SAS: Hunting Desert Falcons

Monday, February 23, 2015 @ 05:02 PM gHale

A cyber espionage group targeting multiple high profile organizations and individuals from Middle East countries is on the prowl, researchers said.

This is the first known Arabic group of cyber mercenaries to develop and run full-scale cyber-espionage operations, said researchers at Kaspersky Lab, who discovered the group called Desert Falcons and discussed the findings at its Security Analyst Summit 2015 (SAS) in Cancun, Mexico, last week.


Kaspersky researchers found:
• The campaign has been active for at least two years. Desert Falcons started developing and building their operation in 2011, with their main campaign and real infection beginning in 2013. The peak of their activity was at the beginning of 2015.
• The vast majority of targets are in Egypt, Palestine, Israel and Jordan.
• Apart from the Middle East countries focused on as initial targets, Desert Falcons are also hunting out of the territory. In total, they have been able to attack more than 3,000 victims in 50+ countries globally, with over one million files stolen.
• The attackers utilize proprietary malicious tools for attacks on Windows PCs and Android-based devices.
• The attackers behind Desert Falcons are native Arabic speakers.

“The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight,” said Dmitry Bestuzhev, researcher at Kaspersky Lab’s Global Research and Analysis Team. “Using only phishing emails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data.”

The list of targeted victims includes military and government organizations, especially employees responsible for countering money laundering as well as health and the economy; leading media outlets; research and education institutions; energy and utilities providers; activists and political leaders; physical security companies; and other targets in possession of important geopolitical information.

In total Kaspersky Lab researchers were able to find signs of more than 3000 victims in 50+ countries, with more than one million files stolen. Although the main focus of Desert Falcons’ activity appears to be in countries such as Egypt, Palestine, Israel and Jordan, multiple victims were also found in Qatar, KSA, UAE, Algeria, Lebanon, Norway, Turkey, Sweden, France, United States, Russia and other countries.

The main method used by the Falcons to deliver the malicious payload is spear phishing via emails, social networking posts and chat messages. Phishing messages contained malicious files (or a link to malicious files) masquerading as legitimate documents or applications. Desert Falcons use several techniques to entice victims into running the malicious files. One of the most distinctive is the right-to-left extension override trick.

This method takes advantage of a special character in Unicode that reverses the display order of the characters that follow it in a file name, hiding the dangerous file extension in the middle of the displayed name and placing a harmless-looking fake extension at the end. Using this technique, malicious files (.exe, .scr) look like a harmless document or PDF file, and even careful users with good technical knowledge could end up tricked into running them. For example, a file whose name actually ends in .fdp.scr would appear to end in .rcs.pdf.
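The trick works because the Unicode right-to-left override character (U+202E) forces everything after it to render reversed, while the operating system still uses the real, last suffix to decide how to open the file. The following Python script is an added example, not part of the original article or of Kaspersky's research; it shows how a mail gateway or endpoint scanner can flag such names by stripping the bidirectional control characters, recovering the real extension, and approximating what a user would have seen. The sample file names and the list of executable extensions are constructed for illustration.

```python
from pathlib import PurePath

# Unicode bidirectional control characters that can alter how a file name is displayed.
# Any of them in a file name is unusual; the RLO (U+202E) is the one used in this trick.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO = "\u202e"
PDF_TERMINATOR = "\u202c"  # "Pop Directional Formatting" ends an override run

# Constructed list of extensions that Windows treats as executable (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def displayed_name(name: str) -> str:
    """Approximate what a naive file browser shows: the run after an RLO is
    rendered reversed until a PDF terminator or the end of the string.
    This is a simplification of the Unicode bidi algorithm that is sufficient
    for Latin-script file names used in this trick."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF_TERMINATOR, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1  # skip the terminator as well
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; ignore them here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_extension(name: str) -> str:
    """Extension the OS actually uses: drop the invisible controls, take the last suffix."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return PurePath(clean).suffix.lower()


def analyze(name: str) -> dict:
    """Return a verdict on a single attachment name, with the evidence a reviewer needs."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = true_extension(name)
    shown_ext = PurePath(shown).suffix.lower()
    return {
        "bidi_controls": controls,          # positions and names of control chars found
        "displayed": shown,                 # what the victim would see
        "displayed_extension": shown_ext,   # the decoy extension
        "real_extension": real_ext,         # what will actually run
        # Flag only when a control char is present AND the real extension is executable,
        # so legitimate right-to-left file names without a payload are not blocked.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    # Constructed sample names: one using the RLO trick, one benign.
    for sample in ("Report\u202efdp.scr", "budget.pdf"):
        verdict = analyze(sample)
        print(f"{verdict['displayed']!r}: real={verdict['real_extension']} "
              f"suspicious={verdict['suspicious']}")
```

Run on the first sample the script reports that the name is displayed as Reportrcs.pdf while the real extension is .scr, and flags it; the plain budget.pdf contains no control characters and passes. Requiring both a bidi control and an executable real extension keeps the rule from blocking legitimate Arabic or Hebrew file names that happen to contain directional marks.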

After successfully infecting a victim, Desert Falcons would use one of two different backdoors: the main Desert Falcons Trojan or the DHS Backdoor, both of which appear to have been developed from scratch and are under continuous development. Kaspersky Lab experts were able to identify over 100 malware samples used by the group in their attacks.

“We expect this operation to carry on developing more Trojans and using more advanced techniques,” Bestuzhev said. “With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks.”
