Malware campaign by the Stealth Falcon group discovered
ESET researchers, building on earlier research by Citizen Lab and Amnesty International, have discovered a spyware distribution campaign.
The campaign has been attributed to the Stealth Falcon group. The investigation also pointed to possible links with Project Raven, to the extent that the two may be the same group.
The campaign's modus operandi was a malicious attachment delivered by email. Once run on the target machine, it installed the malware and set up a PowerShell-based backdoor that communicates with the Command and Control (C&C) server.
The peculiarity of this malware lies in its use of the Windows Background Intelligent Transfer Service (BITS) to talk to the C&C server. BITS is the mechanism Windows Update and other background updaters use to move files: it adjusts the transfer rate to the available bandwidth and resumes interrupted transfers. Because BITS traffic is expected on almost every Windows host and is normally allowed through host firewalls, command-and-control carried over it blends in with legitimate background activity, which makes it harder to spot than a custom network channel.
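Because the article's security-relevant point is that BITS gives an attacker a pre-approved, hard-to-notice channel, the natural check on a host is to enumerate BITS jobs and the BITS client's own event log and look for transfers to destinations you do not recognise. The script below is an added triage example written for this page; it is not code from the ESET report or from the article's sources. The trusted-host allow-list is an assumption to be adapted per environment, and the `url`/`name` event-data field names of BITS events 59 and 60 are taken from the Microsoft-Windows-Bits-Client/Operational log format, with a regex fallback in case they differ on a given build.

```powershell
# Added example: triage of BITS jobs and BITS transfer events on a Windows host.
# Run from an elevated PowerShell prompt: -AllUsers and the operational log need admin rights.
# The allow-list below is an assumption for this example; adapt it to your estate.
param(
    [string[]] $TrustedHosts  = @('windowsupdate.com', 'microsoft.com', 'windows.com'),
    [int]      $LookbackHours = 24
)

Import-Module BitsTransfer

function Test-TrustedUrl {
    param([string] $Url)
    if ([string]::IsNullOrEmpty($Url)) { return $false }
    try { $h = ([System.Uri] $Url).Host } catch { return $false }
    foreach ($t in $TrustedHosts) {
        if ($h -eq $t -or $h.EndsWith(".$t")) { return $true }
    }
    return $false
}

Write-Host "== Current BITS jobs (all users) =="
Get-BitsTransfer -AllUsers | ForEach-Object {
    $job       = $_
    $remote    = @($job.FileList | Select-Object -ExpandProperty RemoteName)
    $untrusted = @($remote | Where-Object { -not (Test-TrustedUrl $_) })
    [pscustomobject]@{
        JobId       = $job.JobId
        DisplayName = $job.DisplayName
        Owner       = $job.OwnerAccount
        State       = $job.JobState
        Type        = $job.TransferType        # Download / Upload / UploadReply
        Created     = $job.CreationTime
        # NotifyCmdLine is a program BITS launches when the job finishes; legitimate
        # updaters rarely set it, so any value here deserves a look.
        NotifyCmd   = $job.NotifyCmdLine
        Remote      = ($remote -join ', ')
        Suspicious  = ($untrusted.Count -gt 0) -or -not [string]::IsNullOrEmpty($job.NotifyCmdLine)
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize

Write-Host "== BITS transfers to untrusted hosts in the last $LookbackHours h =="
# Event 59 = transfer started, 60 = transfer stopped; both carry the job name and remote URL.
# Jobs that already completed no longer appear in Get-BitsTransfer but are still visible here.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 59, 60
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml] $_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Field names 'url' and 'name' are assumed from the BITS client log schema;
    # fall back to pulling the first URL out of the rendered message if they are absent.
    $url = $data['url']
    if (-not $url -and $_.Message -match 'https?://\S+') { $url = $Matches[0].TrimEnd('.', ',') }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        Job        = $data['name']
        Url        = $url
        Suspicious = -not (Test-TrustedUrl $url)
    }
} | Where-Object Suspicious | Format-Table -AutoSize
```

Anything flagged by either table is a lead, not a verdict: confirm the destination, the owning account and the process that created the job (the job's CreationTime against process-creation telemetry) before acting. Note that a job list taken after the fact can be empty, which is why the event-log pass matters; if the operational log is disabled on your build, enable it through wevtutil or Group Policy before relying on this check.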
- 09/09/2019 welivesecurity.com: ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group
- 09/09/2019 threatpost.com: Stealth Falcon Targets Middle East with Windows BITS Feature
- 10/09/2019 unaaldia.hispasec.com: Malware uses the Windows BITS service to steal data (in Spanish)