Undocumented backdoor used by Stealth Falcon group

StealthFalcon is a backdoor created in 2015 by the Stealth Falcon advanced persistent threat group for use in its own campaigns. Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East.

The backdoor was discovered by ESET researchers, who named it Win32/StealthFalcon.

Once installed, StealthFalcon initiates a connection with a command and control (C2) server using the standard Windows component Background Intelligent Transfer Service (BITS) before attempting to exfiltrate files. If StealthFalcon fails to connect to either of its two C2 servers, it removes itself. Stealth Falcon is also able to install other payloads, including cryptocurrency miners and ransomware tools.

ESET’s research did not look at how StealthFalcon is deployed, nor did it identify which nation or group it is specifically affiliated with.

Indicators of Compromise

Win32/StealthFalcon

SHA-1

31B54AEBDAF5FBC73A66AC41CCB35943CC9B7F72
50973A3FC57D70C7911F7A952356188B9939E56B
244EB62B9AC30934098CA4204447440D6FC4E259
5C8F83CC4FF57E7C67925DF4D9DAABE5D0CC07E2

RC4 keys

258A4A9D139823F55D7B9DA1825D101107FBF88634A870DE9800580DAD556BA3
2519DB0FFEC604D6C9A655CF56B98EDCE10405DE36810BC3DCF125CDE30BA5A2
3EDB6EA77CD0987668B360365D5F39FDCF6B366D0DEAC9ECE5ADC6FFD20227F6
8DFFDE77A39F3AF46D0CE0B84A189DB25A2A0FEFD71A0CD0054D8E0D60AB08DE

C&C servers

footballtimes[.]info
vegetableportfolio[.]com
windowsearchcache[.]com
electricalweb[.]org
upnpdiscover[.]org
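Because the backdoor talks to its C2 servers through BITS, a natural defensive check is to compare the URLs recorded in BITS transfer-job events, and the SHA-1 of suspicious files, against the indicators above. The script below is an added example written for this post; it is not ESET's code or the post author's. The event lines it scans are constructed to resemble Microsoft-Windows-Bits-Client job-start messages (the exact message text is an assumption), and the domains are refanged from the defanged form used in the list.

```python
"""Match BITS transfer-job events and file hashes against the Win32/StealthFalcon
indicators published in the post. Added example, not the post's or ESET's code."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# SHA-1 hashes of the samples, copied from the post.
STEALTHFALCON_SHA1 = {
    "31B54AEBDAF5FBC73A66AC41CCB35943CC9B7F72",
    "50973A3FC57D70C7911F7A952356188B9939E56B",
    "244EB62B9AC30934098CA4204447440D6FC4E259",
    "5C8F83CC4FF57E7C67925DF4D9DAABE5D0CC07E2",
}

# C&C domains, kept defanged exactly as published.
STEALTHFALCON_C2_DEFANGED = [
    "footballtimes[.]info",
    "vegetableportfolio[.]com",
    "windowsearchcache[.]com",
    "electricalweb[.]org",
    "upnpdiscover[.]org",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in STEALTHFALCON_C2_DEFANGED}


def host_matches_c2(host: str) -> Optional[str]:
    """Return the listed C2 domain that `host` equals or is a subdomain of, else None.
    Suffix matching is anchored on a dot so 'notfootballtimes.info' does not match."""
    host = host.lower().rstrip(".")
    for dom in C2_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def extract_urls(text: str) -> List[str]:
    """Pull http(s) URLs out of free-form event text."""
    return re.findall(r"https?://[^\s\"'<>]+", text)


def scan_bits_events(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, url_host, matched_c2_domain) for every event line whose
    transfer URL points at one of the listed C2 servers."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in extract_urls(line):
            host = urlparse(url).hostname or ""
            dom = host_matches_c2(host)
            if dom:
                hits.append((n, host, dom))
    return hits


def is_known_sample(sha1_hex: str) -> bool:
    """Case-insensitive lookup of a file's SHA-1 against the published sample hashes."""
    return sha1_hex.strip().upper() in STEALTHFALCON_SHA1


# Constructed sample events (assumed message format, modelled on BITS-Client job-start
# entries). Line 1 is benign; lines 2 and 3 use domains from the C&C list.
SAMPLE_BITS_EVENTS = [
    "BITS started the Microsoft Update transfer job that is associated with the "
    "http://download.windowsupdate.com/msdownload/update/x.cab URL.",
    "BITS started the WindowsSearchCache transfer job that is associated with the "
    "http://windowsearchcache.com/api/get URL.",
    "BITS started the upnp transfer job that is associated with the "
    "https://cdn.upnpdiscover.org/c/1 URL.",
]

if __name__ == "__main__":
    for line_no, host, dom in scan_bits_events(SAMPLE_BITS_EVENTS):
        print(f"line {line_no}: BITS job to {host} matches listed C2 {dom}")
    print("known sample:", is_known_sample("31b54aebdaf5fbc73a66ac41ccb35943cc9b7f72"))
```

On a live host the same `scan_bits_events` function can be fed the message text of Microsoft-Windows-Bits-Client events exported from the event log; the suffix match deliberately catches subdomains of a listed C2 while refusing lookalike names that merely end in the same characters.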

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
