{"id":3741,"date":"2019-09-24T11:11:23","date_gmt":"2019-09-24T08:11:23","guid":{"rendered":"https:\/\/blog.eset.ee\/?p=3741"},"modified":"2019-09-24T10:25:43","modified_gmt":"2019-09-24T07:25:43","slug":"eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/","title":{"rendered":"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group"},"content":{"rendered":"\n<p>Stealth Falcon is a threat group, active since 2012,\nthat targets political activists and journalists in the Middle East. Some\nanalysts link it to Project Raven, an initiative allegedly employing former NSA\noperatives. Read more details on <a href=\"https:\/\/welivesecurity.com\/2019\/09\/09\/backdoor-stealth-falcon-group\/\">this\nlink<\/a>. <\/p>\n\n\n\n<p>Limited technical information about Stealth Falcon has\nalready been made public, including an analysis of the key component of the\nmalware \u2013 a PowerShell-based backdoor delivered via a weaponized document that was\nincluded in a malicious email. <\/p>\n\n\n\n<p>ESET researchers discovered a previously unreported\nexecutable backdoor they named Win32\/StealthFalcon. They have seen a small\nnumber of attacks with this malware in UAE, Saudi Arabia, Thailand, and the\nNetherlands; in the latter case, the target was a diplomatic mission of a\nMiddle Eastern country.<\/p>\n\n\n\n<p>ESET research has revealed similarities between the\nnewly discovered executable backdoor and the PowerShell script with backdoor\ncapabilities previously attributed to the Stealth Falcon group. ESET researchers\nconsider the similarities to be strong evidence that both backdoors are the\nwork of the same group.<\/p>\n\n\n\n<p>Win32\/StealthFalcon uses a rather unusual technique to\ncommunicate with its command and control (C&amp;C) server: the standard Windows\ncomponent Background Intelligent Transfer Service (BITS). <\/p>\n\n\n\n<p>Compared to traditional communication via API\nfunctions, the BITS mechanism is exposed through a COM interface and thus is\nharder to detect. Moreover, this design is reliable and stealthy, and more likely\nto be permitted by host firewalls.<\/p>\n\n\n\n<p>In addition to its unusual C&amp;C communication, Win32\/StealthFalcon\nhas some advanced techniques to prevent detection\/analysis, ensure persistence\nand complicate forensic analysis. <\/p>\n\n\n\n<p>For more details, read the blogpost \u201c<a href=\"https:\/\/welivesecurity.com\/2019\/09\/09\/backdoor-stealth-falcon-group\/\">ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group<\/a>\u201d on WeLiveSecurity.com. Make sure to follow <a href=\"https:\/\/twitter.com\/ESETresearch\">ESET research on Twitter<\/a> for the latest news from ESET research.<\/p>\n\n\n\n<p>Source: <a href=\"https:\/\/www.welivesecurity.com\/2019\/09\/09\/backdoor-stealth-falcon-group\/\">Welivesecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. Some analysts link it to Project Raven, an initiative allegedly employing former NSA operatives. Read more details on this link. Limited technical information about Stealth Falcon has already been made public, including an analysis of the<\/p>\n","protected":false},"author":5,"featured_media":3742,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[160],"tags":[],"class_list":["post-3741","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.2 (Yoast SEO v27.6) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group - ESET Eesti Blogi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group\" \/>\n<meta property=\"og:description\" content=\"Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. Some analysts link it to Project Raven, an initiative allegedly employing former NSA operatives. Read more details on this link. Limited technical information about Stealth Falcon has already been made public, including an analysis of the\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/\" \/>\n<meta property=\"og:site_name\" content=\"ESET Eesti Blogi\" \/>\n<meta property=\"article:publisher\" content=\"http:\/\/www.facebook.com\/antiviirus\" \/>\n<meta property=\"article:published_time\" content=\"2019-09-24T08:11:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/09\/Stealthfalcon_square.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"1600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"ESET Blog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ESET Blog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/\"},\"author\":{\"name\":\"ESET Blog\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\"},\"headline\":\"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group\",\"datePublished\":\"2019-09-24T08:11:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/\"},\"wordCount\":304,\"image\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/Stealthfalcon_square.png\",\"articleSection\":[\"malware\"],\"inLanguage\":\"en-US\",\"copyrightYear\":\"2019\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/\",\"name\":\"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group - ESET Eesti Blogi\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/Stealthfalcon_square.png\",\"datePublished\":\"2019-09-24T08:11:23+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#primaryimage\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/Stealthfalcon_square.png\",\"contentUrl\":\"https:\\\/\\\/blog.eset.ee\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/Stealthfalcon_square.png\",\"width\":1600,\"height\":1600},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/\",\"name\":\"ESET Eesti Blogi\",\"description\":\"Uudised IT maailmast\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/#\\\/schema\\\/person\\\/876cf293277fc0b2ae2f4395fffe4c88\",\"name\":\"ESET Blog\",\"sameAs\":[\"http:\\\/\\\/eset.ee\"],\"url\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/author\\\/allankinsigo\\\/\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.eset.ee\\\/et\\\/en\\\/2019\\\/09\\\/24\\\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\\\/#local-main-organization-logo\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"ESET EESTI\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group - ESET Eesti Blogi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/","og_locale":"en_US","og_type":"article","og_title":"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group","og_description":"Stealth Falcon is a threat group, active since 2012, that targets political activists and journalists in the Middle East. Some analysts link it to Project Raven, an initiative allegedly employing former NSA operatives. Read more details on this link. Limited technical information about Stealth Falcon has already been made public, including an analysis of the","og_url":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/","og_site_name":"ESET Eesti Blogi","article_publisher":"http:\/\/www.facebook.com\/antiviirus","article_published_time":"2019-09-24T08:11:23+00:00","og_image":[{"width":1600,"height":1600,"url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/09\/Stealthfalcon_square.png","type":"image\/png"}],"author":"ESET Blog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ESET Blog","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#article","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/"},"author":{"name":"ESET Blog","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"headline":"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group","datePublished":"2019-09-24T08:11:23+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/"},"wordCount":304,"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/09\/Stealthfalcon_square.png","articleSection":["malware"],"inLanguage":"en-US","copyrightYear":"2019","copyrightHolder":{"@id":"https:\/\/blog.eset.ee\/et\/#organization"}},{"@type":"WebPage","@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/","url":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/","name":"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group - ESET Eesti Blogi","isPartOf":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#primaryimage"},"image":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/09\/Stealthfalcon_square.png","datePublished":"2019-09-24T08:11:23+00:00","author":{"@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88"},"breadcrumb":{"@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#primaryimage","url":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/09\/Stealthfalcon_square.png","contentUrl":"https:\/\/blog.eset.ee\/wp-content\/uploads\/2019\/09\/Stealthfalcon_square.png","width":1600,"height":1600},{"@type":"BreadcrumbList","@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.eset.ee\/et\/en\/"},{"@type":"ListItem","position":2,"name":"ESET discovered an undocumented backdoor used by the infamous Stealth Falcon group"}]},{"@type":"WebSite","@id":"https:\/\/blog.eset.ee\/et\/en\/#website","url":"https:\/\/blog.eset.ee\/et\/en\/","name":"ESET Eesti Blogi","description":"Uudised IT maailmast","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.eset.ee\/et\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.eset.ee\/et\/en\/#\/schema\/person\/876cf293277fc0b2ae2f4395fffe4c88","name":"ESET Blog","sameAs":["http:\/\/eset.ee"],"url":"https:\/\/blog.eset.ee\/et\/en\/author\/allankinsigo\/"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.eset.ee\/et\/en\/2019\/09\/24\/eset-discovered-an-undocumented-backdoor-used-by-the-infamous-stealth-falcon-group\/#local-main-organization-logo","url":"","contentUrl":"","caption":"ESET EESTI"}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/3741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=3741"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/3741\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/3742"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=3741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=3741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=3741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}