Cybersecurity researchers have discovered a new piece of malware associated with the Stealth Falcon state-sponsored cyber espionage group that abuses a built-in component of the Microsoft Windows operating system to stealthily send stolen data to the attackers' control server. Stealth Falcon is a sophisticated hacking group based in the United Arab Emirates (UAE). The group is known for targeting journalists, activists, lawyers and dissidents in the Middle East. Dubbed Win32/Stealth Falcon after the hacking group, the malware communicates with and sends collected data to its remote command-and-control (C&C) servers using the Windows Background Intelligent Transfer Service (BITS).
BITS, the Background Intelligent Transfer Service, is used for downloading files from servers and is commonly used by software updaters. It is also used for downloading and installing files on Windows 10, and by messengers and other applications. According to ESET security researchers, because host-based firewalls tend to allow BITS tasks, the service lets malware operate in the background and transfer data without raising any warning. The malware first encrypts the data and then uploads a copy of the encrypted data to the command-and-control server via BITS.
Once the data has been exfiltrated, the malware removes the collected credentials and confidential information and overwrites the associated fields with random values, so as to remove any traces that a forensic analyst could follow. As explained in the report, the Win32/Stealth Falcon backdoor has not only been designed to steal data from compromised systems but can also be used by the attackers to deploy further updates, exchanging communication back and forth with the command-and-control server. The new malware shares command-and-control server and code details with a PowerShell-based backdoor attributed to the Stealth Falcon group and documented by Citizen Lab in 2016.
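The detection angle this implies is worth making concrete: an updater normally downloads from a small set of known hosts, so a BITS job that uploads, or that talks to a host outside that set, deserves a look. The following is an added example, not code from the report or from ESET, that triages constructed BITS job records; the record format, the allowlist and the sample lines are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimate updaters in this (hypothetical) estate are expected to use.
ALLOWED_HOSTS = {"download.windowsupdate.com", "dl.delivery.mp.microsoft.com"}

# Constructed sample records (not real telemetry); the key=value layout is an assumption,
# loosely modelled on the fields a BITS "job started" log entry carries.
SAMPLE_LOG = """\
2019-09-10T10:00:01Z EventID=59 Job="Windows Update" Type=Download URL=https://download.windowsupdate.com/c/msdownload/update.cab User=SYSTEM
2019-09-10T10:05:12Z EventID=59 Job="Store Delivery" Type=Download URL=https://dl.delivery.mp.microsoft.com/filestreamingservice/files/app.appx User=SYSTEM
2019-09-10T10:07:44Z EventID=59 Job="Windows Update" Type=Upload URL=https://cdn.example.invalid/api/upload User=alice
2019-09-10T10:09:03Z EventID=59 Job="Windows Update" Type=Download URL=https://cdn.example.invalid/update.bin User=alice
"""

RECORD_RE = re.compile(
    r'^(?P<ts>\S+)\s+EventID=(?P<event>\d+)\s+Job="(?P<job>[^"]*)"\s+'
    r'Type=(?P<type>\S+)\s+URL=(?P<url>\S+)\s+User=(?P<user>\S+)$'
)

def parse_bits_events(text):
    """Parse the constructed record format into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def triage_bits_events(events, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per job that is an upload or targets a host off the allowlist."""
    findings = []
    for ev in events:
        host = urlparse(ev["url"]).hostname or ""
        reasons = []
        # Updaters download; a BITS upload job is the pattern described in the report.
        if ev["type"].lower().startswith("upload"):
            reasons.append("upload job")
        # A familiar-looking job name does not help if the destination is unknown.
        if host not in allowed_hosts:
            reasons.append(f"host {host} not on allowlist")
        if reasons:
            findings.append({"ts": ev["ts"], "job": ev["job"], "user": ev["user"],
                             "host": host, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_bits_events(parse_bits_events(SAMPLE_LOG)):
        print(f["ts"], f["job"], f["user"], f["host"], "; ".join(f["reasons"]))
```

Run against the constructed sample, only the two jobs bound for cdn.example.invalid are flagged, the upload one for two reasons.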
Source: The Hacker News
Disclaimer: Darkweblink.com does not promote or endorse claims made by any parties in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase and/or sale of any products or services, or to serve as a recommendation to become involved in doing so. Neither Darkweblink.com nor any of its members is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in connection with reliance on or use of any content, goods or services mentioned in this article.