FruityArmor), a threat actor linked to the United Arab Emirates known to target political activists, journalists, and dissidents in the Middle East. In 2019, ESET observed the group using the Win32/StealthFalcon backdoor, which leverages the standard Windows component BITS.

The most recent campaign by the threat actor involves modular malware consisting of two cooperating components – one a native x64 binary, the other a .NET assembly.

“This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize. Different languages can also be harnessed to hinder analysis, because mixed code is more difficult to navigate and debug,” ESET said.

Unlike other backdoors, Deadglyph doesn’t implement traditional backdoor commands; instead, the commands are received dynamically from the command and control (C&C) server in the form of additional modules.

The researchers said they were able to obtain three of the modules – a process creator, a file reader, and an info collector.

The loading chain for Deadglyph starts with a DLL that extracts code from the Windows registry. That code loads the Executor component, which in turn loads the .NET part of the backdoor, the Orchestrator. The Orchestrator establishes communication with the C&C servers and downloads the commands. Unlike the preceding components, the Orchestrator is obfuscated using .NET Reactor.
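A loader that keeps its next stage in the registry leaves a detectable footprint: a REG_BINARY value that is unusually large, has the entropy profile of encrypted or packed data, or carries a PE header. The script below is an added example, not ESET's tooling and not a Deadglyph indicator; it parses a Windows `.reg` export (with regedit's backslash line continuations), measures each binary value, and reports the ones that trip a check. The size and entropy thresholds, the key path and the sample export are assumptions constructed for illustration.

```python
"""Flag registry values that look like stored executable payloads (added example)."""
import math
import random
import re

MIN_SUSPICIOUS_SIZE = 2048   # bytes; assumed threshold for a value worth a second look
ENTROPY_THRESHOLD = 7.0      # bits per byte; assumed (encrypted/packed data sits near 7.9)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_reg_export(text: str) -> dict:
    """Return {(key_path, value_name): bytes} for every 'hex:' value in a .reg export."""
    # regedit wraps long values: a line ending in ',\' continues on the next line.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    results = {}
    current_key = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=hex:([0-9a-fA-F,]*)$', line)
        if m and current_key:
            hex_bytes = m.group(2).strip(",")
            data = bytes.fromhex(hex_bytes.replace(",", "")) if hex_bytes else b""
            results[(current_key, m.group(1))] = data
    return results


def assess_value(data: bytes) -> list:
    """Return the reasons (possibly none) a binary value looks like a stored payload."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("PE header")
    if len(data) >= MIN_SUSPICIOUS_SIZE:
        reasons.append(f"large ({len(data)} bytes)")
    # Entropy is only meaningful on a reasonably sized sample.
    if len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({shannon_entropy(data):.2f})")
    return reasons


def find_suspicious_values(text: str) -> dict:
    """Map (key_path, value_name) -> reasons for every value that trips at least one check."""
    return {k: r for k, v in parse_reg_export(text).items() if (r := assess_value(v))}


def format_hex_value(name: str, data: bytes) -> str:
    """Render a value the way regedit exports it (used here only to build the sample)."""
    lines, cur = [], f'"{name}"=hex:'
    for b in data:
        if len(cur) + 3 > 78:
            lines.append(cur + "\\")
            cur = "  "
        cur += f"{b:02x},"
    lines.append(cur.rstrip(","))
    return "\n".join(lines)


# Constructed sample export: a small config value, a blob with a PE header, and a
# large blob of seeded pseudo-random bytes standing in for an encrypted stage.
_rng = random.Random(2023)
SAMPLE_EXPORT = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]",   # assumed key path
    format_hex_value("Version", b"\x01\x00\x00\x00"),
    format_hex_value("Cache", b"MZ\x90\x00" + b"\x00" * 60),
    format_hex_value("Blob", bytes(_rng.getrandbits(8) for _ in range(4096))),
    "",
])

if __name__ == "__main__":
    for (key, name), reasons in find_suspicious_values(SAMPLE_EXPORT).items():
        print(f"{key}\\{name}: {', '.join(reasons)}")
```

Run it against a real export (`reg export HKLM\SOFTWARE out.reg` on the host being reviewed) and treat hits as leads for triage rather than verdicts: legitimate software also caches compressed or signed blobs in the registry, so the value's owner key and the process that writes it decide whether it matters.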

“Executor tasks offer the ability to manage the backdoor and execute additional modules. It’s notable that the traditional backdoor functionality is not inherently present within the binary itself,” ESET noted. “Instead, these functions are obtained from the C&C server in the form of PE files or shellcode. The full extent of the backdoor’s potential remains unknown without these additional modules, which effectively unlock its true capabilities.”

Deadglyph comes with a range of counter-detection mechanisms, including continuous monitoring of system processes and randomized network patterns. The malware can also uninstall itself to reduce the risk of detection, ESET said.
